Bubblewrap 0.8 released, a layer for creating isolated environments

Bubblewrap 0.8, a toolkit for setting up isolated environments, has been released. It is typically used to confine individual applications run by unprivileged users. In practice, Bubblewrap is used by the Flatpak project as the layer that isolates applications launched from its packages. The project code is written in C and is distributed under the LGPLv2+ licence.

Isolation relies on the container virtualization technologies traditional for Linux: cgroups, namespaces, seccomp and SELinux. To perform the privileged operations needed to set up a container, Bubblewrap is started with root rights (the executable carries the suid flag) and drops its privileges once container initialization is complete.

Enabling user namespaces in the system (user namespaces allow a container to use its own separate set of user identifiers) is not required, since they are disabled by default in many distributions; Bubblewrap is positioned as a limited suid implementation of user namespace functionality. To exclude all user identifiers and processes other than the current ones from the environment, the CLONE_NEWUSER and CLONE_NEWPID modes are used. For additional protection, programs run under Bubblewrap are started in PR_SET_NO_NEW_PRIVS mode, which forbids acquiring new privileges, for example through a setuid flag on an executable.

Isolation at the file-system level is achieved by creating, by default, a new mount namespace in which an empty root is set up on tmpfs. Into this root, parts of the external file system are attached as needed in “mount --bind” mode (for example, when launched as “bwrap --ro-bind /usr /usr”, the host’s /usr directory is passed into the sandbox read-only). Network capabilities are limited to access to the loopback interface, with the network stack isolated through the CLONE_NEWNET and CLONE_NEWUTS flags.

The key difference from the similar Firejail project, which also uses a setuid launch model, is that in Bubblewrap the container-creation layer includes only the necessary minimum of capabilities, while all the extended functions needed to run graphical applications, interact with the desktop and filter PulseAudio requests are moved to the Flatpak side and run only after privileges have been dropped. Firejail, by contrast, combines all related functionality in a single executable, which complicates auditing it and keeping its security at the proper level.

In the new release:

  • Added the “--disable-userns” option, which disables the creation of nested user namespaces inside the sandbox environment.
  • Added the “--assert-userns-disabled” option, which checks that the applied “--disable-userns” option has actually taken effect on the existing user namespace.
  • Better reporting of errors related to CONFIG_SECCOMP and CONFIG_SECCOMP_FILTER being disabled in the kernel.
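As an added example (not code from the Bubblewrap project or from this news item), a launcher script that combines the tmpfs root, read-only bind mounts, namespace unsharing and the new 0.8 options described above, and then verifies the result from inside the sandbox. It assumes a non-setuid bwrap 0.8 or later on PATH, unprivileged user namespaces enabled on the host, and that the bound paths are what the sandboxed program needs.

```shell
#!/bin/sh
# Added example, not code from the Bubblewrap project: a minimal launcher
# that applies the isolation described above and checks it from inside.
# Assumes a non-setuid bwrap 0.8+ on PATH and unprivileged user namespaces
# enabled on the host; the bound paths are assumptions about what the
# sandboxed program needs.

# Emit "--ro-bind SRC SRC" (one word per line) for each host path that
# exists, so the same list works on merged-/usr and split-/usr systems.
ro_bind_present() {
    for p in "$@"; do
        if [ -e "$p" ]; then printf '%s\n' --ro-bind "$p" "$p"; fi
    done
}

# The full bwrap option list, one word per line. bwrap starts from an
# empty tmpfs root, so only what is listed here is visible inside.
bwrap_args() {
    ro_bind_present /usr /lib /lib64 /bin /sbin /etc/ld.so.cache
    printf '%s\n' \
        --proc /proc --dev /dev --tmpfs /tmp \
        --unshare-all \
        --disable-userns \
        --assert-userns-disabled \
        --die-with-parent --new-session
}

# How many times WORD appears as a whole option in the list (for checks).
count_flag() { bwrap_args | grep -c -x -- "$1"; }

# Run COMMAND... inside the sandbox with the list above.
run_sandboxed() {
    old_ifs=$IFS
    IFS='
'
    set -- $(bwrap_args) "$@"
    IFS=$old_ifs
    bwrap "$@"
}

# Checks executed by a shell inside the sandbox: NoNewPrivs must be 1
# (PR_SET_NO_NEW_PRIVS, described above) and creating a nested user
# namespace must fail (--disable-userns). The exit status is the result.
sandbox_selfcheck() {
    run_sandboxed sh -c '
        grep -q "^NoNewPrivs:[[:space:]]*1" /proc/self/status || exit 1
        unshare -U true 2>/dev/null && exit 2
        echo "sandbox self-check passed"'
}
```

Running `sandbox_selfcheck` exits 0 only if both properties hold inside the sandbox; `bwrap` itself already aborts the launch when “--assert-userns-disabled” finds nested user namespaces still creatable.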
