tag name: v0.2.0 (c52ace463d456554c17ede36ea9b1669e867365b)
tag date: 2017-10-09 10:29:56 -0400
tagged by: Colin Walters <walters@verbum.org>
tagged object: commit b3fe1718b6...
download: bubblewrap-0.2.0.tar.gz
Release 0.2.0
Some new features in this release, and a variety of contributors, which is always great to see!

On the bugfix side: bwrap now automatically detects the new user namespace restrictions in Red Hat Enterprise Linux 7.4: `bubblewrap: check for max_user_namespaces == 0`. PR: https://github.com/projectatomic/bubblewrap/pull/215

The most notable features are new arguments `--as-pid1`, and `--cap-add`/`--cap-drop`. These were added for running systemd (or in general a "full" init system) inside bubblewrap. But the capability options are also useful for unprivileged callers to potentially retain capabilities inside the sandbox (for example `CAP_NET_ADMIN`), when user namespaces are enabled. Conversely, privileged callers (uid 0) can conversely drop capabilities (without user namespaces). Contributed by Giuseppe Scrivano. PR: https://github.com/projectatomic/bubblewrap/pull/101

Another smaller feature is: `With --dev, add /dev/fd and /dev/core symlinks` which should improve compatibility with older software. PR: https://github.com/projectatomic/bubblewrap/pull/207

Philip Withnall ran bwrap through Coverity; no critical issues were found, but changes were made to pacify the analysis and we'll be sure to keep the analyzer happy in the future.

Thanks in particular to Simon McVittie who contributed a lot of improvements to the test suite, code review, as well as identified an issue with the licensing of the logo.

Thanks to all contributors!
```
Alexander Larsson (1):
      Merge pull request #196 from giuseppe/no-reaper

Colin Walters (9):
      demos/shell: Use --die-with-parent
      main: Squash a -Wunused-result error, enable FORTIFY_SOURCE in CI
      tests: Import libtest-core.sh from ostree
      README.md: Delete cat logo picture (not DFSG compliant)
      Retain all caps when invoked by uid 0, work around systemd seccomp filter
      main: Fix typo, tweak command line argument descriptions
      With --dev, add /dev/fd and /dev/core symlinks
      Avoid leaking --args-fd to child process
      Release 0.2.0

Giuseppe Scrivano (8):
      bubblewrap: add --as-pid-1
      bubblewrap: add --cap-add and --cap-drop
      bubblewrap: add option --userns-block-fd
      demos: add demo userns-block-fd.py
      bubblewrap.c: fix typo
      bubblewrap: do not always leave caps in the unprivileged case
      tests: add tests for --cap-add
      README.md: add bwrap-oci to the list of users

Jonathan Lebon (1):
      ci: rename files to new name and bump to f26

Marcos Paulo de Souza (3):
      bubblewrap: Remove not needed MS_MGC_VAL mount flag
      bubblewrap.c: Fix typo secomp -> seccomp in drop_all_caps
      acquire_privs: Cosmetic change to reduce indentation

Philip Withnall (4):
      bubblewrap: Improve const-correctness of argv handling
      bubblewrap: Fix a minor memory leak in --args handling
      bubblewrap: Close FDs on exiting PID 1
      bubblewrap: Add various assertions on SetupOp handling

Simon McVittie (10):
      Distribute test helper library
      tests: Don't write to predictable filenames in /tmp
      tests: Improve diagnostics if non-root caps test fails
      tests: Send diagnostics to stderr
      tests: Interpret stdout as TAP syntax
      tests: Produce finer-grained TAP output
      tests: Ensure non-root users have access to libcap tools
      Partially revert "bubblewrap: Fix a minor memory leak in --args handling"
      tests: Add basic test coverage for --args
      tests: Fix a race condition between attempts to lock a file

Tristan Cacqueray (1):
      bubblewrap: check for max_user_namespaces == 0

Vasya Novikov (4):
      add --unshare-all completion
      bash completion: remove duplicates
      bash completion: fix code style
      bash completion: add --new-session

Vladimir Panteleev (1):
      Prefix error messages with program name
```

Git-EVTag-v0-SHA512: 6eafa80a60be2cd66396ab7d4a36e7c6c24ed0b0d8dc207ecee6252e7d45f04fd04e1997c60218f0bb8b90e60ee80ed46cc7d8b521b08cb1ba4450440ee646cf