bwrap 1.2.0 → 1.3.1

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: d341ff2f9550758a2fcbcdac6812c1b85a77acf6154015654d1d4980c3cf00e1
-  data.tar.gz: 680c94999f6c1bbe5524a11ead5e380d07c46a51978b5b51827f373a73836cee
+  metadata.gz: 2d50d32e5158e20f7a5a1f75124c8b657a12b54b3392612d5aa11e9717add289
+  data.tar.gz: 7ac4aede1519880cd7c4e48d233688d1fb0d2ade75e8dc202bd27969d9c28428
 SHA512:
-  metadata.gz: 9c28d8c5653480c209e00178ee0b78d0eda49eb5b75addeddfd2837425f66af0576939bf1c18374614350fac1032f468494d79964015bfd1e6f03422e2114171
-  data.tar.gz: d1f3febe2016fb724dda28e13e0b3f2ad054e3eb146794dbdca179e04a3641c9fdc8f92c91d79ec4e5614cd75946db5672c3397fd57a718e91e0050ae0f224b3
+  metadata.gz: 88dfdab0abd2342289724060107c1a8fcc681eac5a4b24f402e316cc8d4470e33cb9fe11f7be1072b2dc0b97f3b1fc10e7df92bce192f0de9de9978f423237c0
+  data.tar.gz: 76fc0bd2dc04e98b3254a540813212a6b9fb7cba1b7c0f64f49a19577106eb0dc8efac79215e4f689a229e1bfce57e9b9ca0926347d552d28000aa815697892f

data/CHANGELOG.md

@@ -1,5 +1,19 @@
 # Changes
 
+## 1.3.1 (06.01.2023)
+
+* Renewed expired key
+
+## 1.3.0 (06.01.2023)
+
+NOTE: No gem was released due expired key.
+
+* Introduced llvm-readelf as additional dependency for library resolution.
+* Fix library resolution on newer systems.
+* Made resolv.conf binding to require a configuration option.
+* Added option for --unshare-all (enabled by default, which is previous behaviour).
+* Return output of the command with Bwrap#run
+
 ## 1.2.0 (20.07.2022)
 
 * Properly throw execution failure exception

data/README.md

@@ -20,6 +20,15 @@ Or install it yourself as:
 
     $ gem install bwrap
 
+Running system must have following executables present:
+  - scanelf (from pax-utils)
+
+Additionally, for musl executables and libraries, following are necessary:
+  - ldd
+
+Additionally, for glibc executables and libraries, following are necessary:
+  - llvm-readelf
+
 ## Usage
 
 For now this is under ongoing development, though semantic versioning will apply.

data/lib/bwrap/args/bind.rb

@@ -53,10 +53,6 @@ class Bwrap::Args::Bind
     #
     # Or maybe the data should be calculated and these are excluded in
     # Construct#bwrap_arguments?
-    #
-    # NOTE: After making Config optional, now this requires config to be preset
-    # for full_system_mounts option to have any effect. Maybe it should always
-    # be like so by default...?
     return if @config && !@config&.full_system_mounts
 
     @library_bind.handle_given_command

data/lib/bwrap/args/construct.rb

@@ -10,6 +10,7 @@ require_relative "environment"
 require_relative "features"
 require_relative "machine_id"
 require_relative "mount"
+require_relative "namespace"
 require_relative "network"
 require_relative "user"
 
@@ -63,7 +64,7 @@ class Bwrap::Args::Construct
     proc_mount
     tmp_as_tmpfs
     @bind.bind_home_directory
-    @args.add :unshare_all, "--unshare-all" # Practically means that there would be nothing in the sandbox by default.
+    @namespace.shares
     @network.share_net
     @network.hostname
     @args.add :environment, @environment.environment_variables
@@ -145,6 +146,9 @@ class Bwrap::Args::Construct
     @machine_id = Bwrap::Args::MachineId.new
     @machine_id.config = @config
 
+    @namespace = Bwrap::Args::Namespace.new @args
+    @namespace.config = @config
+
     @network = Bwrap::Args::Network.new @args
     @network.config = @config
 

data/lib/bwrap/args/namespace.rb

@@ -0,0 +1,25 @@
+# frozen_string_literal: true
+
+require "bwrap/output"
+require_relative "args"
+
+# Namespace related arguments.
+#
+# Mostly for handling --unshare-*
+class Bwrap::Args::Namespace
+  include Bwrap::Output
+
+  # Instance of {Config}.
+  attr_writer :config
+
+  # @param args [Bwrap::Args::Args] Arguments to be passed to bwrap.
+  def initialize args
+    @args = args
+  end
+
+  def shares
+    return unless @config&.unshare_all
+
+    @args.add :unshare_all, "--unshare-all" # Practically means that there would be nothing in the sandbox by default.
+  end
+end

data/lib/bwrap/args/network.rb

@@ -24,7 +24,12 @@ class Bwrap::Args::Network
   end
 
   # Arguments to read-only bind /etc/resolv.conf.
+  #
+  # TODO: Probably it should be checked if target will have the symlink present before
+  #   doing this automatically. For that reason, now this will need a flag.
   def resolv_conf
+    return unless @config&.resolv_conf
+
     # We can’t really bind symlinks, so let’s resolve real path to resolv.conf, in case it is symlinked.
     source_resolv_conf = Pathname.new "/etc/resolv.conf"
     source_resolv_conf = source_resolv_conf.realpath

data/lib/bwrap/bwrap.rb

@@ -98,9 +98,11 @@ class Bwrap::Bwrap
     kwargs[:log_callback] ||= 1
     kwargs[:log_callback] += 1
 
-    execute exec_command, **kwargs
+    result = execute exec_command, **kwargs
 
     @construct.cleanup
+
+    result
   end
 
   # Convenience method to executes a command that is inside bwrap.

data/lib/bwrap/config.rb

@@ -53,8 +53,6 @@ class Bwrap::Config
   # @return [#each] Array of executables to bind
   attr_accessor :extra_executables
 
-  # TODO: IIRC this doesn’t match the reality any more. So write correct documentation.
-  #
   # Causes libraries required by the executable given to {Bwrap#run} to be
   # mounted inside sandbox.
   #
@@ -62,6 +60,10 @@ class Bwrap::Config
   # using {#libdir_mounts=}
   #
   # @return [Boolean] true if Linux library loaders are mounted inside chroot
+  #
+  # TODO: Since this only causes given executable be scanned for dependencies,
+  #   and not ”--bind / /”, this one should be deprecated and something like
+  #   ”@config.bind_dependents = true” should be added as alias of this.
   attr_accessor :full_system_mounts
 
   # If set to `true`, things like /dev/dri is bound to sandbox to enable usage
@@ -98,9 +100,22 @@ class Bwrap::Config
   #   Given file as bound as /etc/machine_id.
   attr_accessor :machine_id
 
+  # If set to truthy, /etc/resolv.conf will be bound to target.
+  attr_accessor :resolv_conf
+
   # @return [Boolean] true if network should be shared from host.
   attr_accessor :share_net
 
+  # Set to truthy to remove (see bwrap’s --unshare-all) all namespaces from
+  # target chroot.
+  #
+  # Defaults to true.
+  #
+  # TODO: Create more fine grained control for sharing logic than this one.
+  #
+  # @return [Boolean] true if all namespaces are tried to be removed from target.
+  attr_accessor :unshare_all
+
   # Name of the user inside chroot.
   #
   # This is optional and defaults to no user.
@@ -166,6 +181,7 @@ class Bwrap::Config
     @env_paths = []
     @ro_binds = {}
     @tmpdir = Dir.tmpdir
+    @unshare_all = true
   end
 
   def binaries_from= array

data/lib/bwrap/exceptions.rb

@@ -0,0 +1 @@
+# frozen_string_literal: true

data/lib/bwrap/execution.rb

@@ -1,5 +1,6 @@
 # frozen_string_literal: true
 
+require_relative "exceptions"
 require_relative "bwrap_module"
 
 # Declare Execution module here so Bwrap::Execution module is

data/lib/bwrap/resolvers/library/base.rb

@@ -0,0 +1,22 @@
+# frozen_string_literal: true
+
+require "bwrap/execution"
+require "bwrap/output"
+require_relative "../library"
+
+# Base definitions for library resolver subclasses.
+class Bwrap::Resolvers::Library::Base
+  include Bwrap::Execution
+  include Bwrap::Output
+
+  private def convert_binary_paths binary_paths
+    case binary_paths
+    when String
+      [ binary_paths ]
+    when Pathname
+      [ binary_paths.to_s ]
+    else
+      binary_paths
+    end
+  end
+end

data/lib/bwrap/resolvers/library/library.rb

@@ -0,0 +1,74 @@
+# frozen_string_literal: true
+
+require "bwrap/execution"
+require "bwrap/output"
+require_relative "llvm_readelf"
+require_relative "musl"
+require_relative "../resolvers"
+
+# See ../library.rb for class documentation.
+class Bwrap::Resolvers::Library
+  include Bwrap::Execution
+  include Bwrap::Output
+
+  # NOTE: This caching can be made more efficient, but need to look at it later, what to do about it.
+  @@needed_libraries_cache ||= []
+
+  # Empties `@@needed_libraries_cache`.
+  def self.clear_needed_libraries_cache
+    @@needed_libraries_cache.clear
+  end
+
+  class << self
+    def needed_libraries_cache
+      @@needed_libraries_cache
+    end
+  end
+
+  # Otherwise similar to {#needed_libraries}, but checks used libc to handle musl executables.
+  #
+  # @param executable [String] Path to the executable to find dependencies for
+  # @return [Array] Libraries the executable needs, if any
+  def libraries_needed_by executable
+    trace "Finding libraries needed by #{executable}"
+
+    # %i == interpreter, the library used to load the executable by kernel.
+    # %F == Path to given file.
+    output_format = "%i::SEPARATOR::%F"
+    scanelf_command = %W{ scanelf --nobanner --quiet --format #{output_format} }
+    scanelf_command << executable
+
+    data = execvalue scanelf_command
+
+    # If data is empty, target probably is a script of some sort.
+    if data.empty?
+      return []
+    end
+
+    data = data.strip
+    interpreter, _executable_path = data.split "::SEPARATOR::"
+    interpreter = Pathname.new interpreter
+
+    if interpreter.basename.to_s[0..6] == "ld-musl"
+      trace "Resolved to musl interpreter: #{interpreter}"
+      musl_needed_libraries executable
+    else
+      trace "Defaulting to glibc interpreter: #{interpreter}"
+      # For glibc, scanelf can return full paths for us most of time.
+      needed_libraries executable
+    end
+  end
+
+  # @param binary_paths [String, Array] one or more paths to be resolved
+  def musl_needed_libraries binary_paths
+    musl = Musl.new
+    @needed_libraries = musl.needed_libraries binary_paths
+  end
+
+  # @param binary_paths [String, Array] one or more paths to be resolved
+  def needed_libraries binary_paths
+    llvm_readelf = LLVMReadelf.new
+    @needed_libraries = llvm_readelf.needed_libraries binary_paths
+  end
+end
+# class Library ended

data/lib/bwrap/resolvers/library/llvm_readelf.rb

@@ -0,0 +1,133 @@
+# frozen_string_literal: true
+
+require_relative "base"
+
+# Used via {Bwrap::Resolvers::Library}.
+#
+# @api private
+class Bwrap::Resolvers::Library::LLVMReadelf < Bwrap::Resolvers::Library::Base
+  # Resolve dependents using llvm-readelf.
+  #
+  # @param binary_paths [String, Array] one or more paths to be resolved
+  def needed_libraries binary_paths
+    raise ArgumentError, "binary_paths is nil, expected an Array" if binary_paths.nil?
+
+    trace "Finding libraries #{binary_paths} requires"
+    @needed_libraries = []
+
+    llvm_readelf_command = %w{ llvm-readelf --needed-libs }
+
+    binary_paths = convert_binary_paths binary_paths
+
+    # Check if the exe is already resolved.
+    binary_paths.delete_if do |binary_path|
+      Bwrap::Resolvers::Library.needed_libraries_cache.include? binary_path
+    end
+
+    return [] if binary_paths.empty?
+
+    data = execvalue(llvm_readelf_command + binary_paths)
+    parse_llvm_readelf_output binary_paths, data
+
+    @needed_libraries
+  end
+
+  # Parses output returned by llvm-readelf --needed-libraries
+  #
+  # Sets libraries to @needed_libraries variable.
+  private def parse_llvm_readelf_output binary_paths, data
+    iter = data.split("\n").each
+    source_binary = binary_paths.first
+    begin
+      while (line = iter.next)
+        source_binary = line[6..-1].strip if line[0..5] == "File: "
+        next unless line[0..16] == "NeededLibraries ["
+
+        while (library = iter.next)
+          library = library.strip
+          # End of library list for current NeededLibraries block.
+          break if library == "]"
+
+          library = convert_to_full_path source_binary, library
+
+          add_library_to_needed_libraries library
+        end
+      end
+    rescue StopIteration
+      # End of the iteration.
+    end
+  end
+
+  # NOTE: Maybe this could be in general file here, if needed elsewhere also?
+  #   This also applies to some other methods here.
+  #
+  # Finds where given library would be loaded from.
+  #
+  # source_binary is used to to if it has RPATH set as third possibility.
+  # TODO: Implement above.
+  #
+  # @param source_binary [String] Executable or library which is loading the binary
+  private def convert_to_full_path source_binary, library
+    # TODO: Somewhere put a cleanup for this variable, so this is erased
+    #  before application is run. That will save at least 200 kB of memory.
+    @@ld_so_cache ||= File.read("/etc/ld.so.cache", mode: "rb")
+
+    path_regex = %r{[\w\-/. ]{3,}}
+
+    check_next = false
+    @@ld_so_cache.scan(path_regex).each do |match|
+      if check_next
+        # TODO: Any sense checking for executable bit?
+        return match if File.exist? match
+
+        check_next = false
+      end
+
+      check_next = true if match == library
+    end
+
+    warn "Failed to resolve full path of library #{library}, needed by #{source_binary}."
+    library
+  end
+
+  # @param library [Array] library to add.
+  private def add_library_to_needed_libraries library
+    raise ArgumentError, "library is nil, expected a String" if library.nil?
+
+    return if @needed_libraries.include? library
+
+    # Probably no sense to log these unless tracing,
+    # as dependencies should work most of time.
+    #
+    # It also outputs tons of output for more complex programs.
+    trace "Binding #{library}"
+
+    @needed_libraries << library
+
+    # Also check if requisite libraries needs some libraries.
+    inner = Bwrap::Resolvers::Library.new
+    @needed_libraries |= inner.needed_libraries library
+
+    Bwrap::Resolvers::Library.needed_libraries_cache << library
+  end
+
+  # @param libraries [Array] libraries to add.
+  private def add_libraries_to_needed_libraries libraries
+    # Add to needed libraries if not already added.
+    (@needed_libraries & libraries).each do |library|
+      # Probably no sense to log these unless tracing,
+      # as dependencies should work most of time.
+      #
+      # It also outputs tons of output for more complex programs.
+      trace "Binding #{library}"
+    end
+
+    @needed_libraries |= libraries
+
+    # Also check if requisite libraries needs some libraries.
+    inner = Bwrap::Resolvers::Library.new
+    @needed_libraries |= inner.needed_libraries libraries
+
+    Bwrap::Resolvers::Library.needed_libraries_cache |= libraries
+  end
+end

data/lib/bwrap/resolvers/library/musl.rb

@@ -0,0 +1,54 @@
+# frozen_string_literal: true
+
+require_relative "base"
+
+# Used via {Bwrap::Resolvers::Library}.
+#
+# @api private
+class Bwrap::Resolvers::Library::Musl < Bwrap::Resolvers::Library::Base
+  # @param binary_paths [String, Array] one or more paths to be resolved
+  def needed_libraries binary_paths
+    trace "Finding musl libraries #{binary_paths} requires"
+    @needed_libraries = []
+
+    binary_paths = convert_binary_paths binary_paths
+
+    # Check if the exe is already resolved.
+    binary_paths.delete_if do |binary_path|
+      Bwrap::Resolvers::Library.needed_libraries_cache.include? binary_path
+    end
+
+    return [] if binary_paths.empty?
+
+    binary_paths.each do |binary_path|
+      output = execvalue %W{ ldd #{binary_path} }
+      lines = output.split "\n"
+      _interpreter_line = lines.shift
+
+      lines.each do |line|
+        parse_ldd_line line
+      end
+    end
+
+    @needed_libraries
+  end
+
+  # Used by {#musl_needed_libraries}.
+  private def parse_ldd_line line
+    line = line.strip
+    _library_name, library_data = line.split " => "
+
+    matches = library_data.match(/(.*) \(0x[0-9a-f]+\)/)
+    library_path = matches[1]
+
+    unless @needed_libraries.include? library_path
+      @needed_libraries << library_path
+    end
+
+    # Also check if requisite libraries needs some libraries.
+    inner = Bwrap::Resolvers::Library.new
+    @needed_libraries |= inner.musl_needed_libraries library_path
+
+    Bwrap::Resolvers::Library.needed_libraries_cache << library_path
+  end
+end

data/lib/bwrap/resolvers/library.rb

@@ -1,160 +1,12 @@
 # frozen_string_literal: true
 
-require "bwrap/execution"
-require "bwrap/output"
 require_relative "resolvers"
 
 # Class to clean up namespace for implementation specific reasons.
 #
 # @api private
 class Bwrap::Resolvers::Library
-  include Bwrap::Execution
-  include Bwrap::Output
-
-  # NOTE: This caching can be made more efficient, but need to look at it later, what to do about it.
-  @@needed_libraries_cache ||= []
-
-  # Empties `@@needed_libraries_cache`.
-  def self.clear_needed_libraries_cache
-    @@needed_libraries_cache.clear
-  end
-
-  # Otherwise similar to {#needed_libraries}, but checks used libc to handle musl executables.
-  #
-  # @param executable [String] Path to the executable to find dependencies for
-  # @return [Array] Libraries the executable needs, if any
-  def libraries_needed_by executable
-    # %i == interpreter, the library used to load the executable by kernel.
-    # %F == Path to given file.
-    output_format = "%i::SEPARATOR::%F"
-    scanelf_command = %W{ scanelf --nobanner --quiet --format #{output_format} }
-    scanelf_command << executable
-
-    data = execvalue scanelf_command
-
-    # If data is empty, target probably is a script of some sort.
-    if data.empty?
-      return []
-    end
-
-    data = data.strip
-    interpreter, _executable_path = data.split "::SEPARATOR::"
-    interpreter = Pathname.new interpreter
-
-    if interpreter.basename.to_s[0..6] == "ld-musl"
-      musl_needed_libraries executable
-    else
-      # For glibc, scanelf can return full paths for us most of time.
-      needed_libraries executable
-    end
-  end
-
-  # @param binary_paths [String, Array] one or more paths to be resolved
-  def musl_needed_libraries binary_paths
-    trace "Finding musl libraries #{binary_paths} requires"
-    @needed_libraries = []
-
-    binary_paths = convert_binary_paths binary_paths
-
-    # Check if the exe is already resolved.
-    binary_paths.delete_if do |binary_path|
-      @@needed_libraries_cache.include? binary_path
-    end
-
-    return [] if binary_paths.empty?
-
-    binary_paths.each do |binary_path|
-      output = execvalue %W{ ldd #{binary_path} }
-      lines = output.split "\n"
-      _interpreter_line = lines.shift
-
-      lines.each do |line|
-        parse_ldd_line line
-      end
-    end
-
-    @needed_libraries
-  end
-
-  # @param binary_paths [String, Array] one or more paths to be resolved
-  def needed_libraries binary_paths
-    trace "Finding libraries #{binary_paths} requires"
-    @needed_libraries = []
-
-    # %i == interpreter, the library used to load the executable by kernel.
-    output_format = "%F::SEPARATOR::%n"
-    scanelf_command = %W{ scanelf --nobanner --quiet --format #{output_format} --ldcache --needed }
-
-    binary_paths = convert_binary_paths binary_paths
-
-    # Check if the exe is already resolved.
-    binary_paths.delete_if do |binary_path|
-      @@needed_libraries_cache.include? binary_path
-    end
-
-    return [] if binary_paths.empty?
-
-    data = execvalue(scanelf_command + binary_paths)
-    trace "scanelf found following libraries: #{data}"
-
-    lines = data.split "\n"
-    lines.each do |line|
-      parse_scanelf_line line
-    end
-
-    @needed_libraries
-  end
-
-  private def convert_binary_paths binary_paths
-    if binary_paths.is_a? String
-      [ binary_paths ]
-    elsif binary_paths.is_a? Pathname
-      [ binary_paths.to_s ]
-    else
-      binary_paths
-    end
-  end
-
-  # Used by {#needed_libraries}.
-  private def parse_scanelf_line line
-    binary_path, libraries_line = line.split "::SEPARATOR::"
-    libraries = libraries_line.split ","
-
-    # Add to needed libraries if not already added.
-    (@needed_libraries & libraries).each do |library|
-      # Probably no sense to log these unless tracing,
-      # as dependencies should work most of time.
-      #
-      # It also outputs tons of output for more complex programs.
-      trace "Binding #{library} as dependency of #{binary_path}"
-    end
-
-    @needed_libraries |= libraries
-
-    # Also check if requisite libraries needs some libraries.
-    inner = Bwrap::Resolvers::Library.new
-    @needed_libraries |= inner.needed_libraries libraries
-
-    @@needed_libraries_cache |= libraries
-  end
-
-  # Used by {#musl_needed_libraries}.
-  private def parse_ldd_line line
-    line = line.strip
-    _library_name, library_data = line.split " => "
-
-    matches = library_data.match(/(.*) \(0x[0-9a-f]+\)/)
-    library_path = matches[1]
-
-    unless @needed_libraries.include? library_path
-      @needed_libraries << library_path
-    end
-
-    # Also check if requisite libraries needs some libraries.
-    inner = Bwrap::Resolvers::Library.new
-    @needed_libraries |= inner.musl_needed_libraries library_path
-
-    @@needed_libraries_cache << library_path
-  end
+  # Declared here only for convenience.
 end
-# class Library ended
+
+require_relative "library/library"

data/lib/bwrap/version.rb

@@ -2,7 +2,7 @@
 
 module Bwrap
   # Current version of bwrap.
-  VERSION = "1.2.0"
+  VERSION = "1.3.1"
 end
 
 require "deep-cover" if ENV["DEEP_COVER"]

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: bwrap
 version: !ruby/object:Gem::Version
-  version: 1.2.0
+  version: 1.3.1
 platform: ruby
 authors:
 - Samu Voutilainen
@@ -10,8 +10,8 @@ bindir: bin
 cert_chain:
 - |
   -----BEGIN CERTIFICATE-----
-  MIIEJDCCAoygAwIBAgIBATANBgkqhkiG9w0BAQsFADAeMRwwGgYDVQQDDBNid3Jh
-  cC9EQz1zbWFyL0RDPWZpMB4XDTIxMTAyMDA0NTkwOVoXDTIyMTAyMDA0NTkwOVow
+  MIID8DCCAligAwIBAgIBAjANBgkqhkiG9w0BAQsFADAeMRwwGgYDVQQDDBNid3Jh
+  cC9EQz1zbWFyL0RDPWZpMB4XDTIzMDEwNjA2NTUyNFoXDTI0MDEwNjA2NTUyNFow
   HjEcMBoGA1UEAwwTYndyYXAvREM9c21hci9EQz1maTCCAaIwDQYJKoZIhvcNAQEB
   BQADggGPADCCAYoCggGBAKUQ5wFdLLIejwiCNeGMlbApquoC0jT59H+d6zOLWxYd
   RRdum9G1lxFFFolEsFj5RSplg/SlhAhYRMUjDHiSk/usxVcOt28h4sdiFTbi1zKA
@@ -21,20 +21,19 @@ cert_chain:
   NqpsI0mQejnq+QdiNz9gAWObO+UhrOv5S7E0NYQTaf1e3G56kCmIG9p0pFXjWNPx
   DhL6YDoizVSQKTllYWbDhBx0+D+sevtmKAy0vHDAY33teAQYOxgeE/iXqvvROPU7
   HNOAqNazQHwPsTepLT9Dc/5bVbazL1MNNiWh5ZYjmJnlGSttHhM/xsZZkckJ20oh
-  0iJSyUprpR2epHP8832n6wIDAQABo20wazAJBgNVHRMEAjAAMAsGA1UdDwQEAwIE
-  sDAdBgNVHQ4EFgQUywyVCkA/Pr5zdaaMvAVlHKSXeJkwGAYDVR0RBBEwD4ENYndy
-  YXBAc21hci5maTAYBgNVHRIEETAPgQ1id3JhcEBzbWFyLmZpMA0GCSqGSIb3DQEB
-  CwUAA4IBgQB6mMDP9dY/aJZhNgZMx2d18nPLuKzTUieWJv13uPDileUbN0/nr+w4
-  dFDOTa/yjcp0mWQLF1mP/f3T8cwExlZzffftjX7dDZQJNWx3OCUHyS3GRowAE61F
-  dIWRUjd3RBfZEVrx/xY1OVp5T+N8Qn6g84Xp2OxO8GR95YlFX4WKun8f6kDEjfVi
-  m+Kso0RI4aJ93vOlm56mteupRLPyrA7dIcXG1qsglckNk3NnNvtAPSC7ncI43N3x
-  NZXFxgnAa3HZcJPhaPWpViVvrSdIYAa8ZLhvfIaDml3RE320+MenIWIqnpuwiFCg
-  jpHgtXCEQSwZTEkKj7NoUBkDjVOKnF6CB9nR4l564+BRWvtN0RJBKMmBIx3LP9vm
-  BwxPnxDROuNLx3wckCTGRH61p/K84L6Y2VEC6X+A2ztKVIjv+qRgH6NdhGFOf8US
-  X4ioQwEn1/9tHs19VO1CLF58451HgEo1BXd7eWLmV1V5cqw0YWok1ly4L/Su/Phf
-  MRxVMHiVAqY=
+  0iJSyUprpR2epHP8832n6wIDAQABozkwNzAJBgNVHRMEAjAAMAsGA1UdDwQEAwIE
+  sDAdBgNVHQ4EFgQUywyVCkA/Pr5zdaaMvAVlHKSXeJkwDQYJKoZIhvcNAQELBQAD
+  ggGBAGmSe4zkcmNd3JfmTA9CDpBu3j6qiPnbk2x8vTjDQAyAGRjX8Depzz39jUbF
+  cmmL/J5XqqkZaYy7X+w2nWVYk8BwmAP3ft6L6qO0rmZhOtfsyTzf0fI1zY20Y98W
+  uoDoS2cL6fIJ8Gv6B4tXCSZO1cQOHMAhzAeRGbfn0InbDtalfVbYFmnmo9PqJz4C
+  kRUFHNCTRt+YAneAZ2gAU4r89EuNheyyEmPonWHjCwPIGKS/rsChFWIU22wrZkGd
+  aWT3as+jC2gDiQTw82JalFWsqK9p9UxsRt1lkV4mb5NSDcKl7ApI1TAW2EANeLOx
+  PWJbiDgQIrErC5lDu25gzWF+g5sYc7uaMcKxS8BqAggMWuW/lUcNX8e+4WdDAPgO
+  tDIK8ZQo4kVJE9EQTA4LsP4TMNDn18vBr0aIY92p+uq31rocusojfAszU50DSw3M
+  7a31nUjVeQjpooaUQi6ECFr+Neidh3jhzreVfXqjxMkPOYLlCAmd9E1izCTRIgLS
+  cAzqsw==
   -----END CERTIFICATE-----
-date: 2022-07-20 00:00:00.000000000 Z
+date: 2023-01-06 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: bundler
@@ -158,6 +157,7 @@ files:
 - lib/bwrap/args/features/ruby_binds.rb
 - lib/bwrap/args/machine_id.rb
 - lib/bwrap/args/mount.rb
+- lib/bwrap/args/namespace.rb
 - lib/bwrap/args/network.rb
 - lib/bwrap/args/user.rb
 - lib/bwrap/bwrap.rb
@@ -166,6 +166,7 @@ files:
 - lib/bwrap/config/features.rb
 - lib/bwrap/config/features/base.rb
 - lib/bwrap/config/features/ruby.rb
+- lib/bwrap/exceptions.rb
 - lib/bwrap/execution.rb
 - lib/bwrap/execution/exceptions.rb
 - lib/bwrap/execution/exec.rb
@@ -182,6 +183,10 @@ files:
 - lib/bwrap/output/output_impl.rb
 - lib/bwrap/resolvers/executable.rb
 - lib/bwrap/resolvers/library.rb
+- lib/bwrap/resolvers/library/base.rb
+- lib/bwrap/resolvers/library/library.rb
+- lib/bwrap/resolvers/library/llvm_readelf.rb
+- lib/bwrap/resolvers/library/musl.rb
 - lib/bwrap/resolvers/mime.rb
 - lib/bwrap/resolvers/resolvers.rb
 - lib/bwrap/version.rb