bubblewrap

Low-level unprivileged sandboxing tool used by Flatpak and similar projects

Results 185 bubblewrap issues

Some use cases of bubblewrap want to ensure that the subprocess can't further re-arrange the filesystem namespace, or do other more complex namespace modification. This can be limited by --disable-userns, which...

Add options `--uid-map` and `--gid-map` to map multiple users between child and parent namespace: `bwrap --uid-map ' ...' ...` Relying on shadow `newuidmap` utility, or implementing the same whitelisting logic...

### What I observe: ``` $ touch a_file $ ln -s a_file rel_symlink $ bwrap --bind / / --bind a_file $PWD/rel_symlink /usr/bin/env ls -l $PWD/rel_symlink lrwxrwxrwx 1 robryk users 6...

Excuse my ignorance, I spent quite some time using search engines and I could not find an answer. Is it somehow possible to wrap a program that binds to a...

Found by a static analyzer. ``` bubblewrap-0.4.1/bubblewrap.c:1500: overwrite_var: Overwriting "opt_args_data" in "opt_args_data = load_file_data(the_fd, &data_len)" leaks the storage that "opt_args_data" points to. # 1498| * keep allocated until exit time,...

Bubblewrap is currently hard to use in combination with AppArmor profiles. The root cause of this is that it sets the NO_NEW_PRIVS flag quite early in the process, and if...

I'm proposing this commit to address https://github.com/containers/bubblewrap/issues/369. Instead of the default termination when receiving SIGINT or SIGTERM, this change propagates SIGINT and SIGTERM from the parent to the child.

Added spaces to make the trailing line-continuation slashes all line up in the same column. Also moved a few command-line flags around to group together flags of the same kind. Note...

I've hit the MAX_ARG limit. There doesn't seem to be any reason for it when bwrap is unprivileged.

Read /proc/self/mountinfo only once instead of reading it for every "--bind" flag on the command line.