
Contrary to documentation Bubblewrap leaves mount capability available.

Open TimothyEBaldwin opened this issue 7 years ago • 1 comments

The man page states:

By default no caps are left in the sandboxed process.

Additionally, one would expect --ro-bind to prevent writing by the sandboxed process.

However when started by uid 0 this is not the case and files can be written (assuming /tmp is a mount point):

unshare -Ur ./bwrap --ro-bind / / sh -c 'mount -obind,remount,rw /tmp; touch /tmp/test'

unshare -Ur ./bwrap --unshare-user --ro-bind / / sh -c 'mount -obind,remount,rw /tmp; touch /tmp/test'

This is supported by the comment on line 697 of bubblewrap.c.

If our uid is 0, default to inheriting all caps; the caller can drop them via --cap-drop. This is used by at least rpm-ostree. Note this needs to happen before the argument parsing of --cap-drop.

So should bwrap behave as documented, or should the documentation be fixed?

Also if caps are explicitly added:

./bwrap --unshare-user --uid 0 --cap-add ALL --ro-bind / / sh -c 'mount -obind,remount,rw /tmp; touch /tmp/test'

This could be avoided by creating the final user namespace after setting up the mounts, which one might expect, but this creates other problems:

  • Unshare PID before unshare USER, PID namespace is owned by wrong user namespace.
  • Mount /proc before unshare PID, /proc has wrong PID namespace.
  • Unshare USER before mount /proc, /proc can be unmounted.

I suggest that this is documented, with a workaround of nesting bwrap.

TimothyEBaldwin avatar Sep 02 '18 11:09 TimothyEBaldwin

LOL

$ bwrap --dev-bind / / cat /proc/self/status | grep Cap
CapInh:	0000000000000000
CapPrm:	0000000000000000
CapEff:	0000000000000000
CapBnd:	0000000000000000
CapAmb:	0000000000000000
$ unshare -r bwrap --dev-bind / / cat /proc/self/status | grep Cap
CapInh:	0000000000000000
CapPrm:	000001ffffffffff
CapEff:	000001ffffffffff
CapBnd:	000001ffffffffff
CapAmb:	0000000000000000
$ unshare -r bwrap --dev-bind / / --cap-drop ALL cat /proc/self/status | grep Cap
CapInh:	0000000000000000
CapPrm:	0000000000000000
CapEff:	0000000000000000
CapBnd:	000001ffffffffff
CapAmb:	0000000000000000

edit: Fedora 34, bubblewrap 0.4.1 non-suid

rusty-snake avatar Jul 10 '21 08:07 rusty-snake
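A small checker for the output format in the reply above, added here as an example and not part of the issue or of bubblewrap itself: it parses the Cap* lines of /proc/<pid>/status and flags an effective CAP_SYS_ADMIN (the capability that lets `mount -o remount,rw` defeat `--ro-bind`) as well as a bounding set that `--cap-drop ALL` did not clear. The three sample blocks reuse the values rusty-snake posted; the capability bit numbers come from linux/capability.h.

```python
import re

# Capability bit numbers from <linux/capability.h>; only the ones that matter for
# bypassing --ro-bind (CAP_SYS_ADMIN permits the rw remount) or regaining privilege.
CAP_NAMES = {0: "CAP_CHOWN", 1: "CAP_DAC_OVERRIDE", 6: "CAP_SETGID", 7: "CAP_SETUID",
             8: "CAP_SETPCAP", 12: "CAP_NET_ADMIN", 16: "CAP_SYS_MODULE",
             19: "CAP_SYS_PTRACE", 21: "CAP_SYS_ADMIN", 27: "CAP_MKNOD", 31: "CAP_SETFCAP"}
CAP_SYS_ADMIN = 21
CAP_LINE = re.compile(r"^(Cap(?:Inh|Prm|Eff|Bnd|Amb)):\s*([0-9a-fA-F]+)\s*$", re.M)


def parse_cap_status(status_text):
    """Parse the Cap* lines of /proc/<pid>/status into {name: int bitmask}."""
    return {name: int(hexmask, 16) for name, hexmask in CAP_LINE.findall(status_text)}


def caps_in_mask(mask):
    """Expand a bitmask into capability names (bits not in CAP_NAMES appear as CAP_<bit>)."""
    return [CAP_NAMES.get(b, f"CAP_{b}") for b in range(mask.bit_length()) if mask >> b & 1]


def audit_sandbox_caps(status_text):
    """Findings to review before trusting --ro-bind for the process that printed status_text."""
    caps = parse_cap_status(status_text)
    eff, bnd = caps.get("CapEff", 0), caps.get("CapBnd", 0)
    findings = []
    if eff >> CAP_SYS_ADMIN & 1:
        findings.append("CapEff holds CAP_SYS_ADMIN: the process can remount --ro-bind paths rw")
    elif eff:
        findings.append("CapEff non-empty: " + ", ".join(caps_in_mask(eff)))
    if bnd:
        # The bounding set limits what a later execve can gain; --cap-drop ALL above left it full.
        findings.append(f"CapBnd not cleared ({bin(bnd).count('1')} caps): execve can still gain caps")
    return {"effective": caps_in_mask(eff), "bounding_count": bin(bnd).count("1"),
            "findings": findings}


def _status(inh, prm, eff, bnd, amb):
    """Build a /proc/<pid>/status fragment in the same layout as the output above."""
    sets = ("Inh", "Prm", "Eff", "Bnd", "Amb")
    return "".join(f"Cap{k}:\t{v}\n" for k, v in zip(sets, (inh, prm, eff, bnd, amb)))


FULL, NONE = "000001ffffffffff", "0000000000000000"
SAMPLE_PLAIN = _status(NONE, NONE, NONE, NONE, NONE)         # bwrap --dev-bind / / ...
SAMPLE_UNSHARE_R = _status(NONE, FULL, FULL, FULL, NONE)     # unshare -r bwrap ...
SAMPLE_CAP_DROP_ALL = _status(NONE, NONE, NONE, FULL, NONE)  # ... --cap-drop ALL ...

if __name__ == "__main__":
    for label, sample in (("plain", SAMPLE_PLAIN), ("unshare -r", SAMPLE_UNSHARE_R),
                          ("cap-drop ALL", SAMPLE_CAP_DROP_ALL)):
        print(label, audit_sandbox_caps(sample)["findings"])
```

To check a real sandbox, feed it `bwrap ... cat /proc/self/status` output instead of the samples.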