secureblue/bubblewrap-suid
Project ID: 108482
Description
📦 bubblewrap-suid
This repository contains the .spec file for bundling a setuid variant of Bubblewrap as an RPM.
ONLY USE IF YOU HAVE: user.max_user_namespaces = 0 and kernel.unprivileged_userns_clone = 0 set.
CI
Currently, the Bubblewrap releases are tracked manually. The goal is for this repository to track them automatically.
Install
Get the COPR .repo file:
curl -s https://copr.fedorainfracloud.org/coprs/secureblue/bubblewrap-suid/repo/fedora-39/secureblue-bubblewrap-suid-fedora-39.repo | sudo tee /etc/yum.repos.d/secureblue-bubblewrap-suid-fedora-39.repo
Override the bubblewrap (without suid) package:
sudo rpm-ostree override replace --experimental --freeze --from repo='copr:copr.fedorainfracloud.org:secureblue:bubblewrap-suid' bubblewrap-suid
Develop
Build locally
This has to be done on an RPM-based Linux distribution and is tested on a Fedora Silverblue 39 VM.
Install required RPM build tools and dependencies:
rpm-ostree install -y rpmdevtools rpmlint docbook-style-xsl meson libcap-devel libselinux-devel gcc
Create the required file tree:
rpmdev-setuptree
Clone this repo and cd into it:
git clone https://github.com/34N0/bubblewrap-suid-rpm && cd bubblewrap-suid-rpm
Download the bubblewrap source:
spectool -g -R bubblewrap-suid.spec
Build the RPM from spec:
rpmbuild -ba bubblewrap-suid.spec
Test locally
Cd into the RPM folder:
cd ~/rpmbuild/RPMS/x86_64
Override the bubblewrap package:
rpm-ostree override replace bubblewrap-suid-<version>.fc39.x86_64.rpm
Disabling unprivileged user namespaces
Edit the sysctl config:
sudo nano /etc/sysctl.d/99-sysctl.conf
Add the following lines:
user.max_user_namespaces = 0
kernel.unprivileged_userns_clone = 0
Load the parameters:
sudo sysctl --system
Reboot the VM!
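After the reboot, the precondition stated at the top of this README can be verified with a small script. This is an added example, not part of this repository: the function names, the `--live` switch and the script name are hypothetical, and a key the running kernel does not expose is reported as `missing` and skipped, which is an assumption of this example.

```shell
#!/bin/sh
# Added example: check the README's precondition before overriding bubblewrap.
# The optional root argument (default /proc/sys) is an assumption of this
# example so the check can also be run against a constructed directory tree.

# Print a sysctl key's value, or "missing" if the kernel does not expose it.
sysctl_value() {
    root=${2:-/proc/sys}
    file="$root/$(printf '%s' "$1" | tr . /)"
    if [ -r "$file" ]; then
        tr -d '[:space:]' < "$file"
    else
        printf 'missing'
    fi
}

# Succeed only if no exposed key is non-zero and at least one key reads 0.
userns_disabled() {
    root=${1:-/proc/sys}
    zero=0
    bad=0
    for key in user.max_user_namespaces kernel.unprivileged_userns_clone; do
        val=$(sysctl_value "$key" "$root")
        printf '%s = %s\n' "$key" "$val"
        case $val in
            0) zero=$((zero + 1)) ;;
            missing) ;;   # not exposed by this kernel: skipped (assumption)
            *) bad=1 ;;
        esac
    done
    [ "$bad" -eq 0 ] && [ "$zero" -gt 0 ]
}

# Succeed if the path is a regular file with the setuid bit set.
has_setuid_bit() {
    [ -f "$1" ] && [ -u "$1" ]
}

# Live check, run as: sh check-bwrap-suid.sh --live (script name is hypothetical)
if [ "${1:-}" = "--live" ]; then
    userns_disabled || echo "WARNING: unprivileged user namespaces are not disabled"
    bwrap=$(command -v bwrap) || { echo "bwrap not found"; exit 1; }
    has_setuid_bit "$bwrap" && echo "$bwrap is setuid" || echo "$bwrap is NOT setuid"
fi
```

Run it with `--live` after the override and reboot; without the switch it only defines the functions.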
Issues & Contributions
Feel free to open issues or pull requests for improvements or bug fixes. 😄 Be mindful that this repository is simply the Bubblewrap project with the SUID bit set.
Installation Instructions
Instructions not filled in by author. Author knows what to do. Everybody else should avoid this repo.
Active Releases
The following unofficial repositories are provided as-is by owner of this project. Contact the owner directly for bugs or issues (IE: not bugzilla).
Release | Architectures | Repo Download |
---|---|---|
Fedora 38 | x86_64 (141)* | Fedora 38 (16 downloads) |
Fedora 39 | x86_64 (1031)* | Fedora 39 (197 downloads) |
* Total number of downloaded packages.