- Expand upon Bash example as a means to verify the contents of the sandbox filesystem.
- Explain why bubblewrap does not automatically create user namespaces when running with setuid privileges: bubblewrap drops all capabilities within a sandbox such that child tasks cannot gain greater privileges than their parent. The creation of a user namespace adds the SYS_CAP_ADMIN capability to sandboxed processes. The risk of providing SYS_CAP_ADMIN must be weighed against the benefit of isolating user-specific information (e.g. UID/GID) within a user namespace.
- user namespaces only add SYS_CAP_ADMIN inside the namespace and bubblewrap drops all caps again before executing the sandboxed process. Since namespaces are designed to be used by unprivileged users by utilising user namespaces, this will actually be much safer than using it without user namespaces. Best case would be to use bwrap on a kernel with unprivileged user namespaces available, to allow its use without suid. The actual reason bwrap does not use user namespaces by default when running with suid, is that there are some rare use cases that only work outside a user namespace. Those use cases already do not work when bwrap is not installed with suid. Valoq (talk) 10:14, 21 January 2017 (UTC)
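The two items above argue about whether a sandboxed process ends up holding CAP_SYS_ADMIN. The following script is an added example, not code from the wiki page or from the bubblewrap project: it reads the CapEff mask that the kernel reports in /proc/self/status from inside a minimal bwrap sandbox, once without and once with --unshare-user, and decodes whether the CAP_SYS_ADMIN bit (bit 21 of the mask, a kernel constant) is set. The sample status text used by the decoder is constructed; the bwrap invocations only run when bwrap is installed.

```shell
#!/bin/sh
# Added example (not from the wiki page): verify the effective capability set
# of a process inside a bubblewrap sandbox, with and without a user namespace.
# CAP_SYS_ADMIN is capability number 21, i.e. bit 21 of the CapEff mask that
# the kernel prints in /proc/<pid>/status as a 64-bit hexadecimal value.

CAP_SYS_ADMIN_BIT=21

# decode_caps MASK BIT -> prints "set" or "clear" depending on whether the
# capability with number BIT is present in the hexadecimal mask MASK.
decode_caps() {
    mask=$1
    bit=$2
    if [ $(( (0x$mask >> $bit) & 1 )) -eq 1 ]; then
        echo set
    else
        echo clear
    fi
}

# capeff_from_status STATUS_TEXT -> prints the CapEff mask found in the text
# of a /proc/<pid>/status file (passed as a string).
capeff_from_status() {
    printf '%s\n' "$1" | sed -n 's/^CapEff:[[:space:]]*//p'
}

# sandboxed_capeff [bwrap options...] -> prints the CapEff mask observed from
# inside a read-only bwrap sandbox. Requires bwrap on the host; the caller
# chooses whether --unshare-user is among the options.
sandboxed_capeff() {
    capeff_from_status "$(bwrap --ro-bind / / --proc /proc --dev /dev \
        --unshare-pid "$@" cat /proc/self/status)"
}

# report LABEL [bwrap options...] -> human-readable summary for one run
report() {
    label=$1
    shift
    mask=$(sandboxed_capeff "$@")
    echo "$label: CapEff=$mask CAP_SYS_ADMIN=$(decode_caps "$mask" "$CAP_SYS_ADMIN_BIT")"
}

# Only exercise bwrap when it is actually available on this host.
if command -v bwrap >/dev/null 2>&1; then
    report "without user namespace"
    report "with user namespace" --unshare-user
fi
```

Run it as an unprivileged user; a CapEff of all zeros in both runs is what the reply above predicts, since bwrap drops every capability before exec regardless of whether a user namespace was created. The decoder is kept separate from the bwrap call so it can be applied to any saved /proc status output.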
- Introduce seccomp filter generation through libseccomp and include example
- Further differentiate examples? Is goal min examples with max diff? Or simply max examples regardless of duplicated options/values?