Bug 253002 - [GLib] Use bubblewraps new --disable-userns option when available
Summary: [GLib] Use bubblewraps new --disable-userns option when available
Status: NEW
Alias: None
Product: WebKit
Classification: Unclassified
Component: WebKitGTK (show other bugs)
Version: WebKit Nightly Build
Hardware: Unspecified Unspecified
: P2 Normal
Assignee: Nobody
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2023-02-27 09:44 PST by Patrick Griffis
Modified: 2023-02-27 14:07 PST (History)
3 users (show)

See Also:

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Patrick Griffis 2023-02-27 09:44:16 PST 
Bubblewrap 0.8.0 released with a new feature that allows disabling namespaces without relying on syscall filters.

This should be more robust and make some classes of exploits impossible.

You can see a writeup on this feature here: https://github.com/containers/bubblewrap/pull/488
And usage of it here: https://github.com/flatpak/flatpak/pull/5084

One open question is do we hard depend on bwrap 0.8.0 or conditionally use this feature.
Comment 1 Michael Catanzaro 2023-02-27 11:10:16 PST 
(In reply to Patrick Griffis from comment #0)
> One open question is do we hard depend on bwrap 0.8.0 or conditionally use
> this feature.

Definitely should be conditional.
Comment 2 Adrian Perez 2023-02-27 14:07:58 PST 
(In reply to Michael Catanzaro from comment #1)
> (In reply to Patrick Griffis from comment #0)
> > One open question is do we hard depend on bwrap 0.8.0 or conditionally use
> > this feature.
> 
> Definitely should be conditional.

Or, check the output from “bwrap --version” at runtime. 

/me hides