
Document possible sandbox restriction

Open brandsimon opened this issue 5 years ago • 5 comments

As explained here: https://github.com/containers/bubblewrap/issues/279#issuecomment-609475553 I document this, since it is information I wanted when first having contact with this tool. Besides that, I had a lot of fun with it, thank you to all of the contributors!

brandsimon avatar May 01 '20 18:05 brandsimon

Can one of the admins verify this patch? I understand the following commands:

  • bot, add author to whitelist
  • bot, test pull request
  • bot, test pull request once

rh-atomic-bot avatar May 01 '20 18:05 rh-atomic-bot

Since nothing happened here, I am not sure I missed something. Do I need to tell the bot a command?

brandsimon avatar Jun 17 '20 23:06 brandsimon

I don't understand this addition. The section you added to talks about the security of bubblewrap itself on a system. I.e. as a sysadmin I need to consider: is there an increased risk in installing the bwrap package on a system (it can be setuid root after all).

What does this have to do with browsers or other apps restricting themselves?

alexlarsson avatar Jun 30 '20 14:06 alexlarsson

It's true to say that for programs like web browsers, which aim to enforce a security boundary within themselves (between the UI and the web content), a program running inside a bubblewrap sandbox is less able to enforce that security boundary than a program running on the host system.

However, it's deeply misleading to say that in a paragraph that is otherwise talking about whether bubblewrap undermines the security boundary between ordinary users and root, or between one user and another. The Security section of the README is currently only talking about this security boundary, and the bubblewrap vulnerabilities that were fixed in the past, like CVE-2020-5291, were flaws in this boundary.

If you want the README to talk about both of those security boundaries, then it needs to be as clear as possible which one you're talking about at any given moment.

There is a third interesting security boundary, between the code that is run inside the bubblewrap sandbox and the code that runs outside. Enforcing this boundary is not bubblewrap's job: it provides mechanisms that a caller could use to enforce this boundary, but not all callers even want to do that, and bubblewrap does not force them to. For example, most Flatpak apps are designed to protect processes outside the sandbox, but a few Flatpak apps like gnome-builder are designed to be able to be allowed to execute arbitrary code outside the sandbox.

smcv avatar Jun 30 '20 14:06 smcv
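The third boundary described above (sandboxed code vs. the host) is the caller's choice, not something bwrap enforces. As an added example that is not part of this PR or of bubblewrap's own code, here are two bwrap argument lists built in Python, one that confines the command and one that deliberately keeps a path to the host, plus a small checker that names the gaps. The helper socket path, the `confined`/`cooperative` builders and the checker's heuristics are assumptions; the bwrap options used are real ones.

```python
"""Illustrative only: bwrap leaves the inside/outside boundary to its caller."""

# Subset of real bwrap options that take arguments, with their arity.
ARITY = {"--bind": 2, "--ro-bind": 2, "--dev-bind": 2, "--symlink": 2,
         "--proc": 1, "--dev": 1, "--tmpfs": 1, "--seccomp": 1, "--chdir": 1}

def parse_bwrap(argv):
    """Split a bwrap argv into (set of option names, [(option, args)]) up to '--'."""
    flags, opts, i = set(), [], 1  # argv[0] is "bwrap"
    while i < len(argv) and argv[i] != "--":
        opt = argv[i]
        n = ARITY.get(opt, 0)
        opts.append((opt, argv[i + 1:i + 1 + n]))
        flags.add(opt)
        i += 1 + n
    return flags, opts

def boundary_gaps(argv):
    """Heuristic list of ways sandboxed code could still reach the host.
    A writable bind is reported, not judged: the caller may want it."""
    flags, opts = parse_bwrap(argv)
    gaps = []
    if "--unshare-all" not in flags and "--unshare-pid" not in flags:
        gaps.append("shares host PID namespace")
    if ("--unshare-all" not in flags and "--unshare-net" not in flags) \
            or "--share-net" in flags:
        gaps.append("shares host network namespace")
    if "--new-session" not in flags:
        gaps.append("keeps the controlling terminal (see --new-session)")
    for opt, args in opts:
        if opt in ("--bind", "--dev-bind"):
            gaps.append(f"writable host path {args[0]}")
    return gaps

def confined(command):
    """Caller wants to protect the host (the usual Flatpak-app case)."""
    return ["bwrap", "--unshare-all", "--die-with-parent", "--new-session",
            "--ro-bind", "/usr", "/usr", "--symlink", "usr/bin", "/bin",
            "--symlink", "usr/lib", "/lib", "--proc", "/proc", "--dev", "/dev",
            "--tmpfs", "/tmp", "--"] + command

def cooperative(command, helper_socket):
    """Caller deliberately leaves a path to the host, like a builder-style tool.
    helper_socket is a hypothetical host-side control socket (assumed path)."""
    return ["bwrap", "--unshare-all", "--share-net", "--ro-bind", "/usr", "/usr",
            "--bind", helper_socket, helper_socket, "--proc", "/proc",
            "--dev", "/dev", "--"] + command

if __name__ == "__main__":
    print(boundary_gaps(confined(["sh"])))
    print(boundary_gaps(cooperative(["sh"], "/run/user/1000/helper.sock")))
```

Running the checker over both lists shows the confined one with no gaps and the cooperative one with the shared network, writable socket and terminal gaps, which is exactly the distinction the README text needs to keep separate from bwrap's own setuid boundary.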

I agree with you, valid point! I changed the PR and split the two sections.

brandsimon avatar Jul 11 '20 13:07 brandsimon

I rebased the branch and reworked the section. (Thank you @hartwork for your help.) Please let me know if you want any further changes.

brandsimon avatar Mar 19 '23 19:03 brandsimon

This has conflicts with #560, which I'm unable to resolve because the submitter did not give permission for bubblewrap maintainers to force-push to their branch, so I've pushed a slightly re-worded version as #621.

smcv avatar Feb 15 '24 14:02 smcv