Bug 253002
| Summary: | [GLib] Use bubblewrap's new --disable-userns option when available | | |
|---|---|---|---|
| Product: | WebKit | Reporter: | Patrick Griffis <pgriffis> |
| Component: | WebKitGTK | Assignee: | Nobody <webkit-unassigned> |
| Status: | NEW | | |
| Severity: | Normal | CC: | aperez, bugs-noreply, mcatanzaro |
| Priority: | P2 | | |
| Version: | WebKit Nightly Build | | |
| Hardware: | Unspecified | | |
| OS: | Unspecified | | |
Patrick Griffis
Bubblewrap 0.8.0 released with a new feature that allows disabling namespaces without relying on syscall filters.
This should be more robust and make some classes of exploits impossible.
You can see a writeup on this feature here: https://github.com/containers/bubblewrap/pull/488
And usage of it here: https://github.com/flatpak/flatpak/pull/5084
One open question is do we hard depend on bwrap 0.8.0 or conditionally use this feature.
Michael Catanzaro
(In reply to Patrick Griffis from comment #0)
> One open question is do we hard depend on bwrap 0.8.0 or conditionally use
> this feature.
Definitely should be conditional.
Adrian Perez
(In reply to Michael Catanzaro from comment #1)
> (In reply to Patrick Griffis from comment #0)
> > One open question is do we hard depend on bwrap 0.8.0 or conditionally use
> > this feature.
>
> Definitely should be conditional.
Or, check the output from “bwrap --version” at runtime.
/me hides
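The conditional approach discussed in this thread, as an added example (not WebKit's launcher code and not written by any commenter): parse the `bwrap --version` output numerically and pass `--disable-userns` only for 0.8.0 or newer, treating missing or unparseable output as "not supported". The `sandboxArgs` helper and the sample version strings are constructed for illustration, and the `bubblewrap X.Y.Z` output format is an assumption.

```cpp
#include <cstdio>
#include <string>
#include <tuple>
#include <vector>

using Version = std::tuple<int, int, int>;

// Parse output assumed to look like "bubblewrap 0.8.0". Returns false for
// anything else, so callers fail towards "feature not available".
bool parseBwrapVersion(const std::string& output, Version& version)
{
    int maj = 0, mnr = 0, mic = 0;
    if (std::sscanf(output.c_str(), "bubblewrap %d.%d.%d", &maj, &mnr, &mic) != 3)
        return false;
    if (maj < 0 || mnr < 0 || mic < 0)
        return false;
    version = Version(maj, mnr, mic);
    return true;
}

// --disable-userns arrived in bubblewrap 0.8.0 (per the bug report above).
// Comparing tuples keeps 0.11.0 newer than 0.8.0, which a plain string
// comparison of the version text would get wrong.
bool supportsDisableUserns(const std::string& versionOutput)
{
    Version version;
    return parseBwrapVersion(versionOutput, version) && version >= Version(0, 8, 0);
}

// Hypothetical argument builder. bwrap documents --disable-userns as
// requiring --unshare-user, so the two are only ever emitted together.
std::vector<std::string> sandboxArgs(const std::string& versionOutput)
{
    std::vector<std::string> args { "bwrap", "--unshare-user" };
    if (supportsDisableUserns(versionOutput))
        args.push_back("--disable-userns");
    return args;
}

int main()
{
    // Constructed sample outputs, not captured from a real system.
    const char* samples[] = { "bubblewrap 0.4.1\n", "bubblewrap 0.8.0\n", "bubblewrap 0.11.0\n", "" };
    for (const char* sample : samples)
        std::printf("%-20.17s -> %s\n", sample, supportsDisableUserns(sample) ? "use --disable-userns" : "fall back");
    return 0;
}
```

When the check returns false, the sandbox has to keep relying on whatever mechanism it used before the option existed.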