bubblewrap

bubblewrap copied to clipboard

I did test this and it works...but I'm a little uncertain about whether it's correct. Netlink scares me :smile: I tried looking at other reference code, but systemd has custom...

cgwalters

Use seccomp instead of setsid() to workaround CVE-2017-5226

37

The setsid() workaround of https://github.com/projectatomic/bubblewrap/pull/143 is problematic, because it e.g. breaks shell job control for bubblewrap instances. So, instead we use a seccomp approach based on: https://github.com/karelzak/util-linux/commit/8e4925016875c6a4f2ab4f833ba66f0fc57396a2 However, since we...

alexlarsson

README.md: Add blurb about what features we expect to expose

1

alexlarsson

Feature request: join network namespace created by 'ip netns create'

7

The `ip` utility has a subcommand to create persistent network namespaces, and to run processes in these namespaces. It would be really handy if bubblewrap could put processes into network...

zackw

`bwrap: unshare user ns: No space left on device`

3

Hi, I recently wrote a [bwrap script for Firefox in bash](https://gitlab.com/TheEvilSkeleton/bubblewrap/-/blob/main/firefox). However, whenever I try to launch it like a normal script or binary, I get the following error: ```...

TheEvilSkeleton

bwrap refuses to run with ambient capabilities

23

When running in podman rootless container launched with `--userns=keep-id` alone, `bwrap` refuses to run with following message: ``` bwrap: Unexpected capabilities but not setuid, old file caps config? ``` However,...

gasinvein

Q: Why am i unable to create functional sandbox?

1

```console kreyren@leonid ~$ cat path/to/script.sh | ix http://ix.io/3Eod kreyren@leonid ~$ ~/Repositories/nix-run/script.sh ls bwrap: execvp ls: No such file or directory ``` This is in GNU Guix's environment trying to re-create...

Kreyren

"Compatibility level" like debhelper?

2

Several `bwrap` options have semantics and defaults that, with hindsight, are perhaps not what we would have wanted. One way to improve on this might be to borrow an idea...

smcv

delegated netns access

11

While we allow the creation of a new netns, we don't allow configuring it, so our current support is "host network" or "none". It would be quite interesting to allow...

cgwalters

Contrary to documentation Bubblewrap leaves mount capability available.

1

The man page states: > By default no caps are left in the sandboxed process. Additionally one would expect `--ro-bind` to prevent writing by the sandboxed process. However when started...

TimothyEBaldwin