From a4727ea83d5c028b55cb9932605771ccfbbcc35d Mon Sep 17 00:00:00 2001
From: MSVSphere Packaging Team
Date: Wed, 13 Nov 2024 16:03:41 +0300
Subject: [PATCH] import bubblewrap-0.4.1-8.el9_5

---
 ...OFS-for-access-check-of-proc-entries.patch | 26 ++++++++++++++
 ...o-bind-fd-to-let-you-bind-a-O_PATH-.patch} | 34 ++++++++++++-------
 SPECS/bubblewrap.spec | 12 ++++---
 3 files changed, 55 insertions(+), 17 deletions(-)
 create mode 100644 SOURCES/0001-Accept-EROFS-for-access-check-of-proc-entries.patch
 rename SOURCES/{0001-0.4.0-Add-bind-fd-and-ro-bind-fd-to-let-you-bind-a-O.patch => 0001-Add-bind-fd-and-ro-bind-fd-to-let-you-bind-a-O_PATH-.patch} (84%)

diff --git a/SOURCES/0001-Accept-EROFS-for-access-check-of-proc-entries.patch b/SOURCES/0001-Accept-EROFS-for-access-check-of-proc-entries.patch
new file mode 100644
index 0000000..871ffdf
--- /dev/null
+++ b/SOURCES/0001-Accept-EROFS-for-access-check-of-proc-entries.patch
@@ -0,0 +1,26 @@
+From 4c35d7a5f92499d6ed646d4a5ffad9acc10cb432 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?J=C3=BCrg=20Billeter?=
+Date: Tue, 18 Aug 2020 17:33:49 +0200
+Subject: [PATCH] Accept EROFS for access() check of /proc entries
+
+This is required to work in a Docker container.
+---
+ bubblewrap.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/bubblewrap.c b/bubblewrap.c
+index e1a4629..d65ffef 100644
+--- a/bubblewrap.c
++++ b/bubblewrap.c
+@@ -1148,7 +1148,7 @@ setup_newroot (bool unshare_pid,
+ if (access (subdir, W_OK) < 0)
+ {
+ /* The file is already read-only or doesn't exist. */
+- if (errno == EACCES || errno == ENOENT)
++ if (errno == EACCES || errno == ENOENT || errno == EROFS)
+ continue;
+
+ die_with_error ("Can't access %s", subdir);
+--
+2.44.0
+
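Review bot: The added EROFS case is folded into the same branch as EACCES and ENOENT, but the comment right above it ("already read-only or doesn't exist") now conflates two different guarantees and should say which one EROFS provides. EACCES is a DAC verdict for the caller's real uid, whereas access(W_OK) returns EROFS when the mount carrying the /proc entry is itself read-only — presumably what the Docker case in the commit message runs into — so skipping the protective read-only bind mount here is sound only because the sandbox inherits that mount flag, not because of who is asking. I would extend the comment to `/* EACCES: the real uid cannot write it; EROFS: the underlying mount is already read-only (e.g. Docker's read-only /proc paths); ENOENT: not present. Nothing to cover. */`. Any other errno still aborts through die_with_error, which is the right failure mode for a sandbox setup step. The enclosing setup_newroot loop starts and ends outside the hunk.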
diff --git a/SOURCES/0001-0.4.0-Add-bind-fd-and-ro-bind-fd-to-let-you-bind-a-O.patch b/SOURCES/0001-Add-bind-fd-and-ro-bind-fd-to-let-you-bind-a-O_PATH-.patch similarity index 84% rename from SOURCES/0001-0.4.0-Add-bind-fd-and-ro-bind-fd-to-let-you-bind-a-O.patch rename to SOURCES/0001-Add-bind-fd-and-ro-bind-fd-to-let-you-bind-a-O_PATH-.patch index 0a28038..979ff51 100644 --- a/SOURCES/0001-0.4.0-Add-bind-fd-and-ro-bind-fd-to-let-you-bind-a-O.patch +++ b/SOURCES/0001-Add-bind-fd-and-ro-bind-fd-to-let-you-bind-a-O_PATH-.patch @@ -1,8 +1,7 @@ -From 10e62a964d465884b972571b258042493259b00b Mon Sep 17 00:00:00 2001 +From 52d5f7c3ba5c8e10b3a992304fd28cd4d18caeeb Mon Sep 17 00:00:00 2001 From: Alexander Larsson Date: Tue, 18 Jun 2024 10:20:36 +0200 -Subject: [PATCH] [0.4.0] Add --bind-fd and --ro-bind-fd to let you bind a - O_PATH fd. +Subject: [PATCH] Add --bind-fd and --ro-bind-fd to let you bind a O_PATH fd. This is useful for example if you for some reason don't have the real path. It is also a way to make bind-mounts race-free (i.e. to have the @@ -16,17 +15,17 @@ permitted, but at least we can delay resolving the fd to a path as much as possible, and then validate after mount that we actually mounted the right thing. -[@kolyshkin: backport commit a253257cd298892 to v0.4.0] - Signed-off-by: Alexander Larsson -Signed-off-by: Kir Kolyshkin +(cherry picked from commit a253257cd298892da43e15201d83f9a02c9b58b5) +[kalev: Backport to 0.4.x] +Signed-off-by: Kalev Lember --- bubblewrap.c | 50 +++++++++++++++++++++++++++++++++++++++++++++++ - tests/test-run.sh | 5 +++++ - 2 files changed, 55 insertions(+) + tests/test-run.sh | 7 ++++++- + 2 files changed, 56 insertions(+), 1 deletion(-) diff --git a/bubblewrap.c b/bubblewrap.c -index 8d0c5f7..209c1a5 100644 +index b3d52bc..38b3646 100644 --- a/bubblewrap.c +++ b/bubblewrap.c @@ -250,6 +250,8 @@ usage (int ecode, FILE *out) 
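Review bot: The new backport trailer `[kalev: Backport to 0.4.x]` does not say what was adapted, and the diffstat lines in this same hunk show one substantive difference from the backport it replaces: tests/test-run.sh now gets 7 changed lines including a deletion instead of 5 pure additions, which matches the TAP plan line being bumped along with the new test — something the previous 0.4.0 backport appears to have omitted, leaving its test count out of step with the plan. A reader comparing the two patch files, or redoing this backport for another branch, should not have to diff diffstats to learn that; I would write `[kalev: Backport to 0.4.x; also bump the TAP plan in tests/test-run.sh for the new test]`. The --bind-fd implementation itself is carried as unchanged context of the renamed patch and is not visible in this hunk, so it is not reviewed here.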
@@ -38,7 +37,7 @@ index 8d0c5f7..209c1a5 100644 " --remount-ro DEST Remount DEST as readonly; does not recursively remount\n" " --exec-label LABEL Exec label for the sandbox\n" " --file-label LABEL File label for temporary sandbox content\n" -@@ -1106,6 +1108,30 @@ setup_newroot (bool unshare_pid, +@@ -1111,6 +1113,30 @@ setup_newroot (bool unshare_pid, (op->type == SETUP_RO_BIND_MOUNT ? BIND_READONLY : 0) | (op->type == SETUP_DEV_BIND_MOUNT ? BIND_DEVICES : 0), source, dest); @@ -69,7 +68,7 @@ index 8d0c5f7..209c1a5 100644 break; case SETUP_REMOUNT_RO_NO_RECURSIVE: -@@ -1643,6 +1669,30 @@ parse_args_recurse (int *argcp, +@@ -1648,6 +1674,30 @@ parse_args_recurse (int *argcp, if (strcmp(arg, "--dev-bind-try") == 0) op->flags = ALLOW_NOTEXIST; @@ -101,10 +100,19 @@ index 8d0c5f7..209c1a5 100644 argc -= 2; } diff --git a/tests/test-run.sh b/tests/test-run.sh -index a01f41c..345db46 100755 +index 702c480..ce1eaf6 100755 --- a/tests/test-run.sh +++ b/tests/test-run.sh -@@ -375,5 +375,10 @@ else +@@ -80,7 +80,7 @@ if ! $RUN true; then + skip Seems like bwrap is not working at all. Maybe setuid is not working + fi + +-echo "1..49" ++echo "1..50" + + # Test help + ${BWRAP} --help > help.txt +@@ -382,5 +382,10 @@ else echo "ok - Test --pidns" fi diff --git a/SPECS/bubblewrap.spec b/SPECS/bubblewrap.spec index 6ce06c3..362fc15 100644 --- a/SPECS/bubblewrap.spec +++ b/SPECS/bubblewrap.spec @@ -1,6 +1,6 @@ Name: bubblewrap Version: 0.4.1 -Release: 7%{?dist} +Release: 8%{?dist} Summary: Core execution tool for unprivileged containers License: LGPLv2+ 
@@ -8,7 +8,8 @@ License: LGPLv2+ URL: https://github.com/projectatomic/bubblewrap Source0: https://github.com/projectatomic/bubblewrap/releases/download/v%{version}/bubblewrap-%{version}.tar.xz Patch0: 0001-Avoid-memory-leak-if-args-is-specified-multiple-time.patch -Patch1: 0001-0.4.0-Add-bind-fd-and-ro-bind-fd-to-let-you-bind-a-O.patch +Patch1: 0001-Accept-EROFS-for-access-check-of-proc-entries.patch +Patch2: 0001-Add-bind-fd-and-ro-bind-fd-to-let-you-bind-a-O_PATH-.patch BuildRequires: autoconf automake libtool BuildRequires: gcc @@ -48,8 +49,11 @@ find %{buildroot} -name '*.la' -delete -print %{_mandir}/man1/* %changelog -* Wed Aug 28 2024 Kir Kolyshkin - 0.4.1-7 -- Add support for --bind-fd and --ro-bind-fd (CVE-2024-42472) +* Fri Aug 30 2024 Kalev Lember - 0.4.1-8 +- Backport upstream fix to help address CVE-2024-42472 in flatpak + +* Fri Mar 15 2024 Daan De Meyer - 0.4.1-7 +- Backport https://github.com/containers/bubblewrap/commit/4c35d7a5f92499d6ed646d4a5ffad9acc10cb432 * Mon Aug 09 2021 Mohan Boddu - 0.4.1-6 - Rebuilt for IMA sigs, glibc 2.34, aarch64 flags
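Review bot: Patch2 is declared in the first hunk, but nothing in this diff shows it being applied: %prep is outside the hunk, and if it still uses explicit `%patch0`/`%patch1` lines rather than `%autosetup`/`%autopatch`, the new patch is listed but never applied and the build would silently ship without the --bind-fd/--ro-bind-fd support that the 0.4.1-8 changelog entry advertises. Worth checking in %prep (a `%patch2 -p1` line, or confirming `%autosetup -p1` is in use), and running `rpmbuild -bp` followed by a grep for `bind-fd` in the unpacked bubblewrap.c is a cheap way to confirm. The changelog wording is also a little optimistic: the commit message carried in the bind-fd patch itself says it can only delay resolving the fd to a path and validate after the mount, and the "in flatpak" qualifier implies the new options do nothing for CVE-2024-42472 until flatpak is rebuilt to use them, so I would phrase it `- Backport --bind-fd/--ro-bind-fd from upstream (needed by flatpak's fix for CVE-2024-42472)`.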