/bubblewrap-suid-rpm

📦 bubblewrap-suid | Core execution tool for unprivileged containers (setuid variant). Contains the .spec file for bundling a setuid variant of Bubblewrap as an RPM.

GNU General Public License v3.0GPL-3.0

📦 bubblewrap-suid

This repository contains the .spec file for bundling a setuid variant of Bubblewrap as an RPM.

This allows using flatpaks on immutable OSTree distributions with user.max_user_namespaces = 0 and kernel.unprivileged_userns_clone = 0 set.

CI

Currently the Bubblewrap releases are tracked manually. The goal for this repository is for it to track automatically

Install

The following commands are needed to replace an existing bubblewrap package with bubblewrap-suid.

OSTree

Get the COPR .repo file

curl -s https://copr.fedorainfracloud.org/coprs/34n0s/bubblewrap-suid/repo/fedora-39/34n0s-bubblewrap-suid-fedora-39.repo | sudo tee /etc/yum.repos.d/34n0s-bubblewrap-suid-fedora-39.repo

Override bubblewrap (without suid) package

sudo rpm-ostree override replace --experimental --freeze --from repo='copr:copr.fedorainfracloud.org:34n0s:bubblewrap-suid' bubblewrap

DNF

Enable the COPR .repo file

sudo dnf copr enable 34n0s/bubblewrap-suid 

Override bubblewrap (without suid) package

sudo dnf swap bubblewrap bubblewrap-suid

Develop

Build locally

This has to be done on a RPM based Linux distribution and is tested on a Fedora Silverblue 39 VM.

Install required RPM build tools and dependencies:

rpm-ostree install -y rpmdevtools rpmlint docbook-style-xsl meson libcap-devel libselinux-devel gcc

Create the required file tree:

rpmdev-setuptree

Clone this repo and cd into it:

git clone https://github.com/34N0/bubblewrap-suid-rpm && cd bubblewrap-suid-rpm

Download bubblewrap source

spectool -g -R bubblewrap-suid.spec

Build the RPM from spec:

rpmbuild -ba bubblewrap-suid.spec

Test locally

Cd into the RPM folder:

cd ~/rpmbuild/RPMS/x86_64

Override the bubblewrap package:

rpm-ostree override replace bubblewrap-suid-<version>.fc39.x86_64.rpm

disabling unprivileged user namespaces

Edit the sysctl config:

sudo nano /etc/sysctl.d/99-sysctl.conf 

add the following lines:

user.max_user_namespaces = 0
kernel.unprivileged_userns_clone = 0

load the parameters:

sudo sysctl --system

reboot the VM!

Issues & Contributions

Feel free to open issues or pull requests for improvements, bug fixes. 😄 Be mindful that this repository is simply the Bubblewrap project with the SUID bit set.