BubbleWrap 0.5.0 released, a layer for creating isolated environments

A release of BubbleWrap 0.5.0 is available, a tool for setting up isolated environments, typically used to confine individual applications run by unprivileged users. In practice, BubbleWrap is used by the Flatpak project as the isolation layer for applications launched from Flatpak packages. The project code is written in C and distributed under the LGPLv2+ license.

Isolation relies on the traditional container virtualization technologies for Linux: cgroups, namespaces, seccomp and SELinux. To perform the privileged operations needed to set up a container, BubbleWrap runs as root (an executable with the suid flag set) and drops its privileges once container initialization is complete.

Enabling user namespaces in the system, which would let a container use its own separate set of user identifiers, is not required, since they are disabled by default in many distributions (BubbleWrap is positioned as a limited suid implementation of a subset of user namespace functionality; to remove all user and process identifiers from the environment except the current ones, the CLONE_NEWUSER and CLONE_NEWPID modes are used). For additional protection, programs executed under bubblewrap run in PR_SET_NO_NEW_PRIVS mode, which prohibits acquiring new privileges, for example through a binary with the setuid flag set.

Isolation at the file system level is achieved by creating a new mount namespace by default, in which an empty root is created on tmpfs. External file system sections are attached to this root in "mount --bind" mode as needed (for example, when started with the "bwrap --ro-bind /usr /usr" option, the /usr section of the host system is passed through in read-only mode). Network capabilities are limited to the loopback interface, with the network stack isolated through the CLONE_NEWNET and CLONE_NEWUTS flags.

The key difference from the Firejail project, which also uses a setuid launch model, is that the BubbleWrap layer for creating containers includes only the necessary minimum of features, while all the extended functions needed to run graphical applications, interact with the desktop and filter requests to PulseAudio are moved to the Flatpak side and executed after privileges have been dropped. Firejail combines all of these features in one executable, which complicates auditing it and maintaining security at the proper level.

The new release adds the options "--chmod" to change access permissions, "--clearenv" to clear the environment variables (except PWD) and "--perms" to set the permissions used when performing the "--bind-data", "--dir", "--file", "--ro-bind-data" and "--tmpfs" operations. Diagnostics of problems that arise when mounting in bind mode have been improved. For zsh, command autocompletion on pressing Tab has been added.
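As an added example (not code from the BubbleWrap project or this article), the script below assembles a bwrap sandbox from the mechanisms described above (empty tmpfs root, read-only bind of /usr, unshared namespaces with loopback-only networking, the new --perms, --chmod and --clearenv options) and then verifies from inside the sandbox that each promised restriction is in effect. It assumes a standard Linux layout where /bin, /lib and /lib64 are symlinks into /usr; the paths under /home/sandbox are arbitrary.

```shell
#!/bin/sh
# Added example, not code from the BubbleWrap project. Assumes a standard
# Linux layout where /bin, /lib and /lib64 are symlinks into /usr.

# bwrap arguments, one per line: empty tmpfs root, /usr bound read-only from
# the host, all namespaces unshared (only loopback networking survives) and a
# scrubbed environment. --perms, --chmod and --clearenv need bwrap >= 0.5.0.
sandbox_args() {
    printf '%s\n' --unshare-all --die-with-parent --new-session \
        --ro-bind /usr /usr --symlink usr/bin /bin \
        --symlink usr/lib /lib --symlink usr/lib64 /lib64 \
        --proc /proc --dev /dev --tmpfs /tmp \
        --perms 0700 --tmpfs /home/sandbox \
        --dir /home/sandbox/work --chmod 0700 /home/sandbox/work \
        --clearenv --setenv PATH /usr/bin:/bin --setenv HOME /home/sandbox \
        --chdir /home/sandbox
}

# Run CMD inside the sandbox. bwrap drops its suid privileges and sets
# PR_SET_NO_NEW_PRIVS before exec'ing CMD, so setuid binaries grant nothing.
sandbox_run() {
    # shellcheck disable=SC2046  # no argument above contains whitespace
    bwrap $(sandbox_args) "$@"
}

# Checks meant to run *inside* the sandbox. Each takes the /proc file to
# inspect, so they can also be exercised on captured copies of those files.
root_is_tmpfs() { awk '$2=="/" && $3=="tmpfs" {f=1} END {exit !f}' "$1"; }
usr_is_ro()     { awk '$2=="/usr" && $4 ~ /(^|,)ro(,|$)/ {f=1} END {exit !f}' "$1"; }
only_loopback() { awk 'NR>2 && $1!="lo:" {n++} END {exit n>0}' "$1"; }
no_new_privs()  { grep -q '^NoNewPrivs:[[:space:]]*1$' "$1"; }

sandbox_check() {
    no_new_privs  /proc/self/status || { echo "new privileges not blocked"; return 1; }
    grep -qx bwrap /proc/1/comm     || { echo "not in a fresh PID namespace"; return 1; }
    root_is_tmpfs /proc/self/mounts || { echo "root is not the empty tmpfs"; return 1; }
    usr_is_ro     /proc/self/mounts || { echo "/usr is writable"; return 1; }
    only_loopback /proc/net/dev     || { echo "extra network interfaces"; return 1; }
    [ -z "${DISPLAY:-}${SSH_AUTH_SOCK:-}" ] || { echo "environment leaked"; return 1; }
    echo "sandbox ok"
}

# Self-test: bind this script read-only into the sandbox and run the checks there.
case "${1:-}" in
    --check)     sandbox_check ;;
    --self-test) sandbox_run --ro-bind "$(readlink -f "$0")" /home/sandbox/check.sh \
                     sh /home/sandbox/check.sh --check ;;
esac
```

Run `sh sandbox.sh --self-test` on a host with bwrap installed; any check that fails names the restriction that did not take effect.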
