feat: update bubblewrap to 0.11.0-2+deb13u1

NEWS.md

@@ -0,0 +1,51 @@
+bubblewrap 0.11.0
+=================
+
+Released: 2024-10-30
+
+Dependencies:
+
+  * Remove the Autotools build system. Meson ≥ 0.49.0 is now required
+    at build-time. (#625, Hugo Osvaldo Barrera)
+
+  * For users of bash-completion, bash-completion ≥ 2.10 is recommended.
+    With older bash-completion, bubblewrap might install completions
+    outside its `${prefix}` unless overridden with `-Dbash_completion_dir=…`.
+
+Enhancements:
+
+  * New `--overlay`, `--tmp-overlay`, `--ro-overlay` and `--overlay-src`
+    options allow creation of overlay mounts.
+    This feature is not available when bubblewrap is installed setuid.
+    (#412, #663; Ryan Hendrickson, William Manley, Simon McVittie)
+
+  * New `--level-prefix` option produces output that can be parsed by
+    tools like `logger --prio-prefix` and `systemd-cat --level-prefix=1`
+    (#646, Simon McVittie)
+
+Bug fixes:
+
+  * Handle `EINTR` when doing I/O on files or sockets (#657, Simon McVittie)
+
+  * Don't make assumptions about alignment of socket control message data
+    (#637, Simon McVittie)
+
+  * Silence some Meson deprecation warnings (#647, @Sertonix)
+
+  * Update URLs in documentation to https (#566, @TotalCaesar659)
+
+  * Improve tests' compatibility with busybox (#627, @Sertonix)
+
+  * Improve compatibility with Meson < 1.3.0 (#664, Simon McVittie)
+
+Internal changes:
+
+  * Consistently use `<stdbool.h>` for booleans (#660, Simon McVittie)
+
+  * Avoid `-Wshadow` compiler warnings (#661, Simon McVittie)
+
+  * Update Github Actions configuration (#658, Simon McVittie)
+
+----
+
+See also <https://github.com/containers/bubblewrap/releases>

README.md

@@ -77,7 +77,7 @@ Users
 This program can be shared by all container tools which perform
 non-root operation, such as:
 
- - [Flatpak](http://www.flatpak.org)
+ - [Flatpak](https://www.flatpak.org)
  - [rpm-ostree unprivileged](https://github.com/projectatomic/rpm-ostree/pull/209)
  - [bwrap-oci](https://github.com/projectatomic/bwrap-oci)
 
@@ -92,25 +92,15 @@ Installation
 bubblewrap is available in the package repositories of the most Linux distributions
 and can be installed from there.
 
-If you need to build bubblewrap from source, you can do this with meson or autotools.
+If you need to build bubblewrap from source, you can do this with meson:
 
-meson:
-
-```
+```sh
 meson _builddir
 meson compile -C _builddir
 meson test -C _builddir
 meson install -C _builddir
 ```
 
-autotools:
-
-```
-./autogen.sh
-make
-sudo make install
-```
-
 Usage
 -----
 
@@ -155,18 +145,18 @@ Any such directories you specify mounted `nodev` by default, and can be made rea
 
 Additionally you can use these kernel features:
 
-User namespaces ([CLONE_NEWUSER](http://linux.die.net/man/2/clone)): This hides all but the current uid and gid from the
+User namespaces ([CLONE_NEWUSER](https://linux.die.net/man/2/clone)): This hides all but the current uid and gid from the
 sandbox. You can also change what the value of uid/gid should be in the sandbox.
 
-IPC namespaces ([CLONE_NEWIPC](http://linux.die.net/man/2/clone)): The sandbox will get its own copy of all the
+IPC namespaces ([CLONE_NEWIPC](https://linux.die.net/man/2/clone)): The sandbox will get its own copy of all the
 different forms of IPCs, like SysV shared memory and semaphores.
 
-PID namespaces ([CLONE_NEWPID](http://linux.die.net/man/2/clone)): The sandbox will not see any processes outside the sandbox. Additionally, bubblewrap will run a trivial pid1 inside your container to handle the requirements of reaping children in the sandbox. This avoids what is known now as the [Docker pid 1 problem](https://blog.phusion.nl/2015/01/20/docker-and-the-pid-1-zombie-reaping-problem/).
+PID namespaces ([CLONE_NEWPID](https://linux.die.net/man/2/clone)): The sandbox will not see any processes outside the sandbox. Additionally, bubblewrap will run a trivial pid1 inside your container to handle the requirements of reaping children in the sandbox. This avoids what is known now as the [Docker pid 1 problem](https://blog.phusion.nl/2015/01/20/docker-and-the-pid-1-zombie-reaping-problem/).
 
 
-Network namespaces ([CLONE_NEWNET](http://linux.die.net/man/2/clone)): The sandbox will not see the network. Instead it will have its own network namespace with only a loopback device.
+Network namespaces ([CLONE_NEWNET](https://linux.die.net/man/2/clone)): The sandbox will not see the network. Instead it will have its own network namespace with only a loopback device.
 
-UTS namespace ([CLONE_NEWUTS](http://linux.die.net/man/2/clone)): The sandbox will have its own hostname.
+UTS namespace ([CLONE_NEWUTS](https://linux.die.net/man/2/clone)): The sandbox will have its own hostname.
 
 Seccomp filters: You can pass in seccomp filters that limit which syscalls can be done in the sandbox. For more information, see [Seccomp](https://en.wikipedia.org/wiki/Seccomp).
 

bind-mount.c

@@ -76,7 +76,7 @@ match_token (const char *token, const char *token_end, const char *str)
   if (token == token_end)
     return *str == 0;
 
-  return FALSE;
+  return false;
 }
 
 static unsigned long
@@ -281,12 +281,12 @@ parse_mountinfo (int  proc_fd,
         die ("Can't parse mountinfo line");
       rest = line + consumed;
 
-      rest = skip_token (rest, TRUE); /* mountroot */
+      rest = skip_token (rest, true); /* mountroot */
       mountpoint = rest;
-      rest = skip_token (rest, FALSE); /* mountpoint */
+      rest = skip_token (rest, false); /* mountpoint */
       mountpoint_end = rest++;
       options = rest;
-      rest = skip_token (rest, FALSE); /* vfs options */
+      rest = skip_token (rest, false); /* vfs options */
       options_end = rest;
 
       *mountpoint_end = 0;
@@ -324,7 +324,7 @@ parse_mountinfo (int  proc_fd,
       MountInfoLine *parent = by_id[this->parent_id];
       MountInfoLine **to_sibling;
       MountInfoLine *sibling;
-      bool covered = FALSE;
+      bool covered = false;
 
       if (!has_path_prefix (this->mountpoint, root_mount))
         continue;
@@ -333,7 +333,7 @@ parse_mountinfo (int  proc_fd,
         continue;
 
       if (strcmp (parent->mountpoint, this->mountpoint) == 0)
-        parent->covered = TRUE;
+        parent->covered = true;
 
       to_sibling = &parent->first_child;
       sibling = parent->first_child;
@@ -344,7 +344,7 @@ parse_mountinfo (int  proc_fd,
            * covered by the sibling, and we drop it. */
           if (has_path_prefix (this->mountpoint, sibling->mountpoint))
             {
-              covered = TRUE;
+              covered = true;
               break;
             }
 
@@ -405,7 +405,7 @@ bind_mount (int           proc_fd,
   if (resolved_dest == NULL)
     return BIND_MOUNT_ERROR_REALPATH_DEST;
 
-  dest_fd = open (resolved_dest, O_PATH | O_CLOEXEC);
+  dest_fd = TEMP_FAILURE_RETRY (open (resolved_dest, O_PATH | O_CLOEXEC));
   if (dest_fd < 0)
     {
       if (failing_path != NULL)
@@ -499,7 +499,7 @@ bind_mount_result_to_string (bind_mount_result res,
                              bool *want_errno_p)
 {
   char *string = NULL;
-  bool want_errno = TRUE;
+  bool want_errno = true;
 
   switch (res)
     {
@@ -521,7 +521,7 @@ bind_mount_result_to_string (bind_mount_result res,
 
       case BIND_MOUNT_ERROR_FIND_DEST_MOUNT:
         string = xasprintf ("Unable to find \"%s\" in mount table", failing_path);
-        want_errno = FALSE;
+        want_errno = false;
         break;
 
       case BIND_MOUNT_ERROR_REMOUNT_DEST:
@@ -557,9 +557,12 @@ die_with_bind_result (bind_mount_result res,
                       ...)
 {
   va_list args;
-  bool want_errno = TRUE;
+  bool want_errno = true;
   char *message;
 
+  if (bwrap_level_prefix)
+    fprintf (stderr, "<%d>", LOG_ERR);
+
   fprintf (stderr, "bwrap: ");
 
   va_start (args, format);