bubblewrap
Low-level unprivileged sandboxing tool used by Flatpak and similar projects
I actually started recently to mess with renpy to create a minigame, and I do want to sandbox it. I'm using the settings after: There are two problems. First it's...
Some use-cases of bubblewrap want to ensure that the subprocess can't further re-arrange the filesystem namespace, or do other more complex namespace modification. For example, Flatpak wants to prevent sandboxed...
I am trying to wrap an app that needs to set up its own loop device, roughly it does: 1. create a file.img 2. `mknod /dev/loopN ...` (cause `/dev` is either...
Hello, is bwrap suitable for sandboxing apps/users in an LXC environment? If yes - any special flag for it? ``` # su - test -s /usr/bin/bwshell Last login: Mon Mar 30...
Hello everyone! I propose using private propagation instead of a slave one for bind mounts (this is optional and done by the --private option). It can theoretically enhance sandbox security as...
Hello everyone! I propose adding Landlock support to Bubblewrap. Landlock is a Linux security module officially introduced in the Linux 5.13 kernel version that allows unprivileged processes to impose filesystem self-restrictions....
When I run bwrap with `--dev /dev`, I can't listen on a privileged port like 80. Here's an example, with an strace to show that the `bind` system call is...
Hello, for my use case I need to run `bwrap` as the root user with a user namespace that has more than 1 uid in uid_map. I've tried to create a...
Simple example:
```bash
$ bwrap --ro-bind / / --bind . /here true
bwrap: Can't mkdir /here: Read-only file system
```
This can be worked around by creating the target directory...
When bwrap is called with thousands of "--bind" arguments on the command line, it slows down considerably. It looks like /proc/self/mountinfo is parsed for every single "--bind" flag. Must that...