Patch | Description | Author | Forwarded | Bugs | Origin | Last update |
---|---|---|---|---|---|---|
tests-Explicitly-unshare-userns-when-testing-disable-user.patch | tests: Explicitly unshare userns when testing --disable-userns If we're running the tests as uid 0 with capabilities, then bwrap will not create a new user namespace by default, which means the limit won't be exceeded and the test will fail. Make sure we always try to create the new user namespace. | Simon McVittie <smcv@collabora.com> | yes | | | 2023-02-23 |
tests-Try-harder-to-evade-disable-userns.patch | tests: Try harder to evade --disable-userns The worst-case scenario in terms of enforcing --disable-userns is that we're retaining all capabilities, so test that too, to make sure that the option is genuinely restricting even a privileged user. | Simon McVittie <smcv@collabora.com> | yes | | | 2023-02-23 |
Add-bind-fd-and-ro-bind-fd-to-let-you-bind-a-O_PATH-fd.patch | Add --bind-fd and --ro-bind-fd to let you bind a O_PATH fd. This is useful for example if you for some reason don't have the real path. It is also a way to make bind-mounts race-free (i.e. to have the mount actually be the thing you wanted to be mounted, avoiding issues where some other process replaces the target in parallel with the bwrap launch). Unfortunately due to some technical details we can't actually directly mount the dirfd, as they come from different user namespace which is not permitted, but at least we can delay resolving the fd to a path as much as possible, and then validate after mount that we actually mounted the right thing. [smcv: Adjust unit test for backport to 0.8.x] | Alexander Larsson <alexl@redhat.com> | no | | | 2024-06-18 |
debian/Change-EPERM-error-message-to-show-Debian-specific-inform.patch | Change EPERM error message to show Debian-specific information | Simon McVittie <smcv@debian.org> | not-needed | | | 2021-01-01 |