bubblewrap issues

--bind fails if directories above are not +rx

I want to `--bind . /something`, but while the user has access to `.`, it intentionally has no access to `..` or several parent directories. This seems to fail at...

luke-jr

"--new-session" underadvertised and CVE-2017-5226 still a thing in 2023 by default?

11

Hi! Thanks for making bubblewrap and sharing it as Software Libre! :pray: Someone pointed out the importance of `--new-session` [on Hacker News](https://news.ycombinator.com/item?id=30825088) and I'm in debt to them for speaking...

hartwork

Update URLs to HTTPS

1

TotalCaesar659

Default behaviour of `--cap-drop`

2

The documentation of `--cap-drop` states: By default no caps are left in the sandboxed process. That seems not to be true: id uid=0(root) gid=0(root) groups=0(root) getpcaps $$ 14257: =ep bwrap...

cgzones

Allow --uid and --gid without --unshare-user when running as root

4

When root, it's not necessary to --unshare-user to be able to change uid/gid, so bubblewrap shouldn't require it.

DaanDeMeyer

Don't implicily enable --unshare-user when not running as root

1

If already in a user namespace, a regular user can have all the required permissions necessary for bubblewrap to function correctly. Hence bubblewrap shouldn't implicitly enable --unshare-user when not running...

DaanDeMeyer

Missing examples / tests for --userns2 option

9

Trying to get a grasp on the nested namespaces and how to enter those with --userns2 There are no examples or tests I can find For example when I run...

Sacred-Salamander

Problems re-entering all bwrap namespaces

2

I want to use a FUSE mount inside bubblewrap namespace and that to be seen for any other process I launch in that namespace Launching a shell as an example...

Sacred-Salamander

bubblewrap refuses to work with an unreachable automount

4

If you setup a systemd automount similar to this: ``` # var-home-user-mount.automount [Unit] Description=auto mount StartLimitIntervalSec=0 Requires=network.target [Automount] Where=/var/home/user/mount TimeoutIdleSec=10min [Install] WantedBy=remote-fs.target ``` ``` # var-home-user-mount.mount [Unit] Description=mount Requires=network.target StartLimitIntervalSec=0...

ghost

(Option 1) Fixed O(N^2) performance when handling --bind flags

2

Issue [#384](https://github.com/containers/bubblewrap/issues/384). I'll need some help from the bubblewrap maintainers to land this change. Please, review this. I'm not completely sure does it break something or not. But seems like...

witaway

bubblewrap
bubblewrap copied to clipboard

Metadata

--bind fails if directories above are not +rx

"--new-session" underadvertised and CVE-2017-5226 still a thing in 2023 by default?

Update URLs to HTTPS

Default behaviour of `--cap-drop`

Allow --uid and --gid without --unshare-user when running as root

Don't implicily enable --unshare-user when not running as root

Missing examples / tests for --userns2 option

Problems re-entering all bwrap namespaces

bubblewrap refuses to work with an unreachable automount

(Option 1) Fixed O(N^2) performance when handling --bind flags

← Metadata

Owner

Metadata

bubblewrap bubblewrap copied to clipboard

Metadata

← Metadata

Owner

Metadata

bubblewrap
bubblewrap copied to clipboard