Азалия Смарагдова
Азалия Смарагдова
Hello everyone! I propose using a private propagation instead of slave one for bind mounts (this is optional and done by --private option). It can theoretically enhance sandbox security as...
Hello everyone! I propose adding Landlock support to Bubblewrap. Landlock is a Linux security module officially introduced in Linux 5.13 kernel version that allows unprivileged processes to impose filesystem self-restrictions....
Hello everyone! I propose enabling a "No New Privileges" restriction and capabilities restrictions to the Waydroid container, as well as adding seccomp and AppArmor profiles. "No New Privileges" is a...
**Is your feature request related to a problem? Please describe.** Currently, AppArmor is widely used on desktops, however, Waydroid doesn't use AppArmor protection and sets the container processes to be...
Hello everyone! I've successfully installed Waydroid and some apps. However, I have a problem with Internet access. When I start the Waydroid session, Internet (both in Waydroid apps and ordinary...
Hello everyone! I propose removing CAP_SYS_MODULE from the capability bounding set. **Explanation**: POSIX capabilities are a way for granular management of superuser privileges in GNU/Linux systems. They allow granting some...
Hello everyone! I propose mounting the /proc directory inside the container with **hidepid=2** option. **Explanation**: The **hidepid** option of the **proc** filesystem restricts access to information about process status. It...
Hello everyone! I propose adding AppArmor profiles for the container. **Explanation**: AppArmor is a mandatory access control feature in the Linux kernel, an alternative to SELinux. It allows to restrict...
Hello everyone! Today, I've looked at the woof-CE source code, and found that it excessively uses insecure protocols that don't verify the integrity of received data and therefore vulnerable to...
Hello everyone! I propose adding the possibility to re-compile the kernel without Internet connection. This can be needed, because Puppy Linux is sometimes used on the old hardware, that may...