Release of Bubblewrap 0.6, a layer for creating isolated environments

The release of Bubblewrap 0.6, a tool for organizing the operation of isolated environments, is available; it is typically used to confine individual applications run by unprivileged users. In practice, Bubblewrap is used by the Flatpak project as a layer for isolating application packages. The project code is written in C and is distributed under the LGPLv2+ license.

Isolation relies on the traditional container virtualization technologies for Linux: cgroups, namespaces, seccomp and SELinux. To perform the privileged container configuration operations, bubblewrap starts with root privileges (an executable with the suid flag) and then drops those privileges once container initialization is complete.

Activation of user namespaces, which would allow a container to use its own separate set of user identifiers, is not required for operation, since they are disabled by default in many distributions (bubblewrap is positioned as a limited suid implementation of a subset of user namespace capabilities: to remove all user and process identifiers from the environment except the current ones, the CLONE_NEWUSER and CLONE_NEWPID modes are used). For additional protection, programs executed under bubblewrap are started in PR_SET_NO_NEW_PRIVS mode, which prohibits acquiring new privileges, for example through a setuid flag.

Isolation at the file system level is achieved by creating a new mount namespace by default, in which an empty root partition is created using tmpfs. If necessary, partitions from the external FS are attached to this root in "mount --bind" mode (for example, when started with the "bwrap --ro-bind /usr /usr" option, the /usr partition is passed through from the main system in read-only mode). Network capabilities are limited to access to the loopback interface, with the network stack isolated through the CLONE_NEWNET and CLONE_NEWUTS flags.

The key difference from the Firejail project, which also uses a setuid launch model, is that the bubblewrap layer for creating containers includes only the necessary minimum of capabilities, and all the extended functions needed to run graphical applications, interact with the desktop and filter calls to PulseAudio are placed on the Flatpak side and executed after privileges have been dropped. Firejail combines all related functions in one executable file, which complicates auditing it and maintaining security at the proper level.

In the new release:

  • Added support for the Meson build system. Building with autotools is still supported, but will be removed in one of the following releases.
  • Implemented the --add-seccomp-fd option for adding more than one seccomp program. Added a warning that when the --seccomp option is specified repeatedly, only the last occurrence takes effect.
  • The master branch in the Git repository has been renamed to main.
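The following script is an added example and not code from the bubblewrap project. It ties together the file system and namespace isolation described above (tmpfs root, /usr passed through read-only, private PID, network and UTS namespaces) and the stacking of seccomp programs via the new --add-seccomp-fd option, and it runs a self-check from inside the sandbox so a defender can confirm the isolation actually holds. It assumes that bwrap is on PATH and that the filter files handed to sandbox_seccomp_args are pre-compiled seccomp BPF programs (hypothetical paths; the filters themselves are not produced here).

```shell
#!/bin/sh
# Added example, not part of bubblewrap. Assumes `bwrap` is installed and
# that any seccomp filter files are already compiled BPF programs.

# Print, one per line, the arguments for a minimal sandbox: empty tmpfs root,
# /usr passed through read-only, private PID/net/UTS namespaces.
sandbox_base_args() {
    printf '%s\n' \
        --ro-bind /usr /usr \
        --symlink usr/lib /lib \
        --symlink usr/lib64 /lib64 \
        --symlink usr/bin /bin \
        --proc /proc \
        --dev /dev \
        --tmpfs /tmp \
        --unshare-pid \
        --unshare-net \
        --unshare-uts \
        --die-with-parent
}

# Print seccomp arguments for one or more filter files. The first program goes
# to --seccomp, every further one to --add-seccomp-fd (bubblewrap 0.6), since
# repeating --seccomp keeps only the last program. The caller must open the
# same descriptors (10, 11, ...) on the files before invoking bwrap.
sandbox_seccomp_args() {
    fd=10
    for _ in "$@"; do
        if [ "$fd" -eq 10 ]; then
            printf '%s\n' --seccomp "$fd"
        else
            printf '%s\n' --add-seccomp-fd "$fd"
        fi
        fd=$((fd + 1))
    done
}

# Lint an argument list read from stdin: count writable binds and --seccomp
# uses, so a policy can be reviewed before the sandbox is ever started.
sandbox_args_summary() {
    awk '
        $0 == "--bind" || $0 == "--dev-bind" { w++ }
        $0 == "--seccomp" { s++ }
        END { printf "writable_binds=%d seccomp=%d\n", w + 0, s + 0 }'
}

# Commands executed *inside* the sandbox; each prints "<check> ok|FAIL".
SANDBOX_SELF_CHECK='
grep -q "^NoNewPrivs:[[:space:]]*1" /proc/self/status \
    && echo "no_new_privs ok" || echo "no_new_privs FAIL"
if touch /usr/.probe 2>/dev/null; then rm -f /usr/.probe; echo "usr_readonly FAIL"
else echo "usr_readonly ok"; fi
[ "$(tail -n +3 /proc/net/dev | wc -l)" -eq 1 ] \
    && echo "loopback_only ok" || echo "loopback_only FAIL"
[ "$(ls -d /proc/[0-9]* | wc -l)" -lt 10 ] \
    && echo "pid_ns ok" || echo "pid_ns FAIL"
'

# Run the self-check inside the sandbox; the return value is the number of
# failed checks (0 means every isolation property was observed).
run_sandbox_self_check() {
    # shellcheck disable=SC2046  # splitting the printed argument list is intended
    out=$(bwrap $(sandbox_base_args) -- /bin/sh -c "$SANDBOX_SELF_CHECK")
    printf '%s\n' "$out"
    fails=$(printf '%s\n' "$out" | grep -c FAIL || true)
    return "$fails"
}

# Usage: `sh sandbox.sh --self-check` runs the checks; to stack two filters,
# run `exec 10<base.bpf 11<extra.bpf` (hypothetical files) and then
# `bwrap $(sandbox_base_args) $(sandbox_seccomp_args base.bpf extra.bpf) -- /bin/sh`.
case "${1:-}" in
    --self-check) run_sandbox_self_check ;;
esac
```

The argument list is kept in a function that prints rather than executes, so the same policy can be linted offline (no writable binds, exactly one --seccomp) and only then handed to bwrap; the self-check reads NoNewPrivs from /proc/self/status and counts interfaces in /proc/net/dev, which are observable from inside any sandbox without extra tools.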
