author | Marius Bakke <mbakke@fastmail.com> | 2018-12-11 22:18:05 +0100 |
---|---|---|
committer | Marius Bakke <mbakke@fastmail.com> | 2018-12-11 22:18:05 +0100 |
commit | b03e4fd5269897448124a7b61a737802b2c638ee (patch) | |
tree | e4eaab1d3076e335c57eea462ff7fda7919f0831 /gnu/packages/virtualization.scm | |
parent | da3c6a7f19ef1243af725f63c16c8fd92fde33b4 (diff) | |
parent | 99aad42138e0895df51e64e1261984f277952516 (diff) | |
download | guix-patches-b03e4fd5269897448124a7b61a737802b2c638ee.tar guix-patches-b03e4fd5269897448124a7b61a737802b2c638ee.tar.gz |
Merge branch 'master' into core-updates
Diffstat (limited to 'gnu/packages/virtualization.scm')
-rw-r--r-- | gnu/packages/virtualization.scm | 58 |
1 files changed, 58 insertions, 0 deletions
diff --git a/gnu/packages/virtualization.scm b/gnu/packages/virtualization.scm
index e3b9925059..0502bb38c4 100644
--- a/gnu/packages/virtualization.scm
+++ b/gnu/packages/virtualization.scm
@@ -9,6 +9,7 @@
 ;;; Copyright © 2017, 2018 Tobias Geerinckx-Rice <me@tobias.gr>
 ;;; Copyright © 2018 Danny Milosavljevic <dannym@scratchpost.org>
 ;;; Copyright © 2018 Sou Bunnbu <iyzsong@member.fsf.org>
+;;; Copyright © 2018 Julien Lepiller <julien@lepiller.eu>
 ;;;
 ;;; This file is part of GNU Guix.
 ;;;
@@ -99,6 +100,8 @@
              (method url-fetch)
              (uri (string-append "https://download.qemu.org/qemu-"
                                  version ".tar.xz"))
+             (patches (search-patches "qemu-CVE-2018-16847.patch"
+                                      "qemu-CVE-2018-16867.patch"))
              (sha256
               (base32
                "04sp3f1gp4bdb913jf7fw761njaqp2l32wgipp1sapmxx17zcyld"))))
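Review bot: The new `patches` form names two CVE fixes, but nothing here ties them to the upstream QEMU commits they backport, so the next version bump cannot tell from the package alone whether they have been absorbed or must be carried forward. If the patch files do not already record the upstream commit references in their headers, add them there, or note it above the form: `;; Backports of upstream fixes for CVE-2018-16847 and CVE-2018-16867; drop once a release containing them is packaged.` The `origin` form this hunk edits starts and ends outside the hunk.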
@@ -998,3 +1001,58 @@ the image.
 @code{vagrant} command line executable, allowing programmatic control of
 Vagrant virtual machines.")
     (license license:expat)))
+
+(define-public bubblewrap
+  (package
+    (name "bubblewrap")
+    (version "0.3.1")
+    (source (origin
+              (method url-fetch)
+              (uri (string-append "https://github.com/projectatomic/bubblewrap/"
+                                  "releases/download/v" version "/bubblewrap-"
+                                  version ".tar.xz"))
+              (sha256
+               (base32
+                "1y2bdlxnlr84xcbf31lzirc292c5ak9bd2wvcvh4ppsliih6pjny"))))
+    (build-system gnu-build-system)
+    (arguments
+     `(#:phases
+       (modify-phases %standard-phases
+         (add-after 'unpack 'fix-test
+           (lambda* (#:key outputs #:allow-other-keys)
+             ;; Tests try to access /var/tmp, which is not possible in our build
+             ;; environment. Let's give them another directory.
+             ;; /tmp gets overriden in some tests, so we need another directory.
+             ;; the only possibility is the output directory.
+             (let ((tmp-dir (string-append (assoc-ref outputs "out") "/tmp")))
+               (mkdir-p tmp-dir)
+               (substitute* "tests/test-run.sh"
+                 (("/var/tmp") tmp-dir)
+                 ;; Tests create a temporary python script, so fix its shebang.
+                 (("/usr/bin/env python") (which "python"))
+                 ;; Some tests try to access /usr, but that doesn't exist.
+                 ;; Give them /gnu instead.
+                 (("/usr") "/gnu")
+                 ((" */bin/bash") (which "bash"))
+                 (("/bin/sh") (which "sh"))
+                 (("findmnt") (which "findmnt"))))
+             #t))
+         ;; Remove the directory we gave to tests to have a clean package.
+         (add-after 'check 'remove-tmp-dir
+           (lambda* (#:key outputs #:allow-other-keys)
+             (delete-file-recursively (string-append (assoc-ref outputs "out") "/tmp"))
+             #t)))))
+    (inputs
+     `(("libcap" ,libcap)))
+    (native-inputs
+     `(("python-2" ,python-2)
+       ("util-linux" ,util-linux)))
+    (home-page "https://github.com/projectatomic/bubblewrap")
+    (synopsis "Unprivileged sandboxing tool")
+    (description "Bubblewrap is aimed at running applications in a sandbox,
+where it has restricted access to parts of the operating system or user data
+such as the home directory. Bubblewrap always creates a new mount namespace,
+and the user can specify exactly what parts of the filesystem should be visible
+in the sandbox. Any such directories specified is mounted nodev by default,
+and can be made readonly.")
+    (license license:lgpl2.0+)))
|
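Review bot: The definition advertises an unprivileged sandbox but records nothing about how `bwrap` obtains privileges on a kernel that forbids unprivileged user namespaces; `gnu-build-system` presumably installs it without setuid, so an operator in that situation would have to add it to the system's setuid programs, and a comment next to `(build-system gnu-build-system)` such as `;; Installed without setuid; kernels that disallow unprivileged user namespaces need bwrap in the system's setuid programs.` would save that investigation. In the `substitute*` form, the `(("/usr") "/gnu")` clause is an unanchored regexp that appears to spare the Python shebang only because the `/usr/bin/env python` clause is listed before it; anchoring the pattern or adding `;; Must run after the shebang fix above, which consumes its /usr.` would make that ordering dependence explicit. The phase comment `/tmp gets overriden` should read `overridden`.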