package/bubblewrap: new package

Bubblewrap is a sandboxing tool based on kernel namespaces, typically
used as lower-level infastructure by other end-user tools e.g. Flatpak.

https://github.com/containers/bubblewrap

Signed-off-by: Adrian Perez de Castro <aperez@igalia.com>
[Peter: needs mmu and !musl toolchain]
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>

diff --git a/DEVELOPERS b/DEVELOPERS
index e6c44b0671d888096b0392b36bd8fd748da625f3..a1f94df951b0682091c7951e5a3ca5348ad93f47 100644 (file)
--- a/DEVELOPERS
+++ b/DEVELOPERS
@@ -81,6 +81,7 @@ F:    package/jack1/
 
 N:     Adrian Perez de Castro <aperez@igalia.com>
 F:     package/brotli/
+F:     package/bubblewrap/
 F:     package/cog/
 F:     package/libepoxy/
 F:     package/libwpe/

diff --git a/package/Config.in b/package/Config.in
index 37861387e8e49f00288494b00e1f626f9c113115..9e2b78fe6a5a687a5f2e2ca844233d538f22c812 100644 (file)
--- a/package/Config.in
+++ b/package/Config.in
@@ -2237,6 +2237,7 @@ menu "System tools"
        source "package/atop/Config.in"
        source "package/attr/Config.in"
        source "package/audit/Config.in"
+       source "package/bubblewrap/Config.in"
        source "package/cgroupfs-mount/Config.in"
        source "package/circus/Config.in"
        source "package/coreutils/Config.in"

diff --git a/package/bubblewrap/Config.in b/package/bubblewrap/Config.in
new file mode 100644 (file)
index 0000000..b83f046
--- /dev/null
+++ b/package/bubblewrap/Config.in
@@ -0,0 +1,13 @@
+config BR2_PACKAGE_BUBBLEWRAP
+       bool "bubblewrap"
+       depends on BR2_TOOLCHAIN_USES_UCLIBC || BR2_TOOLCHAIN_USES_GLIBC # TEMP_FAILURE_RETRY
+       depends on BR2_USE_MMU # fork()
+       select BR2_PACKAGE_LIBCAP
+       help
+         Unprivileged sandbox tool based on Linux namespaces.
+
+         https://github.com/projectatomic/bubblewrap
+
+comment "bubblewrap needs a glibc or uclibc toolchain"
+       depends on !(BR2_TOOLCHAIN_USES_UCLIBC || BR2_TOOLCHAIN_USES_GLIBC)
+       depends on BR2_USE_MMU

diff --git a/package/bubblewrap/bubblewrap.hash b/package/bubblewrap/bubblewrap.hash
new file mode 100644 (file)
index 0000000..c8177d0
--- /dev/null
+++ b/package/bubblewrap/bubblewrap.hash
@@ -0,0 +1,5 @@
+# Locally computed:
+sha256 c6a45f51794a908b76833b132471397a7413f07620af08e76c273d9f7b364dff bubblewrap-0.3.3.tar.xz
+
+# Hash for license files:
+sha256 b7993225104d90ddd8024fd838faf300bea5e83d91203eab98e29512acebd69c COPYING

diff --git a/package/bubblewrap/bubblewrap.mk b/package/bubblewrap/bubblewrap.mk
new file mode 100644 (file)
index 0000000..83bbb1b
--- /dev/null
+++ b/package/bubblewrap/bubblewrap.mk
@@ -0,0 +1,40 @@
+################################################################################
+#
+# bubblewrap
+#
+################################################################################
+
+BUBBLEWRAP_VERSION = 0.3.3
+BUBBLEWRAP_SITE = https://github.com/containers/bubblewrap/releases/download/v$(BUBBLEWRAP_VERSION)
+BUBBLEWRAP_SOURCE = bubblewrap-$(BUBBLEWRAP_VERSION).tar.xz
+BUBBLEWRAP_DEPENDENCIES = host-pkgconf libcap
+
+BUBBLEWRAP_LICENSE = LGPL-2.0+
+BUBBLEWRAP_LICENSE_FILES = COPYING
+
+BUBBLEWRAP_CONF_OPTS = \
+       --enable-require-userns=no \
+       --disable-man \
+       --disable-sudo \
+       --with-priv-mode=none
+
+ifeq ($(BR2_PACKAGE_BASH_COMPLETION),y)
+BUBBLEWRAP_CONF_OPTS += --with-bash-completion-dir=/usr/share/bash-completion/completions
+else
+BUBBLEWRAP_CONF_OPTS += --without-bash-completion-dir
+endif
+
+ifeq ($(BR2_PACKAGE_LIBSELINUX),y)
+BUBBLEWRAP_CONF_OPTS += --enable-selinux
+BUBBLEWRAP_DEPENDENCIES += libselinux
+else
+BUBBLEWRAP_CONF_OPTS += --disable-selinux
+endif
+
+# We need to mark bwrap as setuid, in case the kernel
+# has user namespaces disabled for non-root users.
+define BUBBLEWRAP_PERMISSIONS
+       /usr/bin/bwrap f 1755 0 0 - - - - -
+endef
+
+$(eval $(autotools-package))