bubblewrap

Low-level unprivileged sandboxing tool used by Flatpak and similar projects

Results 185 bubblewrap issues

First of all: Thanks for your great work! I'm running a hardened kernel where unprivileged users can't create user namespaces:

```
[root@machine ~]# sysctl kernel.unprivileged_userns_clone
kernel.unprivileged_userns_clone = 0
```

I...

> runc through 1.0-rc6, as used in Docker before 18.09.2 and other products, allows attackers to overwrite the host runc binary (and consequently obtain host root access) by leveraging the...

I would like to be able to run a program in a network namespace, but with the ability to act as a network client (but not server). This can be...

On systems where `bwrap` is setuid root, it is not possible to `ptrace` the container. This is annoying, but okay in most cases. However, one extremely useful feature of [playpen](/thestinger/playpen)...

This ensures that no process can overwrite it unless it has `CAP_LINUX_IMMUTABLE`, which helps protect against `/proc/self/exe` vulnerabilities. That said, Mandatory Access Control (such as SELinux, AppArmor, or SMACK) is...

Since bubblewrap is a suid application (on many systems), I had a look at the privilege dropping part. Taking this as an example https://www.oreilly.com/library/view/secure-programming-cookbook/0596003943/ch01s03.html there seem to be several things...

I try to mount a Fedora rootfs which employs the standard /etc/shadow system. > bwrap --bind / --unshare-user --uid 0 --gid 0 adduser foo adduser: cannot open /etc/gshadow whereas if I...

Hi, I'm trying to install a Flatpak app on a distro which predates Flatpak support. Error message: `Creating new namespace failed, likely because the kernel does not support user namespaces....

question

To date, bubblewrap doesn't work on WSL. Could a bubblewrap developer enumerate the things needed to have it work, so we can make a feature request at MSFT? Regards

[Flawfinder](https://dwheeler.com/flawfinder/) is a tool for checking source code against [Common Weakness](https://cwe.mitre.org/). I attached a report generated with `flawfinder -cQ bubblewrap` against the git repository. [flawfinder.txt](https://github.com/projectatomic/bubblewrap/files/2475483/flawfinder.txt)