[Question] bubblewrap with network namespaces
It has been discussed before here and the problem seemed to have to do with privilege.
But assuming you don't care to be unprivileged when you do it, how do you force a piece of software you bubble wrapped to be using a separate namespace?
Is there any downside to doing:
sudo ip netns exec netns1 bwrap ...
The above will launch bwrap as root, is bwrap able to deal with that satisfactorily?
If not:
sudo -E ip netns exec netns1 sudo -E -u \#$(id -u) -g \#$(id -g) bwrap ...
Is there a problem with this?
Perhaps use opendoas instead of sudo.
> assuming you don't care to be unprivileged when you do it
If you don't care whether you're unprivileged, you don't need bubblewrap.
> > assuming you don't care to be unprivileged when you do it
>
> If you don't care whether you're unprivileged, you don't need bubblewrap.
The alternatives are either bloated and present a large attack surface (firejail) or don't play well with using a custom rootfs (firejail again and also minijail0). bwrap seems like the best solution if you want both a minimal container and sandbox.
You didn't address the question, btw.
The entire premise with bwrap is that it allows you to do some subset of things you cannot normally do as you are not root. If you are root, you don't need that, but can just set up namespaces and mounts however you want.
However, there is no problem with using bwrap as root.
Doesn't bubblewrap also support a suid mode? Why isn't there a switch that would enable network namespaces in this mode?
The setuid mode is extremely sensitive, as it means granting more privileges than otherwise to non-privileged users; it doesn’t mean we can just add whatever root can do to it.
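
An added example, not part of the thread and not bubblewrap's own code: a small wrapper around the privilege-dropping form from the question, plus a check that a given PID really sits in the named network namespace. The function names, the `NETNS_DIR` variable and the name whitelist are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes the namespace was created with
# `ip netns add`, so it is pinned at /run/netns/<name>, and that sudo is set up.
NETNS_DIR=${NETNS_DIR:-/run/netns}

# same_ns A B: succeed only if both paths resolve to the same namespace object
# (same device and inode after following links).
same_ns() {
    [ -e "$1" ] && [ -e "$2" ] && [ "$1" -ef "$2" ]
}

# pid_in_netns PID NAME: is PID's network namespace the named one? Run it as
# root against the sandboxed process's PID to confirm where it landed.
pid_in_netns() {
    same_ns "/proc/$1/ns/net" "$NETNS_DIR/$2"
}

# launch_prefix NAME UID GID: print the privilege-dropping prefix from the
# question (without -E). The name whitelist is this example's own restriction.
launch_prefix() {
    case $1 in
        ''|.|..|*[!A-Za-z0-9_.-]*) echo "bad netns name" >&2; return 1 ;;
    esac
    for n in "$2" "$3"; do
        case $n in
            ''|*[!0-9]*) echo "uid/gid must be numeric" >&2; return 1 ;;
        esac
    done
    printf 'sudo ip netns exec %s sudo -u #%s -g #%s --' "$1" "$2" "$3"
}

# run_in_netns NAME CMD...: refuse to start if the namespace is missing, then
# run CMD (for example bwrap and its options) inside it as the calling user.
run_in_netns() {
    ns=$1; shift
    [ -e "$NETNS_DIR/$ns" ] || { echo "no such netns: $ns" >&2; return 1; }
    prefix=$(launch_prefix "$ns" "$(id -u)" "$(id -g)") || return 1
    # Unquoted on purpose: every field of $prefix was validated above.
    $prefix "$@"
}
```

If bwrap is passed `--unshare-net`, the sandboxed process gets a fresh network namespace and `pid_in_netns` will report a mismatch for it.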