0.11.0

Released: 2024-10-30

Dependencies:

• Remove the Autotools build system. Meson ≥ 0.49.0 is now required at build-time. (#625, @WhyNotHugo)

• For users of bash-completion, bash-completion ≥ 2.10 is recommended. With older bash-completion, bubblewrap might install completions outside its ${prefix} unless overridden with -Dbash_completion_dir=….

Enhancements:

• New --overlay, --tmp-overlay, --ro-overlay and --overlay-src options allow creation of overlay mounts. This feature is not available when bubblewrap is installed setuid. (#412, #663; @rhendric, @wmanley, @smcv)

• New --level-prefix option produces output that can be parsed by tools like logger --prio-prefix and systemd-cat --level-prefix=1 (#646, @smcv)

Bug fixes:

• Handle EINTR when doing I/O on files or sockets (#657, @smcv)

• Don't make assumptions about alignment of socket control message data (#637, @smcv)

• Silence some Meson deprecation warnings (#647, @sertonix)

• Update URLs in documentation to https (#566, @TotalCaesar659)

• Improve tests' compatibility with busybox (#627, @sertonix)

• Improve compatibility with Meson < 1.3.0 (#664, @smcv)

Internal changes:

• Consistently use <stdbool.h> for booleans (#660, @smcv)

• Avoid -Wshadow compiler warnings (#661, @smcv)

• Update Github Actions configuration (#658, @smcv)

988fd6b232dafa04b8b8198723efeaccdb3c6aa9c1c7936219d5791a8b7a8646 *bubblewrap-0.11.0.tar.xz

0.10.0

New features:

• Add the --[ro-]bind-fd option, which can be used to mount a filesystem represented by a file descriptor without time-of-check/time-of-use attacks. This is needed when resolving CVE-2024-42472 (GHSA-7hgv-f2j8-xw87) in Flatpak.

Other changes:

• Fix some confusing syntax in SetupOpFlag (no functional change). (#636)

0.6.3

This release is intended to be used as part of Flatpak 1.14.x. If possible, please upgrade to 0.10.0 or later instead.

• Backport the --[ro-]bind-fd option from 0.10.0. This can be used to mount a filesystem represented by a file descriptor without time-of-check/time-of-use attacks, and is needed when resolving CVE-2024-42472 (GHSA-7hgv-f2j8-xw87) in Flatpak.

d8cab8943a36cd1bc1b8c63596c6ef6b29b12883d90ed9b14a969795ac60ddef  bubblewrap-0.6.3.tar.xz

0.9.0

Build system

• Building this version of bubblewrap with Meson is recommended. The source release bubblewrap-0.9.0.tar.xz no longer contains Autotools-generated files, although this version can still be built using Autotools after running ./autogen.sh. Future versions are likely to remove the Autotools build system altogether.

New features

• Add --argv0 (#91)

Other enhancements

• --symlink is now idempotent, meaning it succeeds if the symlink already exists and already has the desired target (#549, flatpak/flatpak#2387, flatpak/flatpak#3477, flatpak/flatpak#5255)
• Clarify security considerations in documentation (#555, #560, #621)
• Clarify documentation for --cap-add (#562)
• Report a better error message if mount(2) fails with ENOSPC (#615, ValveSoftware/steam-runtime#637)
• Make it easier to add new unit tests (#420)
• Drop support for ancient Python versions in demo code

Bug fixes

• Fix a double-close on error reading from --args, --seccomp or --add-seccomp-fd argument (#558)
• Improve memory allocation behaviour (#556, #624)
• Silence various compiler warnings (#559)
• Silence an Automake warning (#622)
• Fix a test failure when running as uid 0 in a container (#488)
• Fix a test failure when /mnt is a symlink (#599)
• Fix a test failure on NixOS (#603)

c6347eaced49ac0141996f46bba3b089e5e6ea4408bc1c43bab9f2d05dd094e1 *bubblewrap-0.9.0.tar.xz

0.8.0

New features:

• Add --disable-userns option to prevent the sandbox from creating its own nested user namespace (#488)
• Add --assert-userns-disabled option to check that an existing userns was created with --disable-userns (#488)
• Give a clearer error message if the kernel doesn't have CONFIG_SECCOMP and CONFIG_SECCOMP_FILTER (#550)

Bug fixes:

• Fix test failure with recent versions of capsh (#544)
• Fix test failure since 0.7.0 when not using post-2013 GNU coreutils (#539)
• Fix test failure since 0.7.0 if bubblewrap is setuid (#539)

Known issues:

• Tests fail if run as root (#554)

$ sha256sum -b bubblewrap-0.8.0.tar.xz            
957ad1149db9033db88e988b12bcebe349a445e1efc8a9b59ad2939a113d333a *bubblewrap-0.8.0.tar.xz

v0.7.0

New features:

• --size option controls the size of a subsequent --tmpfs (#509)
• Better error messages if a mount operation fails (#472)
• Better error message if creating the new user namespace fails with ENOSPC (#487)
• When building as a Meson subproject, a RUNPATH can be set on the executable to make it easier to bundle its libcap dependency

Bug fixes:

• When building with Autotools, ensure initial setup for pkg-config is not disabled by --with-bash-completion-dir=PATH (#316, #342, #441)
• Fix test failures when running as uid 0 but with limited capabilities (#510)
• Use POSIX command -v in preference to non-standard which (#527)
• Fix a copy/paste error in --help (#531)

$ sha256sum -b bubblewrap-0.7.0.tar.xz 
764ab7100bd037ea53d440d362e099d7a425966bc62d1f00ab26b8fbb882a9dc *bubblewrap-0.7.0.tar.xz

0.6.2

New features in Meson build:

• Auto-detect whether the man page can be generated
• -Dbwrapdir=... changes the installation directory (useful when being used as a subproject)
• -Dtests=false disables unit tests

Bug fixes:

• Add --add-seccomp-fd to shell completions
• Document --add-seccomp-fd, --json-status-fd and --share-net in the man page
• Add attributes to silence various compiler warnings
• Allow compilation of tests with musl on mips architectures
• Allow compilation with older glibc
• Disable sanitizers for a test helper whose seccomp profile breaks the instrumentation
• Disable AddressSanitizer leak detection where it interferes with unit testing

$ sha256sum -b bubblewrap-0.6.2.tar.xz
8a0ec802d1b3e956c5bb0a40a81c9ce0b055a31bf30a8efa547433603b8af20b *bubblewrap-0.6.2.tar.xz

0.6.1

• Fix bwrap --version when built with Meson (#477)
• Don't install zsh completion as executable when built with Meson

$ sha256sum -b bubblewrap-0.6.1.tar.xz
9609c7dc162bc68abc29abfab566934fdca37520a15ed01b675adcf3a4303282 *bubblewrap-0.6.1.tar.xz

0.6.0

New features:

• New --add-seccomp option can be used to add more than one seccomp program (#453)
• Add a warning when repeating options where only the last one will be used, in particular --seccomp (#454)
• Add a Meson build system. (#432)
  • This can be used as a subproject by larger Meson projects. When used as a subproject, the -Dprogram_prefix option is required: see tests/use-as-subproject/ for an example.
  • There is no equivalent of the --with-priv-mode=setuid option in this build system. Distributions that still require a setuid bubblewrap executable will need to chown and chmod the executable appropriately as a separate step in their packaging.
  • The Autotools build system is still supported in this release, but might be removed in a future release if the Meson build system is sufficiently successful.

Bug fixes:

• Invoke bash via PATH for better compatibility with non-FHS operating systems
• Exit early when argc == 0, to harden against the equivalent of CVE-2021-4034 (this is not a security issue in our case)

Other changes:

• The default branch is now named main
• Partial REUSE support (add SPDX-License-Identifier to many source files)
• Remove old CI integration

$ sha256sum -b bubblewrap-0.6.0.tar.xz
11393cf2058f22e6a6c6e9cca3c85ff4c4239806cb28fee657c62a544df35693 *bubblewrap-0.6.0.tar.xz

Release 0.5.0

New features:

• --chmod changes permissions
• --clearenv unsets every environment variable (except PWD)
• --perms sets permissions for one subsequent --bind-data, --dir, --file, --ro-bind-data or --tmpfs

Other enhancements:

• Better diagnostics when a --bind or other bind-mount fails
• zsh tab-completion
• Better test coverage

Bug fixes:

• Use Python 3 for tests and examples
• Mount points for non-directories are created with permissions -r--r--r-- instead of -rw-rw-rw-
• Don't remount items in /proc read-only if already EROFS, required to run under Docker
• Allow mounting an non-directory over an existing non-directory, e.g. --bind "$XDG_RUNTIME_DIR/my-log-socket" /dev/log
• Silence kernel messages for our bind-mounts
• Make sure pkg-config is checked for, regardless of build options
• Improve ability to bind-mount directories on case-insensitive filesystems
• Fix -Wshadow warnings
• Fix deprecation warnings with newer SELinux

$ sha256sum -b bubblewrap-0.5.0.tar.xz
16fdaf33799d63104e347e0133f909196fe90d0c50515d010bcb422eb5a00818 *bubblewrap-0.5.0.tar.xz