bubblewrap icon indicating copy to clipboard operation
bubblewrap copied to clipboard

Published 20 hours ago verified publisher icon containers

Implement --compat

Open kulkom opened this issue 1 year ago • 4 comments

I hope everyone likes this pull request better than the last one.

kulkom avatar Apr 11 '23 17:04 kulkom

Also, I created this PR (and the previous terrible one) because I wanted bubblewrap to be more secure, especially after I found out that anyone can escape from my container because I didn't specify --new-session. However, now I understand that in that case the problem was not bubblewrap itself, but how I used it. So now, I think that it would be better for me to instead make a PR implementing an option with a name like --default-secure, which would flip most, if not all, of the defaults. (for example, with this option the parameter --unshare-all would become the default and one would need to specify --share-all to disable it, and --bind would have the behaviour of --ro-bind and one would have to specify --rw-bind to bind something with write permissions). I think that such a feature would be significantly better than adding --no-new-session and flipping the default would ever be.

kulkom avatar May 24 '23 17:05 kulkom

an option with a name like --default-secure

As I think I've explained several times already, it is not possible to implement such an option without making it deeply misleading, because this situation will inevitably happen:

  • the default behaviour of clone() in the Linux kernel is to share all state between parent and child, except for state that we explicitly unshare (this is a consequence of the kernel's strong backwards-compatibility rules)
  • you implement bwrap --default-secure which unshares all known namespaces
  • the kernel invents a new namespace, CLONE_NEWFOO, which unshares the new Foo namespace between parent and child
  • for maximum security (minimum sharing) we would ideally want --default-secure to unshare Foo too
  • but we now have two choices, both of them bad:
    • make --default-secure leave Foo shared, meaning it is less secure than it could be, and now we have to invent a --default-more-secure;
    • or make --default-secure unshare Foo too, which means its behaviour has incompatibly changed, and applications that relied on Foo being shared with parent processes will stop working

The way to do a similar thing without either adding a misleading option or randomly breaking apps is #455.

smcv avatar May 30 '23 10:05 smcv

I have implemented --compat. Currently with this PR --compat [anything but 0] will do these things:

  • use 0644 as the default permissions instead of 0666 for --file
  • die when more than one --seccomp option is specified
  • remove --disable-userns and make it's behaviour the default, create a new option --allow-userns
  • remove --new-session and make it's behaviour the default, create a new option --no-new-session

I'm not sure about my decision to remove --new-session and --disable-userns from compatability level 1 and to implement --no-new-session and --allow-userns only in compatability level 1 or later, so if that's a bad idea I will fix it. Also, I would still like to implement something like --default-secure, but now I'm not sure whether that would be a good idea.

kulkom avatar Jun 17 '23 21:06 kulkom

This is also missing any test coverage: tests/test-run.sh is using compat level 0 everywhere.

smcv avatar Sep 28 '23 12:09 smcv