Bubblewrap 0.11 Launches, Adds Isolation Layers

Bubblewrap 0.11 has been released. Bubblewrap is a toolkit for running isolated environments and is used to restrict individual applications of unprivileged users. In practice, Bubblewrap is used by the Flatpak project as a layer to isolate applications launched from packages. Isolation relies on container virtualization technologies based on cgroups, namespaces, Seccomp and SELinux. The project code is written in C and is distributed under the LGPLv2+ license.

Bubblewrap starts with root privileges (the executable carries the SUID flag) and drops those privileges once the container has been initialized and configured. Instead of relying on user namespaces, which are disabled by default in most distributions, Bubblewrap provides a SUID implementation of a subset of user namespace capabilities. Additionally, to exclude all unnecessary user identifiers and processes from the isolated environment, the CLONE_NEWUSER (user namespace) and CLONE_NEWPID (PID namespace) modes can be used. For additional protection, programs are launched in PR_SET_NO_NEW_PRIVS mode, which prohibits gaining new privileges, for example through the setuid flag.

Isolation at the file system level is implemented by creating, by default, a new mount namespace in which an empty root partition is created using tmpfs. If necessary, partitions of the external file system are attached to this root in "mount --bind" mode (for example, when launched with the option "bwrap --ro-bind /usr /usr", the /usr partition is passed through from the main system read-only). Network capabilities are limited to access to the loopback interface, with the network stack isolated through the CLONE_NEWNET and CLONE_NEWUTS flags.
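As an added example (not part of the original article and not Bubblewrap's own code), the Python below audits whether a process shows the properties described above: no_new_privs set, namespaces separate from the host, and only the loopback interface visible. It assumes the inputs were collected from `/proc/<pid>/status`, the `/proc/<pid>/ns/*` links and `/proc/<pid>/net/dev`; the function names, the policy of expecting all five namespaces, and the sample data are constructed for illustration.

```python
# Assumed policy: the namespaces the article lists (mount, user, PID, network, UTS).
EXPECTED_NS = ("mnt", "user", "pid", "net", "uts")

def parse_status(text):
    """Parse /proc/<pid>/status text into a {field: value} dict."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip()] = value.strip()
    return fields

def interfaces(net_dev_text):
    """Interface names from /proc/<pid>/net/dev; the first two lines are headers."""
    rows = net_dev_text.splitlines()[2:]
    return [row.split(":", 1)[0].strip() for row in rows if ":" in row]

def audit(status_text, host_ns, proc_ns, net_dev_text):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    if parse_status(status_text).get("NoNewPrivs") != "1":
        findings.append("no_new_privs is not set")
    for ns in EXPECTED_NS:
        if proc_ns.get(ns) is None or proc_ns[ns] == host_ns.get(ns):
            findings.append(f"{ns} namespace is not separate from the host")
    extra = [name for name in interfaces(net_dev_text) if name != "lo"]
    if extra:
        findings.append("non-loopback interfaces visible: " + ", ".join(extra))
    return findings

# Constructed sample data (not captured from a real system).
HOST_NS = {"mnt": "mnt:[4026531841]", "user": "user:[4026531837]",
           "pid": "pid:[4026531836]", "net": "net:[4026531840]",
           "uts": "uts:[4026531838]"}
SANDBOX_NS = {"mnt": "mnt:[4026532501]", "user": "user:[4026532500]",
              "pid": "pid:[4026532503]", "net": "net:[4026532505]",
              "uts": "uts:[4026532502]"}
NET_HEADER = ("Inter-|   Receive                |  Transmit\n"
              " face |bytes    packets errs drop|bytes    packets errs drop\n")
SANDBOX_STATUS = "Name:\tsh\nPid:\t2\nNoNewPrivs:\t1\nSeccomp:\t2\n"
SANDBOX_NET = NET_HEADER + "    lo:       0       0    0    0       0       0    0    0\n"
# Misconfigured case: network namespace shared with the host, no_new_privs missing.
LEAKY_NS = dict(SANDBOX_NS, net=HOST_NS["net"])
LEAKY_STATUS = "Name:\tsh\nPid:\t2\nNoNewPrivs:\t0\n"
LEAKY_NET = SANDBOX_NET + "  eth0:    5120      40    0    0    2048      31    0    0\n"

if __name__ == "__main__":
    print(audit(SANDBOX_STATUS, HOST_NS, SANDBOX_NS, SANDBOX_NET))
    for finding in audit(LEAKY_STATUS, HOST_NS, LEAKY_NS, LEAKY_NET):
        print("FINDING:", finding)
```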

The key difference from the similar Firejail project, which also uses a setuid launch model, is that in Bubblewrap the container-creation layer includes only the minimum necessary capabilities, while all the extended functions needed for launching graphical applications, interacting with the desktop and filtering requests to PulseAudio are moved to the Flatpak side and are performed after privileges have been dropped. Firejail combines all related functions in one executable file, which complicates its audit and maintaining security at the proper
