Package Details: bubblewrap-git v0.3.1.r6.g94147e2-1

Git Clone URL: https://aur.archlinux.org/bubblewrap-git.git (read-only)
Package Base: bubblewrap-git
Description: Unprivileged sandboxing tool
Upstream URL: https://github.com/projectatomic/bubblewrap
Keywords: containers sandbox
Licenses: LGPL
Conflicts: bubblewrap
Provides: bubblewrap
Submitter: aperez
Maintainer: aperez
Last Packager: aperez
Votes: 4
Popularity: 0.000000
First Submitted: 2016-05-08 09:52
Last Updated: 2018-12-26 18:37

Latest Comments

yawning commented on 2016-10-09 04:20

@aperez:

TLDR:
* USER_NS should use `--with-priv-mode=none`.
* Non-USER_NS should use `--with-priv-mode=caps`.

The reason why the package was broken on non-USER_NS kernels previously was because the capabilities granted in the `post_install()` were wrong/insufficient (because upstream changed the requirements), not because the binary needs to be SUID root.

USER_NS removes the need for any elevated privileges as well.

The upstream commit that broke the `post_install()` setcap directive was e0a07f4de70acb27d95bae69e27e42e5941e5873, though as of your latest commit it's now correct.

aperez commented on 2016-09-22 09:01

@Pelzflorian: You're welcome! Let's hope USER_NS is enabled at some point in the default kernels, as more and more tools are likely to make use of it. I need it myself for Vagga, and adoption of things like Flatpak is probably going to push distributions to have the option enabled by default :-)

Pelzflorian commented on 2016-09-22 05:51

Thank you :) . Since this is an AUR package, build time checks seem OK.

aperez commented on 2016-09-22 02:18

@Pelzflorian: I have changed the PKGBUILD. If the running kernel does not have CONFIG_USER_NS enabled (user namespaces), then --with-priv-mode=setuid is passed to the configure script. Otherwise, if user namespaces are available use --with-priv-mode=caps.

Pelzflorian commented on 2016-09-19 05:14

Default Arch kernels do not support user namespaces (bug FS#36969), so on a default kernel, this should be configured with --with-priv-mode=setuid, in which case it also does not need the install file. If you want to keep using user namespaces (for non-default kernels), you or I could make a separate bubblewrap-setuid package for default kernels.