tag name | v0.2.0 (c52ace463d456554c17ede36ea9b1669e867365b) |
tag date | 2017-10-09 10:29:56 -0400 |
tagged by | Colin Walters <walters@verbum.org> |
tagged object | commit b3fe1718b6... |
download | bubblewrap-0.2.0.tar.gz |

Release 0.2.0

Some new features in this release, and a variety of contributors, which is
always great to see!

On the bugfix side: bwrap now automatically detects the new
user namespace restrictions in Red Hat Enterprise Linux 7.4:
`bubblewrap: check for max_user_namespaces == 0`.
PR: https://github.com/projectatomic/bubblewrap/pull/215

The most notable features are new arguments `--as-pid1`, and
`--cap-add`/`--cap-drop`. These were added for running systemd (or in general a
"full" init system) inside bubblewrap. But the capability options are also
useful for unprivileged callers to potentially retain capabilities inside the
sandbox (for example `CAP_NET_ADMIN`), when user namespaces are enabled.
Conversely, privileged callers (uid 0) can drop capabilities (without
user namespaces). Contributed by Giuseppe Scrivano.
PR: https://github.com/projectatomic/bubblewrap/pull/101

Another smaller feature is: `With --dev, add /dev/fd and /dev/core symlinks`
which should improve compatibility with older software.
PR: https://github.com/projectatomic/bubblewrap/pull/207

Philip Withnall ran bwrap through Coverity; no critical issues
were found, but changes were made to pacify the analysis and we'll
be sure to keep the analyzer happy in the future.

Thanks in particular to Simon McVittie who contributed a lot of improvements
to the test suite and code review, as well as identifying an issue with the
licensing of the logo.

Thanks to all contributors!

```
Alexander Larsson (1):
      Merge pull request #196 from giuseppe/no-reaper

Colin Walters (9):
      demos/shell: Use --die-with-parent
      main: Squash a -Wunused-result error, enable FORTIFY_SOURCE in CI
      tests: Import libtest-core.sh from ostree
      README.md: Delete cat logo picture (not DFSG compliant)
      Retain all caps when invoked by uid 0, work around systemd seccomp filter
      main: Fix typo, tweak command line argument descriptions
      With --dev, add /dev/fd and /dev/core symlinks
      Avoid leaking --args-fd to child process
      Release 0.2.0

Giuseppe Scrivano (8):
      bubblewrap: add --as-pid-1
      bubblewrap: add --cap-add and --cap-drop
      bubblewrap: add option --userns-block-fd
      demos: add demo userns-block-fd.py
      bubblewrap.c: fix typo
      bubblewrap: do not always leave caps in the unprivileged case
      tests: add tests for --cap-add
      README.md: add bwrap-oci to the list of users

Jonathan Lebon (1):
      ci: rename files to new name and bump to f26

Marcos Paulo de Souza (3):
      bubblewrap: Remove not needed MS_MGC_VAL mount flag
      bubblewrap.c: Fix typo secomp -> seccomp in drop_all_caps
      acquire_privs: Cosmetic change to reduce indentation

Philip Withnall (4):
      bubblewrap: Improve const-correctness of argv handling
      bubblewrap: Fix a minor memory leak in --args handling
      bubblewrap: Close FDs on exiting PID 1
      bubblewrap: Add various assertions on SetupOp handling

Simon McVittie (10):
      Distribute test helper library
      tests: Don't write to predictable filenames in /tmp
      tests: Improve diagnostics if non-root caps test fails
      tests: Send diagnostics to stderr
      tests: Interpret stdout as TAP syntax
      tests: Produce finer-grained TAP output
      tests: Ensure non-root users have access to libcap tools
      Partially revert "bubblewrap: Fix a minor memory leak in --args handling"
      tests: Add basic test coverage for --args
      tests: Fix a race condition between attempts to lock a file

Tristan Cacqueray (1):
      bubblewrap: check for max_user_namespaces == 0

Vasya Novikov (4):
      add --unshare-all completion
      bash completion: remove duplicates
      bash completion: fix code style
      bash completion: add --new-session

Vladimir Panteleev (1):
      Prefix error messages with program name
```
Git-EVTag-v0-SHA512: 6eafa80a60be2cd66396ab7d4a36e7c6c24ed0b0d8dc207ecee6252e7d45f04fd04e1997c60218f0bb8b90e60ee80ed46cc7d8b521b08cb1ba4450440ee646cf