secureblue/bubblewrap-suid

Project ID: 108482

Description

📦 bubblewrap-suid

This repository contains the .spec file for packaging a setuid variant of Bubblewrap (bwrap) as an RPM.

ONLY USE IF YOU HAVE unprivileged user namespaces disabled, i.e. user.max_user_namespaces = 0 and kernel.unprivileged_userns_clone = 0 set. bwrap needs either unprivileged user namespaces or root privileges to set up its sandbox; when user namespaces are disabled, the setuid-root variant is the fallback that keeps bwrap-based sandboxes (Flatpak and similar) working. If unprivileged user namespaces are available, the setuid bit buys nothing and only adds a setuid-root binary to the system, so do not install this package in that case. Note that kernel.unprivileged_userns_clone exists only on kernels carrying the Debian/linux-hardened patch; on a stock Fedora kernel sysctl reports it as an unknown key, and user.max_user_namespaces = 0 alone is what disables user namespaces.

CI

Currently the Bubblewrap releases are tracked manually. The goal for this repository is to track upstream releases automatically.

Install

Get the COPR .repo file (-f makes curl fail on an HTTP error instead of writing the error page into the repo file):

curl -fsS https://copr.fedorainfracloud.org/coprs/secureblue/bubblewrap-suid/repo/fedora-39/secureblue-bubblewrap-suid-fedora-39.repo | sudo tee /etc/yum.repos.d/secureblue-bubblewrap-suid-fedora-39.repo

Replace the stock (non-setuid) bubblewrap package with bubblewrap-suid from the COPR repo:

sudo rpm-ostree override replace --experimental --freeze --from repo='copr:copr.fedorainfracloud.org:secureblue:bubblewrap-suid' bubblewrap-suid

Develop

Build locally

This has to be done on an RPM-based Linux distribution; it is tested on a Fedora Silverblue 39 VM.

Install required RPM build tools and dependencies:

rpm-ostree install -y rpmdevtools rpmlint docbook-style-xsl meson libcap-devel libselinux-devel gcc

Create the required file tree:

rpmdev-setuptree

Clone this repo and cd into it:

git clone https://github.com/34N0/bubblewrap-suid-rpm && cd bubblewrap-suid-rpm

Download the bubblewrap source tarball into ~/rpmbuild/SOURCES:

spectool -g -R bubblewrap-suid.spec

Build the RPM from spec:

rpmbuild -ba bubblewrap-suid.spec
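Before layering the result with rpm-ostree, it is worth confirming that the built RPM really ships bwrap as setuid root; a spec change or a missing %attr line would otherwise only show up as sandboxes failing to start after a reboot. The following script is an added example and is not part of the bubblewrap-suid project. It assumes the binary is packaged at /usr/bin/bwrap (not stated on this page) and reads the file list with rpm's --queryformat; the sample listing embedded for the offline self-test is constructed, not real rpm output.

```shell
#!/bin/sh
# Added example (not the project's own code): verify that a built
# bubblewrap-suid RPM ships /usr/bin/bwrap as a setuid-root file.
# Assumption: the packaged path is /usr/bin/bwrap (upstream's default).

# Print "path perms owner" for every file in an RPM, one line per file.
rpm_file_listing() {
    rpm -qp --queryformat '[%{FILENAMES} %{FILEMODES:perms} %{FILEUSERNAME}\n]' "$1"
}

# Read such a listing on stdin. Return 0 only if the wanted path is present,
# owned by root and has the setuid bit (perms string starts with -rws);
# return 1 if it is missing, not setuid, or owned by someone else.
# Argument: path to look for (defaults to /usr/bin/bwrap).
listing_has_setuid_bwrap() {
    local want="${1:-/usr/bin/bwrap}" path perms owner
    while read -r path perms owner; do
        [ "$path" = "$want" ] || continue
        case "$perms" in
            -rws*) [ "$owner" = root ] && return 0 ;;
        esac
        # The file is in the package but is not setuid root.
        return 1
    done
    return 1   # path not in the package at all
}

# Check a real RPM: check_rpm ~/rpmbuild/RPMS/x86_64/bubblewrap-suid-<version>.rpm
check_rpm() {
    rpm_file_listing "$1" | listing_has_setuid_bwrap
}

# Constructed sample in the shape of the rpm output above (not real output),
# used for an offline self-test of the parser.
sample_listing() {
    printf '%s\n' \
        '/usr/bin/bwrap -rwsr-xr-x root' \
        '/usr/share/man/man1/bwrap.1.gz -rw-r--r-- root'
}

# When run with an RPM path as $1, report the verdict for that package.
[ "$#" -eq 0 ] || check_rpm "$1" || printf '%s: bwrap is not setuid root in this package\n' "$1" >&2
```

A perms string of -rwSr-xr-x (capital S) would mean the setuid bit is set but the owner execute bit is not, which the case pattern deliberately rejects, since such a binary cannot run anyway.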

Test locally

Change into the RPM output folder:

cd ~/rpmbuild/RPMS/x86_64

Override the stock bubblewrap package with the freshly built RPM:

rpm-ostree override replace bubblewrap-suid-<version>.fc39.x86_64.rpm

Disable unprivileged user namespaces

Edit (or create) the sysctl config:

sudo nano /etc/sysctl.d/99-sysctl.conf

Add the following lines (kernel.unprivileged_userns_clone is only known to kernels carrying the Debian/linux-hardened patch; on a stock Fedora kernel sysctl will report it as an unknown key and user.max_user_namespaces = 0 alone takes effect):

user.max_user_namespaces = 0
kernel.unprivileged_userns_clone = 0

Load the parameters:

sudo sysctl --system

Reboot the VM so that the new rpm-ostree deployment with the setuid bwrap becomes active.
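After the reboot, the state that matters is whether the kernel policy and the installed bwrap agree: namespaces disabled with a non-setuid bwrap means sandboxes fail to start, namespaces available with a setuid bwrap means needless setuid-root attack surface. The following audit script is an added example and is not part of the bubblewrap-suid project. It assumes bwrap is installed at /usr/bin/bwrap (not stated on this page), reads the sysctls via /proc/sys so a missing kernel.unprivileged_userns_clone (stock Fedora kernels do not carry that sysctl) is treated as "1", and goes slightly beyond the README's wording by treating either knob set to 0 as "unprivileged user namespaces disabled", which is how the kernel behaves.

```shell
#!/bin/sh
# Added example (not the project's own code): check whether this host needs
# the setuid bwrap and whether the installed binary matches that need.
# Assumptions: bwrap lives at /usr/bin/bwrap; an absent
# kernel.unprivileged_userns_clone is treated as "1" (no restriction).

# Print the value of a sysctl key via /proc/sys, or $2 if the key is absent.
sysctl_or_default() {
    local key="$1" default="$2" path
    path="/proc/sys/$(printf '%s' "$key" | tr . /)"
    if [ -r "$path" ]; then
        cat "$path"
    else
        printf '%s\n' "$default"
    fi
}

# True when unprivileged user namespaces are off. Either knob alone suffices:
# user.max_user_namespaces=0 forbids new user namespaces for everyone, and
# kernel.unprivileged_userns_clone=0 forbids them for unprivileged callers.
# Arguments: max_user_namespaces unprivileged_userns_clone
userns_disabled() {
    [ "$1" -eq 0 ] || [ "$2" -eq 0 ]
}

# True when $1 exists, carries the setuid bit, and is owned by uid 0.
is_setuid_root() {
    [ -u "$1" ] && [ "$(stat -c %u "$1")" -eq 0 ]
}

# Compare kernel policy with the installed binary. Returns 0 when they agree
# and 1 when bwrap is missing, lacks setuid while namespaces are disabled, or
# is setuid while namespaces are available.
audit_bwrap() {
    local bwrap="${1:-/usr/bin/bwrap}" max_ns clone
    max_ns=$(sysctl_or_default user.max_user_namespaces 1)
    clone=$(sysctl_or_default kernel.unprivileged_userns_clone 1)
    printf 'user.max_user_namespaces=%s kernel.unprivileged_userns_clone=%s\n' "$max_ns" "$clone"
    if [ ! -e "$bwrap" ]; then
        printf '%s: not installed\n' "$bwrap"
        return 1
    fi
    if userns_disabled "$max_ns" "$clone"; then
        if is_setuid_root "$bwrap"; then
            printf '%s is setuid root and unprivileged userns are disabled: OK\n' "$bwrap"
            return 0
        fi
        printf '%s is NOT setuid root but unprivileged userns are disabled: install bubblewrap-suid\n' "$bwrap"
        return 1
    fi
    if is_setuid_root "$bwrap"; then
        printf '%s is setuid root but unprivileged userns are available: revert to the stock bubblewrap\n' "$bwrap"
        return 1
    fi
    printf '%s is not setuid and unprivileged userns are available: OK\n' "$bwrap"
    return 0
}

# Run the audit; pass another path as $1 to inspect a different binary.
audit_bwrap "$@" || printf 'bwrap does not match the kernel policy\n' >&2
```

Run it once before the override (expect the "install bubblewrap-suid" line) and once after the reboot (expect "OK"); the same script flags the opposite mistake if someone later re-enables user namespaces but leaves the setuid package layered.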

Issues & Contributions

Feel free to open issues or pull requests for improvements and bug fixes. 😄 Be mindful that this repository is simply the Bubblewrap project packaged with the SUID bit set; bugs in bwrap itself belong upstream.


Active Releases

The following unofficial repositories are provided as-is by the owner of this project. Contact the owner directly for bugs or issues (i.e. not Bugzilla).

Release     Architectures     Repo         Download
Fedora 38   x86_64 (141)*     Fedora 38    16 downloads
Fedora 39   x86_64 (1031)*    Fedora 39    197 downloads

* Total number of downloaded packages.