
Entering an existing sandbox created by bubblewrap without special privileges

Open: amtlib-dot-dll opened this issue 7 years ago • 1 comment

bubblewrap creates namespaces without special privileges, but it can only create new ones. In order to enter those namespaces, nsenter should be run with CAP_SYS_ADMIN.

In the GNOME launcher we can launch new instances of an application. However, the two instances of the application are in two different namespaces, which confuses the application and wastes system resources.

One way is to implement some listener in the running bwrap process with authentication, and when the user requests to launch something new inside the sandbox, launch it.

PS: This would introduce a lot of complex logic, and IMHO C++ may be a better tool for it.

amtlib-dot-dll, Jan 22 '18 13:01

Nice idea!

smtalk, Apr 18 '20 22:04