0.9.0

Build system

• Building this version of bubblewrap with Meson is recommended. The source release bubblewrap-0.9.0.tar.xz no longer contains Autotools-generated files, although this version can still be built using Autotools after running ./autogen.sh. Future versions are likely to remove the Autotools build system altogether.

New features

• Add --argv0 (#91)

Other enhancements

• --symlink is now idempotent, meaning it succeeds if the symlink already exists and already has the desired target (#549, flatpak/flatpak#2387, flatpak/flatpak#3477, flatpak/flatpak#5255)
• Clarify security considerations in documentation (#555, #560, #621)
• Clarify documentation for --cap-add (#562)
• Report a better error message if mount(2) fails with ENOSPC (#615, ValveSoftware/steam-runtime#637)
• Make it easier to add new unit tests (#420)
• Drop support for ancient Python versions in demo code

Bug fixes

• Fix a double-close on error reading from --args, --seccomp or --add-seccomp-fd argument (#558)
• Improve memory allocation behaviour (#556, #624)
• Silence various compiler warnings (#559)
• Silence an Automake warning (#622)
• Fix a test failure when running as uid 0 in a container (#488)
• Fix a test failure when /mnt is a symlink (#599)
• Fix a test failure on NixOS (#603)

c6347eaced49ac0141996f46bba3b089e5e6ea4408bc1c43bab9f2d05dd094e1 *bubblewrap-0.9.0.tar.xz

0.8.0

New features:

• Add --disable-userns option to prevent the sandbox from creating its own nested user namespace (#488)
• Add --assert-userns-disabled option to check that an existing userns was created with --disable-userns (#488)
• Give a clearer error message if the kernel doesn't have CONFIG_SECCOMP and CONFIG_SECCOMP_FILTER (#550)

Bug fixes:

• Fix test failure with recent versions of capsh (#544)
• Fix test failure since 0.7.0 when not using post-2013 GNU coreutils (#539)
• Fix test failure since 0.7.0 if bubblewrap is setuid (#539)

Known issues:

• Tests fail if run as root (#554)

$ sha256sum -b bubblewrap-0.8.0.tar.xz            
957ad1149db9033db88e988b12bcebe349a445e1efc8a9b59ad2939a113d333a *bubblewrap-0.8.0.tar.xz

v0.7.0

New features:

• --size option controls the size of a subsequent --tmpfs (#509)
• Better error messages if a mount operation fails (#472)
• Better error message if creating the new user namespace fails with ENOSPC (#487)
• When building as a Meson subproject, a RUNPATH can be set on the executable to make it easier to bundle its libcap dependency

Bug fixes:

• When building with Autotools, ensure initial setup for pkg-config is not disabled by --with-bash-completion-dir=PATH (#316, #342, #441)
• Fix test failures when running as uid 0 but with limited capabilities (#510)
• Use POSIX command -v in preference to non-standard which (#527)
• Fix a copy/paste error in --help (#531)

$ sha256sum -b bubblewrap-0.7.0.tar.xz 
764ab7100bd037ea53d440d362e099d7a425966bc62d1f00ab26b8fbb882a9dc *bubblewrap-0.7.0.tar.xz

0.6.2

New features in Meson build:

• Auto-detect whether the man page can be generated
• -Dbwrapdir=... changes the installation directory (useful when being used as a subproject)
• -Dtests=false disables unit tests

Bug fixes:

• Add --add-seccomp-fd to shell completions
• Document --add-seccomp-fd, --json-status-fd and --share-net in the man page
• Add attributes to silence various compiler warnings
• Allow compilation of tests with musl on mips architectures
• Allow compilation with older glibc
• Disable sanitizers for a test helper whose seccomp profile breaks the instrumentation
• Disable AddressSanitizer leak detection where it interferes with unit testing

$ sha256sum -b bubblewrap-0.6.2.tar.xz
8a0ec802d1b3e956c5bb0a40a81c9ce0b055a31bf30a8efa547433603b8af20b *bubblewrap-0.6.2.tar.xz

0.6.1

• Fix bwrap --version when built with Meson (#477)
• Don't install zsh completion as executable when built with Meson

$ sha256sum -b bubblewrap-0.6.1.tar.xz
9609c7dc162bc68abc29abfab566934fdca37520a15ed01b675adcf3a4303282 *bubblewrap-0.6.1.tar.xz

0.6.0

New features:

• New --add-seccomp option can be used to add more than one seccomp program (#453)
• Add a warning when repeating options where only the last one will be used, in particular --seccomp (#454)
• Add a Meson build system. (#432)
  • This can be used as a subproject by larger Meson projects. When used as a subproject, the -Dprogram_prefix option is required: see tests/use-as-subproject/ for an example.
  • There is no equivalent of the --with-priv-mode=setuid option in this build system. Distributions that still require a setuid bubblewrap executable will need to chown and chmod the executable appropriately as a separate step in their packaging.
  • The Autotools build system is still supported in this release, but might be removed in a future release if the Meson build system is sufficiently successful.

Bug fixes:

• Invoke bash via PATH for better compatibility with non-FHS operating systems
• Exit early when argc == 0, to harden against the equivalent of CVE-2021-4034 (this is not a security issue in our case)

Other changes:

• The default branch is now named main
• Partial REUSE support (add SPDX-License-Identifier to many source files)
• Remove old CI integration

$ sha256sum -b bubblewrap-0.6.0.tar.xz
11393cf2058f22e6a6c6e9cca3c85ff4c4239806cb28fee657c62a544df35693 *bubblewrap-0.6.0.tar.xz

Release 0.5.0

New features:

• --chmod changes permissions
• --clearenv unsets every environment variable (except PWD)
• --perms sets permissions for one subsequent --bind-data, --dir, --file, --ro-bind-data or --tmpfs

Other enhancements:

• Better diagnostics when a --bind or other bind-mount fails
• zsh tab-completion
• Better test coverage

Bug fixes:

• Use Python 3 for tests and examples
• Mount points for non-directories are created with permissions -r--r--r-- instead of -rw-rw-rw-
• Don't remount items in /proc read-only if already EROFS, required to run under Docker
• Allow mounting an non-directory over an existing non-directory, e.g. --bind "$XDG_RUNTIME_DIR/my-log-socket" /dev/log
• Silence kernel messages for our bind-mounts
• Make sure pkg-config is checked for, regardless of build options
• Improve ability to bind-mount directories on case-insensitive filesystems
• Fix -Wshadow warnings
• Fix deprecation warnings with newer SELinux

$ sha256sum -b bubblewrap-0.5.0.tar.xz
16fdaf33799d63104e347e0133f909196fe90d0c50515d010bcb422eb5a00818 *bubblewrap-0.5.0.tar.xz

Release 0.4.1

This release fixes a privilege escalation bug pointed out by Stephen Röttger, where in some setups
bubblewrap can be used to gain root permissions. Only version 0.4.0 is vulnerable, and only
if installed setuid while at the same time the kernel supports unprivileged user namespaces.
More details in the advisory here:

GHSA-j2qp-rvxj-43vj

Additionally there are some minor changes:

• Always clear the capability bounding set (cosmetic issue)
• Make the tests work with libcap >= 2.29
• Properly report child exit status in some cases

Alexander Larsson (9):
Ensure we're always clearing the cap bounding set
Don't rely on geteuid() to know when to switch back from setuid root
Don't support --userns2 in setuid mode
drop_privs: More explicit argument name

Christian Kastner (1):
tests: Update output patterns for libcap >= 2.29

Jean-Baptiste BESNARD (1):
retcode: fix return code with syncfd and no event_fd

TomSweeneyRedHat (1):
Add Code of Conduct

Release 0.4.0

The biggest feature in this release is the support for joining
existing user and pid namespaces. This doesn't work in the setuid
mode (at the moment).

Other changes:

• Stores namespace info in status json
• In setuid mode pid 1 is now marked dumpable
• Now builds with musl libc

Alexander Larsson (17):
      Tests: Fix test count
      setuid mode: Properly drop privs in monitor and pid1
      Mark init process as dumpable so we can see stuff in its /proc
      Add support for --userns and --userns2
      tests: test --userns
      utils: Add some utility function to pass pids over a socket
      utils: Add fork_intermediate_child() helper
      Add support for --pidns
      Add tests for --pidns
      tests: Better error message if assert_files_equal fails
      Fix typo in comment
      Drop cap bounding set also in --userns case
      Allow --uid and --gid with --userns
      tests: Fix --userns tests
      --userns --uid: Only swtich user if needed
      Merge pull request #338 from containers/reuse-namespaces
      Bump 0.4.0

Christian Kellner (3):
      bwrap: set opt_unshare_cgroup when _try succeeds
      bwrap: include the pid namespace id in status/json
      tests: check namespace info in json

Colin Walters (1):
      Post-release version bump

Jonathan Lebon (1):
      ci: Bump to fedora/29/atomic

shawrkbait (1):
      Add work-around for TEMP_FAILURE_RETRY to support musl

Git-EVTag-v0-SHA512: d3f07f58b50c579b27470722edfc87b741465ca37ff4d40c9f715d610a69a80a6e6035a0dee678158c1dd77edb0b06bed3ffd6393a784d4ed975c092eb151952

0.3.3

[This release is the same as 0.3.2 but the version number in configure.ac
was accidentally still set to 0.3.1)

This release fixes a mostly theoretical security issue in unusual/broken
setups where $XDG_RUNTIME_DIR is unset.

There are some other smaller fixes, as well as an addition to the JSON
API that allows reading the inner process exit code, separately from
the bwrap exit code.

Thanks to all contributors!

Iain Lane (1):
      tests: Handle systems without merged-/usr

Jakub Wilk (2):
      Fix typos
      Print "Out of memory" on stderr, not stdout

Richard Maw (3):
      Revert "README.md: Delete cat logo picture (not DFSG compliant)"
      bwrap: add option json-status-fd to show child exit code
      bwrap: Report COMMAND exit code in json-status-fd

Simon McVittie (3):
      man page: Describe --chdir, not nonexistent --cwd
      Don't create our own temporary mount point for pivot_root
      tests: Ensure that tmpfs with oldroot/newroot doesn't appear in container

Timothy E Baldwin (1):
      Make lockdata long enough on 32-bit with 64-bit file pointers.

Git-EVTag-v0-SHA512: 1320cc04e853be996e6fa53fb3e472f732ac02855ab05984fa3350aed1d8760fc3b9eac0e6af06843a1f6265afe424e042c937d64606ef2eb29ec53a3539c217