Group :: Sistema/Base
RPM: bubblewrap
Main Changelog Spec Patches Sources Download Gear Bugs e FR Repocop
%def_enable selinux
# "setuid" or "none"
%define priv_mode setuid
%if %priv_mode == "setuid"
%def_disable userns
%endif
Name: bubblewrap
Version: 0.7.0
Release: alt1
Summary: Unprivileged sandboxing tool
Group: System/Base
License: LGPLv2+
Url: https://github.com/projectatomic/bubblewrap
Packager: Vitaly Lipatov <lav at altlinux.ru>
# Source-url: https://github.com/projectatomic/bubblewrap/releases/download/v%version/bubblewrap-%version.tar.xz
Vcs: https://github.com/projectatomic/bubblewrap.git
Source: %name-%version.tar
#Source: https://github.com/projectatomic/%name/releases/download/v%version/%name-%version.tar.xz
Patch1: bubblewrap-fix-run-path.patch
%if %priv_mode == "none"
Requires(pre): libcap-utils
%endif
BuildRequires(pre): rpm-macros-meson
BuildRequires: meson gcc-c++ binutils-devel libelf-devel
BuildRequires: db2latex-xsl docbook-style-xsl libcap-devel xsltproc
BuildRequires: python3 bash-completion
%{?_enable_selinux:BuildRequires: libselinux-devel}
%description
Many container runtime tools like systemd-nspawn, docker, etc. focus on providing
infrastructure for system administrators and orchestration tools (e.g. Kubernetes) to run containers.
These tools are not suitable to give to unprivileged users,
because it is trivial to turn such access into to a fully privileged root shell on the host.
%prep
%setup
%patch1 -p1
%build
%meson \
%{?_disable_selinux:-Dselinux=disabled} \
%{?_enable_userns:-Drequire_userns=true}
%nil
%meson_build
%install
%meson_install
%if_enabled userns
mkdir -p %buildroot%_sysctldir
cat > %buildroot%_sysctldir/90-bwrap.conf << _EOF_
kernel.userns_restrict = 0
_EOF_
%endif
%if %priv_mode == "none"
%post
setcap -q "cap_sys_admin,cap_net_admin,cap_sys_chroot,cap_setuid,cap_setgid=ep" %_bindir/bwrap 2>/dev/null ||:
%endif
%files
%if %priv_mode == "setuid"
%attr(4511,root,root) %_bindir/bwrap
%else
%_bindir/bwrap
%endif
%{?_enable_userns:%_sysctldir/90-bwrap.conf}
%_man1dir/bwrap*
%_datadir/bash-completion/completions/bwrap
%_datadir/zsh/site-functions/_bwrap
%changelog
…
Todas as alterações você pod ver aqui
# "setuid" or "none"
%define priv_mode setuid
%if %priv_mode == "setuid"
%def_disable userns
%endif
Name: bubblewrap
Version: 0.7.0
Release: alt1
Summary: Unprivileged sandboxing tool
Group: System/Base
License: LGPLv2+
Url: https://github.com/projectatomic/bubblewrap
Packager: Vitaly Lipatov <lav at altlinux.ru>
# Source-url: https://github.com/projectatomic/bubblewrap/releases/download/v%version/bubblewrap-%version.tar.xz
Vcs: https://github.com/projectatomic/bubblewrap.git
Source: %name-%version.tar
#Source: https://github.com/projectatomic/%name/releases/download/v%version/%name-%version.tar.xz
Patch1: bubblewrap-fix-run-path.patch
%if %priv_mode == "none"
Requires(pre): libcap-utils
%endif
BuildRequires(pre): rpm-macros-meson
BuildRequires: meson gcc-c++ binutils-devel libelf-devel
BuildRequires: db2latex-xsl docbook-style-xsl libcap-devel xsltproc
BuildRequires: python3 bash-completion
%{?_enable_selinux:BuildRequires: libselinux-devel}
%description
Many container runtime tools like systemd-nspawn, docker, etc. focus on providing
infrastructure for system administrators and orchestration tools (e.g. Kubernetes) to run containers.
These tools are not suitable to give to unprivileged users,
because it is trivial to turn such access into to a fully privileged root shell on the host.
%prep
%setup
%patch1 -p1
%build
%meson \
%{?_disable_selinux:-Dselinux=disabled} \
%{?_enable_userns:-Drequire_userns=true}
%nil
%meson_build
%install
%meson_install
%if_enabled userns
mkdir -p %buildroot%_sysctldir
cat > %buildroot%_sysctldir/90-bwrap.conf << _EOF_
kernel.userns_restrict = 0
_EOF_
%endif
%if %priv_mode == "none"
%post
setcap -q "cap_sys_admin,cap_net_admin,cap_sys_chroot,cap_setuid,cap_setgid=ep" %_bindir/bwrap 2>/dev/null ||:
%endif
%files
%if %priv_mode == "setuid"
%attr(4511,root,root) %_bindir/bwrap
%else
%_bindir/bwrap
%endif
%{?_enable_userns:%_sysctldir/90-bwrap.conf}
%_man1dir/bwrap*
%_datadir/bash-completion/completions/bwrap
%_datadir/zsh/site-functions/_bwrap
%changelog
…
Todas as alterações você pod ver aqui