bubblewrap
Low-level unprivileged sandboxing tool used by Flatpak and similar projects
```
flatpak run org.geany.Geany
bwrap: Can't bind mount /oldroot/var/run/chrome/geany on /newroot/var/run/chrome/geany: Too many levels of symbolic links
```
bubblewrap was configured with
```
./configure \
  --disable-maintainer-mode \
  --disable-man \
  --with-priv-mode=setuid...
```
What do you think about adding a new option to bwrap which will ignore errors when programs attempt to run `chown`? I think it's common in user namespaces to pretend...
Setup:
```
mkdir -p ~/tmp/brw
cd ~/tmp/brw
wget http://cdimage.ubuntu.com/ubuntu-base/releases/trusty/release/ubuntu-base-14.04.5-base-amd64.tar.gz
tar xf ubuntu-base-14.04.5-base-amd64.tar.gz
bwrap --unshare-all --share-net --bind $(pwd) / \
  --gid 0 --uid 0 --chdir / --dir /fs --dev /dev --proc...
```
The Readme says user namespaces are not available to unprivileged users in several production distributions such as CentOS/Red Hat Enterprise Linux 7, Debian Jessie, etc. In CentOS 8 and Debian...
These work:
`bwrap --dev-bind / / --cap-add ALL -- chroot / sh`
`bwrap --dev-bind / / -- bwrap --dev-bind / / -- sh`
This doesn't:
`bwrap --dev-bind / / --cap-add...`
Using a userspace network stack like slirp4netns as an alternative to sharing the network namespace could provide a more secure way to connect sandboxed apps to the internet:
- No abstract sockets...
When running bubblewrap on systems with unprivileged user namespaces available, currently the runtime environment inside the bwrap sandbox does not block access to user namespaces, therefore allowing the sandboxed process...
Hello, I'm interested in using bubblewrap to run a long-term daemon, as a separate user. First, is this an intended use-case? Or is bubblewrap mainly intended to sandbox an...
Applications that legitimately need network access might exploit servers listening on the local network (link-local, loopback, or private IP ranges), which often do not have any authentication, or have insufficient...
Hi, my name is Bob Perper and I'm a developer here at LiteSpeed Technologies. We produce a number of products, but most especially the LiteSpeed and OpenLiteSpeed web servers. We...