Paragis
I also would like to know if there is any progress with this. Since Electron 6 there is a sandbox mode by default, which requires the ability to run suid files....
After playing a little bit with the kernel.unprivileged_userns_clone flag I was wondering if this could be useful. When running a kernel with unprivileged user namespaces disabled, a suid bwrap cannot...
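A quick way to see which of the two mechanisms this thread is weighing a given host actually offers, added here as an example and not code from the thread, from bubblewrap or from Electron: it reads the `kernel.unprivileged_userns_clone` sysctl (a Debian/Ubuntu/Arch-hardened kernel patch; mainline kernels lack that file and gate the feature through `user.max_user_namespaces`) and checks whether the `bwrap` binary carries the setuid bit. The sysctl names and default paths are real; the decision logic and the messages are this example's own. Paths are parameters so the logic can be exercised on constructed files.

```shell
#!/bin/sh
# Added example (not from the thread): classify how bubblewrap can be started
# on this host. Every path has a real default but may be overridden for testing.

# Print 1 if an unprivileged process may create user namespaces, else 0.
#   $1: path of kernel.unprivileged_userns_clone (distro patch, may not exist)
#   $2: path of user.max_user_namespaces (mainline; 0 disables the feature)
userns_allowed() {
    clone_file="${1:-/proc/sys/kernel/unprivileged_userns_clone}"
    max_file="${2:-/proc/sys/user/max_user_namespaces}"
    if [ -r "$clone_file" ]; then
        # Patched kernel: the flag is authoritative.
        [ "$(cat "$clone_file")" = "1" ] && echo 1 || echo 0
        return 0
    fi
    if [ -r "$max_file" ] && [ "$(cat "$max_file")" = "0" ]; then
        echo 0
        return 0
    fi
    # Mainline kernel with no patch and a non-zero limit: allowed.
    echo 1
}

# Print "setuid", "plain" or "missing" for the bwrap binary at $1
# (default: whatever is first on PATH).
bwrap_mode() {
    bin="${1:-$(command -v bwrap || true)}"
    if [ -z "$bin" ] || [ ! -x "$bin" ]; then
        echo missing
    elif [ -u "$bin" ]; then
        echo setuid
    else
        echo plain
    fi
}

# Combine both checks. A non-setuid bwrap depends on unprivileged user
# namespaces; a setuid-root bwrap has CAP_SYS_ADMIN and may create the
# namespace even when unprivileged creation is switched off.
#   $1, $2: sysctl paths as for userns_allowed; $3: bwrap path
sandbox_verdict() {
    allowed="$(userns_allowed "$1" "$2")"
    mode="$(bwrap_mode "$3")"
    case "$allowed/$mode" in
        */missing) echo "fail: bwrap not found" ;;
        1/*)       echo "ok: unprivileged user namespaces allowed ($mode bwrap)" ;;
        0/setuid)  echo "ok: user namespaces need privilege, setuid bwrap provides it" ;;
        0/plain)   echo "fail: user namespaces need privilege and bwrap is not setuid" ;;
    esac
}

# Stand-alone use: report on the current host.
sandbox_verdict
```

Run it as a normal user; on a kernel where the patch flag is `0` and `bwrap` is installed without the setuid bit it reports the failing combination, which is the situation the comment above describes. Note that even when the verdict is "ok", a hardening setting elsewhere (a seccomp filter, an LSM policy or a `nosuid` mount) can still block the actual call; this script only reads the two knobs it names.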
Thanks for the comment. Regarding the first idea with setting the ns flag, I agree. In regard to the capability option, I am not sure if I am misunderstood. There...
Thinking about this, option 3 is only secure if the caps are dropped by default, which is probably why this is what bwrap does ... This still reduces the...
> > The user namespace capability is used on all sandbox tools (bwrap, chrome-sandbox, etc.), allowing bwrap to run as an unprivileged* process with the option to not drop this capability to...
Thanks for explaining.