[SRU] bubblewrap unavailable on xenial

Bug #1649330 reported by William Hua
This bug affects 2 people
Affects                 Status        Importance  Assigned to  Milestone
bubblewrap (Ubuntu)     Fix Released  Low         Unassigned
  Xenial                In Progress   Low         Unassigned

Bug Description

[Impact]

I'm writing a snapcraft plugin that uses bubblewrap for sandboxing purposes, but since bubblewrap isn't available on xenial while snapcraft is, it's currently blocked from landing.

Besides that, bubblewrap is a generally useful tool for running commands in a sandbox, similar to a chroot, but can be run by an unprivileged user, or like lxc, but more lightweight.

Bubblewrap is also needed to provide Flatpak on Ubuntu 16.04 LTS. Since one major benefit of Flatpak is running newer apps on stable releases, it's really beneficial to have Flatpak available on the latest Ubuntu LTS.

[Test Case]

Type bwrap in a xenial terminal. The command isn't found.

[Regression Potential]

This package is already available in yakkety and zesty, and it depends only on libc6 and libselinux1. It contains no services.

The bwrap binary is setuid root.

This is a new package for 16.04 and should not negatively affect any other Ubuntu package.

[Other Info]

From the project page:

"The maintainers of this tool believe that it does not, even when used in combination with typical software installed on that distribution, allow privilege escalation. It may increase the ability of a logged in user to perform denial of service attacks, however.

In particular, bubblewrap uses PR_SET_NO_NEW_PRIVS to turn off setuid binaries, which is the traditional way to get out of things like chroots."

Since snapd was backported to trusty-updates and not trusty-backports, we'd like to do the same (xenial-updates not xenial-backports) with the Flatpak stack. (LP: #1656712)

Tags: xenial
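The project text quoted in the description says bwrap relies on PR_SET_NO_NEW_PRIVS to make setuid binaries harmless inside the sandbox. The C program below is an added example, not code from this bug report or from the bubblewrap project: it sets the flag with prctl(2), shows that it reads back as set and has no "clear" operation, and shows that a process exec'd afterwards (here /bin/sh reading /proc/self/status) still carries it, which is exactly why a setuid binary launched inside a bwrap sandbox runs with the caller's privileges only. The function names (nnp_get, nnp_set, nnp_survives_exec) are this example's own; it is Linux-only and needs /proc mounted.

```c
/* Added example, not part of the bug report or of bubblewrap itself.
 * Demonstrates the no_new_privs flag that bwrap sets before running
 * the sandboxed command. Linux-only. */
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/prctl.h>
#include <sys/types.h>
#include <sys/wait.h>

/* Older toolchain headers may lack these; the values are stable Linux ABI. */
#ifndef PR_SET_NO_NEW_PRIVS
#define PR_SET_NO_NEW_PRIVS 38
#endif
#ifndef PR_GET_NO_NEW_PRIVS
#define PR_GET_NO_NEW_PRIVS 39
#endif

/* Query the flag for the calling thread: 1 if set, 0 if clear, -1 on error. */
int nnp_get(void) {
    return prctl(PR_GET_NO_NEW_PRIVS, 0, 0, 0, 0);
}

/* Set the flag. The kernel only accepts arg2 == 1: the flag goes from 0 to 1
 * and there is no prctl to clear it again. It is inherited across fork() and
 * execve(). Returns 0 on success, -1 (with errno) on failure. */
int nnp_set(void) {
    return prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0);
}

/* Fork, exec /bin/sh, and have the new program image report its own
 * NoNewPrivs line from /proc/self/status. Returns the child's exit status:
 * 0 when the exec'd process still sees the flag, non-zero otherwise.
 * This is the property bwrap depends on: with no_new_privs set, execve()
 * of a setuid-root binary ignores its setuid bit instead of granting root. */
int nnp_survives_exec(void) {
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        execl("/bin/sh", "sh", "-c",
              "grep -q '^NoNewPrivs:[[:space:]]*1$' /proc/self/status",
              (char *)NULL);
        _exit(127); /* exec failed */
    }
    int status = 0;
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void) {
    printf("before: no_new_privs=%d\n", nnp_get());
    if (nnp_set() != 0) {
        perror("prctl(PR_SET_NO_NEW_PRIVS)");
        return 1;
    }
    printf("after:  no_new_privs=%d\n", nnp_get());
    printf("exec'd child still sees the flag: %s\n",
           nnp_survives_exec() == 0 ? "yes" : "no");
    return 0;
}
```

Build with `gcc -Wall -o nnp nnp.c` and run it as an ordinary user; after the prctl call the flag reads back as 1 and the exec'd shell reports it too. Running `grep NoNewPrivs /proc/$$/status` from inside a `bwrap ... bash` session, like the one in the test steps further down this report, shows the same flag already set by bwrap before your shell started.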
Revision history for this message
William Hua (attente) wrote :

I tested it from the PPA here [1], in a Xenial VM. It's just a copy of what's currently in zesty archive, with an extra changelog entry for the xenial release. I'd prefer if we could just copy the package in zesty directly as it doesn't have release info in the changelog.

[1] https://launchpad.net/~attente/+archive/ubuntu/test?field.series_filter=xenial

I tested it with:

bwrap --dev-bind / / --dev-bind ~ /snap bash

and then...

ls /snap
touch /snap/whatever
exit

then...

ls ~

Revision history for this message
William Hua (attente) wrote :

It's a copy of *yakkety*'s archive now...

Jeremy Bícha (jbicha)
Changed in bubblewrap (Ubuntu):
status: New → Fix Released
Changed in bubblewrap (Ubuntu Xenial):
status: New → In Progress
importance: Undecided → Low
Changed in bubblewrap (Ubuntu):
importance: Undecided → Low
Revision history for this message
Jeremy Bícha (jbicha) wrote :

Thanks! Uploaded to xenial's new queue.

Do you want this uploaded to trusty also? Flatpak is not easily backportable to trusty so it's not needed for Flatpak, but since snapd is now supported on trusty...?

description: updated
description: updated
tags: added: xenial
Revision history for this message
William Hua (attente) wrote :

Thanks for looking at this and the CVE, Jeremy!

Is SRU'ing this back to trusty difficult? The only reason I would want bubblewrap there is if snapcraft itself is also actively being SRU'd back to trusty.

Revision history for this message
Jeremy Bícha (jbicha) wrote :

No, it's not more difficult to backport to trusty. It just needs someone to want it there and be able to verify the SRU. But if you only currently wanted it for snapcraft, snapcraft is currently xenial and above. (snapd is trusty and above). Anyway, uploading now to xenial's new queue.

Jeremy Bícha (jbicha)
description: updated
Revision history for this message
William Hua (attente) wrote :

Ok, thanks! I don't need it for trusty then.

Jeremy Bícha (jbicha)
description: updated
Revision history for this message
Jeremy Bícha (jbicha) wrote :

Setting to Incomplete while we wait for the yakkety security update.

Changed in bubblewrap (Ubuntu Xenial):
status: In Progress → Incomplete
Revision history for this message
Jeremy Bícha (jbicha) wrote :

Ok, the yakkety security update is finished so I uploaded 0.1.7 to the xenial new queue.

Changed in bubblewrap (Ubuntu Xenial):
status: Incomplete → In Progress
description: updated
Revision history for this message
Steve Langasek (vorlon) wrote : Proposed package upload rejected

An upload of bubblewrap to xenial-proposed has been rejected from the upload queue for the following reason: "package was stuck in the NEW queue for several years, never reviewed, xenial reaching the end of standard support.".
