Bug 253002

Summary: [GLib] Use bubblewrap's new --disable-userns option when available
Product: WebKit
Component: WebKitGTK
Status: NEW
Severity: Normal
Priority: P2
Version: WebKit Nightly Build
Hardware: Unspecified
OS: Unspecified
Reporter: Patrick Griffis <pgriffis>
Assignee: Nobody <webkit-unassigned>
CC: aperez, bugs-noreply, mcatanzaro

Description Patrick Griffis 2023-02-27 09:44:16 PST
Bubblewrap 0.8.0 released with a new feature that allows disabling namespaces without relying on syscall filters.

This should be more robust and make some classes of exploits impossible.

You can see a writeup on this feature here: https://github.com/containers/bubblewrap/pull/488
And usage of it here: https://github.com/flatpak/flatpak/pull/5084

One open question is do we hard depend on bwrap 0.8.0 or conditionally use this feature.
Comment 1 Michael Catanzaro 2023-02-27 11:10:16 PST
(In reply to Patrick Griffis from comment #0)
> One open question is do we hard depend on bwrap 0.8.0 or conditionally use
> this feature.

Definitely should be conditional.
Comment 2 Adrian Perez 2023-02-27 14:07:58 PST
(In reply to Michael Catanzaro from comment #1)
> (In reply to Patrick Griffis from comment #0)
> > One open question is do we hard depend on bwrap 0.8.0 or conditionally use
> > this feature.
> 
> Definitely should be conditional.

Or, check the output from “bwrap --version” at runtime. 

/me hides
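
A sketch of the runtime check discussed in this thread, added here as an example; it is not WebKit's code and not from any commenter. It assumes `bwrap --version` prints a line of the form `bubblewrap 0.8.0`, uses the 0.8.0 threshold from the description, and all helper names are hypothetical. Unparseable or missing output leaves the flag off, so an older bwrap is never handed an option it does not know.

```cpp
// Added example; helper names are hypothetical, not WebKit's.
#include <cstdio>
#include <sstream>
#include <string>
#include <tuple>
#include <vector>

using Version = std::tuple<int, int, int>;

// Parses "bubblewrap MAJOR.MINOR.MICRO" (assumed format); false on anything else.
static bool parseBwrapVersion(const std::string& output, Version& out)
{
    std::istringstream in(output);
    std::string name;
    int major = 0, minor = 0, micro = 0;
    char dot1 = 0, dot2 = 0;
    if (!(in >> name >> major >> dot1 >> minor >> dot2 >> micro))
        return false;
    if (name != "bubblewrap" || dot1 != '.' || dot2 != '.' || major < 0 || minor < 0 || micro < 0)
        return false;
    out = Version(major, minor, micro);
    return true;
}

// Numeric tuple comparison, so 0.10.0 sorts after 0.8.0 (a string compare would not).
static bool bwrapSupportsDisableUserns(const std::string& versionOutput)
{
    Version v;
    return parseBwrapVersion(versionOutput, v) && v >= Version(0, 8, 0);
}

static std::vector<std::string> sandboxArgs(const std::string& versionOutput)
{
    // Illustrative argument list only; a real sandbox passes many more options.
    std::vector<std::string> args = { "bwrap", "--unshare-user" };
    if (bwrapSupportsDisableUserns(versionOutput))
        args.push_back("--disable-userns"); // left out for older or unknown bwrap
    return args;
}

int main()
{
    std::string output; // stays empty if bwrap is not installed
    if (FILE* pipe = popen("bwrap --version 2>/dev/null", "r")) {
        char buffer[128];
        while (fgets(buffer, sizeof buffer, pipe))
            output += buffer;
        pclose(pipe);
    }
    std::printf("--disable-userns %s\n", bwrapSupportsDisableUserns(output) ? "enabled" : "skipped");
}
```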