NEW253002
[GLib] Use bubblewraps new --disable-userns option when available 
https://bugs.webkit.org/show_bug.cgi?id=253002
Summary [GLib] Use bubblewraps new --disable-userns option when available
Patrick Griffis
Reported 2023-02-27 09:44:16 PST
Bubblewrap 0.8.0 released with a new feature that allows disabling namespaces without relying on syscall filters. This should be more robust and make some classes of exploits impossible. You can see a writeup on this feature here: https://github.com/containers/bubblewrap/pull/488 And usage of it here: https://github.com/flatpak/flatpak/pull/5084 One open question is do we hard depend on bwrap 0.8.0 or conditionally use this feature.
Attachments
Add attachment proposed patch, testcase, etc.
Michael Catanzaro
Comment 1 2023-02-27 11:10:16 PST
(In reply to Patrick Griffis from comment #0) > One open question is do we hard depend on bwrap 0.8.0 or conditionally use > this feature. Definitely should be conditional.
Adrian Perez
Comment 2 2023-02-27 14:07:58 PST
(In reply to Michael Catanzaro from comment #1) > (In reply to Patrick Griffis from comment #0) > > One open question is do we hard depend on bwrap 0.8.0 or conditionally use > > this feature. > > Definitely should be conditional. Or, check the output from “bwrap --version” at runtime. /me hides
Note You need to log in before you can comment on or make changes to this bug.