bubblewrap

bubblewrap copied to clipboard

More about codespell: https://github.com/codespell-project/codespell . I personally introduced it to dozens if not hundreds of projects already and so far only positive feedback. CI workflow has 'permissions' set only to...

yarikoptic

Add a --not-a-security-boundary option

6

Depending on the options that it's given, the new namespaces created by bubblewrap might be: * a sandboxed environment, with a security boundary between the real system and the sandbox...

smcv

Bwrap seems to fail in any ARM64 installation

5

I'm trying to use bwrap as part of a build process, and it works fine right now on ubuntu 20.04 and 22.04. However all versions of bwrap are failing on...

Whistlerone

`--bind` can cause bwrap to fail during startup if it races with the mount table changing

6

Try running this in one terminal to cause the mount table to change frequently: ``` $ mkdir from to $ while true; do sudo mount --bind from to && sudo...

artli

Add --cgroup flag for mounting cgroups

2

There is already `--tmpfs`, `--dev`, `--proc`, and `--mqueue` for creating mount points for commonly namespaced mount points for sandboxing. There is also `--unshare-cgroup` which creates the cgroup namespace, but there...

georgyo-js

--die-with-parent is a massive footgun

1

I recently stumbled upon the same issue that was reported in this blog post: https://www.recall.ai/blog/pdeathsig-is-almost-never-what-you-want. The problem is how `PR_SET_PDEATHSIG` works (from [here](https://man7.org/linux/man-pages/man2/PR_SET_PDEATHSIG.2const.html)): > The parent-death signal is sent upon...

thomasjm

Had to replace symlink with ro-bind to get minimal example to work

3

README currently provides the following minimal example using `--symlink` for lib: https://github.com/containers/bubblewrap/blob/9ca3b05ec787acfb4b17bed37db5719fa777834f/README.md?plain=1#L119-L126 As far as I understand it's based on [demos/bubblewrap-shell.sh](https://github.com/containers/bubblewrap/blob/9ca3b05ec787acfb4b17bed37db5719fa777834f/demos/bubblewrap-shell.sh) which also uses `--symlink`. I kept getting bwrap: execvp...

harrypotterIUP

Fearture Request: Landlock

2

Landlock provides fine grained control over individuals files or directories, there are already other sandboxing software that does exactly this like the go written [landrun](https://github.com/Zouuup/landrun) this will be very handy...

andrew-2e128

Hi, I seems to have a bug, we are using autofs in our environment, and when a user or process is running in bubblewrap sandbox context with the bwrap .....

Zohman

This feature implements the logic described by @xyene in https://github.com/containers/bubblewrap/issues/380#issuecomment-2571415032, i.e., instead of ensuring that `CapPrm == 0`, it checks that `CapPrm == CapAmb`.

mxiao-js