Description
📦 bubblewrap-suid
This repository contains the .spec file for bundling a setuid variant of Bubblewrap as an RPM.
This allows using flatpaks on immutable OSTree distributions with user.max_user_namespaces = 0 and kernel.unprivileged_userns_clone = 0 set.
CI
Currently the Bubblewrap releases are tracked manually. The goal for this repository is for it to track them automatically.
Install
Get the COPR .repo file:
curl -s https://copr.fedorainfracloud.org/coprs/34n0s/bubblewrap-suid/repo/fedora-39/34n0s-bubblewrap-suid-fedora-39.repo | sudo tee /etc/yum.repos.d/34n0s-bubblewrap-suid-fedora-39.repo
Override the bubblewrap (without suid) package:
sudo rpm-ostree override replace --experimental --freeze --from repo='copr:copr.fedorainfracloud.org:34n0s:bubblewrap-suid' bubblewrap-suid
Develop
Build locally
This has to be done on an RPM-based Linux distribution and is tested on a Fedora Silverblue 39 VM.
Install required RPM build tools and dependencies:
rpm-ostree install -y rpmdevtools rpmlint docbook-style-xsl meson libcap-devel libselinux-devel gcc
Create the required file tree:
rpmdev-setuptree
Clone this repo and cd into it:
git clone https://github.com/34N0/bubblewrap-suid-rpm && cd bubblewrap-suid-rpm
Download the bubblewrap source:
spectool -g -R bubblewrap-suid.spec
Build the RPM from spec:
rpmbuild -ba bubblewrap-suid.spec
Test locally
Change into the RPM folder:
cd ~/rpmbuild/RPMS/x86_64
Override the bubblewrap package:
rpm-ostree override replace bubblewrap-suid-<version>.fc39.x86_64.rpm
Disabling unprivileged user namespaces
Edit the sysctl config:
sudo nano /etc/sysctl.d/99-sysctl.conf
Add the following lines:
user.max_user_namespaces = 0
kernel.unprivileged_userns_clone = 0
Load the parameters:
sudo sysctl --system
Reboot the VM!
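After the reboot, a check like the following confirms the state this procedure is meant to produce: both sysctls are configured and live, and the installed bwrap carries the setuid bit. This is an added example, not part of this repository; the /usr/bin/bwrap path and the function names are assumptions, and a sysctl the running kernel does not expose is reported as "absent" instead of failing.

```shell
#!/bin/sh
# Added example, not part of the repository. Assumptions: bwrap is installed
# at /usr/bin/bwrap and the sysctl file is the one edited in the README.

# Print the value a sysctl.d-style FILE assigns to KEY (last assignment wins),
# or "unset". Comment lines (# or ;) and a leading "-" on the key are ignored.
configured_value() {  # FILE KEY
    awk -F= -v want="$2" '
        /^[ \t]*[#;]/ { next }
        NF >= 2 {
            k = $1; v = $2
            gsub(/[ \t]/, "", k); sub(/^-/, "", k); gsub(/[ \t]/, "", v)
            if (k == want) last = v
        }
        END { print (last == "" ? "unset" : last) }' "$1"
}

# Print the live value of KEY under ROOT (normally /proc/sys), or "absent"
# when the running kernel does not expose that sysctl.
live_value() {  # ROOT KEY
    p="$1/$(printf '%s' "$2" | tr . /)"
    if [ -r "$p" ]; then cat "$p"; else echo absent; fi
}

# Succeed only if user.max_user_namespaces reads 0 and
# kernel.unprivileged_userns_clone is 0 wherever it exists.
userns_disabled() {  # ROOT
    [ "$(live_value "$1" user.max_user_namespaces)" = 0 ] || return 1
    c=$(live_value "$1" kernel.unprivileged_userns_clone)
    [ "$c" = 0 ] || [ "$c" = absent ]
}

# Succeed if FILE is a regular file with the setuid bit set.
is_setuid() { [ -f "$1" ] && [ -u "$1" ]; }

check_host() {
    conf=/etc/sysctl.d/99-sysctl.conf
    for k in user.max_user_namespaces kernel.unprivileged_userns_clone; do
        echo "$k: file=$(configured_value "$conf" "$k") live=$(live_value /proc/sys "$k")"
    done
    if userns_disabled /proc/sys; then echo "userns: disabled"; else echo "userns: ENABLED"; fi
    if is_setuid /usr/bin/bwrap; then echo "bwrap: setuid"; else echo "bwrap: NOT setuid"; fi
}

# Run the host check only when asked, e.g.: sh check.sh --check
if [ "${1:-}" = --check ]; then check_host; fi
```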
Issues & Contributions
Feel free to open issues or pull requests for improvements or bug fixes. 😄 Be mindful that this repository is simply the Bubblewrap project with the SUID bit set.
Installation Instructions
Instructions not filled in by author. Author knows what to do. Everybody else should avoid this repo.
Active Releases
The following unofficial repositories are provided as-is by owner of this project. Contact the owner directly for bugs or issues (IE: not bugzilla).
This is a companion discussion topic for the original entry at https://copr.fedorainfracloud.org/coprs/secureblue/bubblewrap-suid