bubblewrap

bubblewrap copied to clipboard

bwrap can exit while overlayfs upper directory is still busy, preventing reuse in a subsequent command

5

Greetings, I have encountered some issues when using bwrap's native overlay options in constrast to fuse-overlayfs, these issues stem from the lack of a lazy unmount option. Bwrap overlayfs upper...

ruanformigoni

Tidy up handling of intermediate pid fds

1

* Use PIPE_READ_END, PIPE_WRITE_END to clarify use of a socketpair Both sockets in the socket pair are technically bidirectional, but we are using them as though they were unidirectional, with...

smcv

Consistently use cleanup_fdp() to close fds when the result is ignored

1

This avoids leaving dangling references to fds that no longer exist, clarifying ownership. This commit does not cover the socket pairs used to transfer the pid of a descendant process...

smcv

Tidy handling of privileged operation fds

1

Similar to #665, but for the socket pair that communicates privileged operations between the temporary unprivileged child and the privileged parent when we are setuid root. * Use PIPE_READ_END, PIPE_WRITE_END...

smcv

The util-linux packages are an official set of programs developed under the Linux organization. They are also preinstalled on pretty much every system as they contain e.g. `agetty`, `login`, and...

septatrix

Support scoping abstract unix sockets

4

Closes: https://github.com/containers/bubblewrap/issues/330

WavyEbuilder

Reset SIGCHLD action to SIG_DFL

4

Some applications, like Erlang, call sigaction for SIGCHLD with `sa.sa_action = SIG_IGN`, this causes bwrap never read child process exit status from signalfd. That behavior is explained in the function...

joelpelaez

Add support for Landlock

2

It would be great if Bubblewrap could integrate Landlock for path-based security restrictions inside the sandbox. Currently, Bubblewrap isolates processes using namespaces and mount points, but it lacks a mechanism...

arch-hash

Added --sys argument for mounting sysfs

2

Greetings, I needed this feature (sysfs) for my own use-case and decided to implement it. My goal is to do networking experiments inside of a container, as well as to...

schreiberstein

locally-written launch script unexpectedly allows sandboxed app to overwrite its own .desktop file

6

I'm running Telegram binary software under bwrap with limited access to file system. But one in a while I see telegram some how replace my starter desktop file with it's...

axet