bubblewrap

Low-level unprivileged sandboxing tool used by Flatpak and similar projects

Results 185 bubblewrap issues

If the parent process has died already, `PR_SET_PDEATHSIG` is a no-op. I consider this a kernel bug, but there is a workaround: if one knows what the parent process’s PID...

Hey folks, I'm a bit new to this and just learning/playing around with bwrap, so forgive me if there's some very obvious reason for this. Here's a snippet from the...

Please add comparison to [gVisor](https://gvisor.dev/) and [sandbox2](https://developers.google.com/code-sandboxing/sandbox2) in the README.

Hi! Apologies in advance if this isn't really a bug / my findings are wrong. Bubblewrap clones itself to create a child, then clones again and exec's the user binary...

[SECURITY.md](https://github.com/containers/bubblewrap/blob/main/SECURITY.md) clarifies that it is not the task of bwrap to ensure that a real security barrier is created. However, as I understand it, there is a list of seccomp...

Before bwrap was installed setuid (when user namespaces are not supported), it used setcap/file capabilities to acquire the privileges to create the bwrap environment. This was dropped 9 years ago...

bubblewrap's [SECURITY.md](https://github.com/containers/bubblewrap/blob/main/SECURITY.md) points to the no-longer maintained (apart from the release-* branches) c/common repo's SECURITY.md file which mentions emailing podman's security mailing list. So, podman's mailing list will end up...

Hey there, it's about the 9000 args limit! https://github.com/containers/bubblewrap/blob/d6180f25b164c708b8b0a0d86d6a9642f30cd9a9/bubblewrap.c#L1768C1-L1779 **Short issue:** *How to bind a *massive* amount of files, without copying them to a tempfs (I don't want duplicated data)?*...

For example, this program hangs unless I remove the call to `signal` function. ```c #include #include #include int main(void) { signal(SIGCHLD, SIG_IGN); pid_t pid = fork(); if (pid == 0)...

``` # podman run --rm -ti --security-opt seccomp=unconfined quay.io/cgwalters/coreos-assembler bwrap --unshare-pid --unshare-user --bind / / true bwrap: Failed to mount tmpfs: Permission denied ``` This is actually SELinux. See [this...