[HN Gopher] Bubblewrap: Unprivileged sandboxing tool for Linux
___________________________________________________________________
Author : varbhat
Score : 103 points
Date : 2022-03-27 19:20 UTC (3 hours ago)
| lvass wrote:
| >Also, @cgwalters thinks trying to whitelist file paths is a bad
| idea given the myriad ways users have to manipulate paths, and
| the myriad ways in which system administrators may configure a
| system.
|
| So you either get the entire filesystem or no file access? Isn't
| this a huge dealbreaker for almost everything?
| iancarroll wrote:
| I think this is just a comment on Firejail's implementation, as
| I think Firejail runs as root and thus must enforce its own
| permission checks.
|
| It seems like bubblewrap uses a mount namespace created by the
| current user which would allow controlling access without any
| special checks.
| dj_gitmo wrote:
| I'm running firejail now and it doesn't look like it runs as
| root.
| anderspitman wrote:
| Correct, it is an SUID executable[0], as is bubblewrap.
|
| [0]: https://en.m.wikipedia.org/wiki/Setuid
| emmelaich wrote:
| Better to use selinux than path whitelisting.
| lapinot wrote:
| Does anyone know if it's possible to configure bubblewrap to
| attach to an existing namespace (network namespace in my case)?
| I'm self-hosting stuff and wanted a DIY container runtime but I
| can't seem to isolate stuff from the system and still retain some
| linking between some parts (i.e. doing stuff like what a
| docker-compose file specifies).
| akvadrako wrote:
| This seems to be the best of breed and it's basically the same
| thing used by flatpak.
| makeworld wrote:
| My understanding is that this is exactly what flatpak uses.
| jamesdutc wrote:
| Bubblewrap is a surprisingly useful tool for general system
| administration tasks.
|
| Even though the documentation claims that "[y]ou are unlikely to
| use it directly from the commandline, although that is possible,"
| I use it as a helper tool in this mode very frequently.
|
| This can be very useful for debugging since, for example, you can
| `bwrap --ro-bind / / --tmpfs ~ $SHELL` to get a "clean" shell in
| which you can isolate yourself from the effect of configuration
| dotfiles and can even `--ro-bind my-hosts /etc/hosts` to simulate
| certain system-level state (without requiring a full VM, heavier
| container, or root access.)
|
| Of course, I've also written some simple shell scripts around
| `bwrap` to make this all a bit simpler (since this quickly
| reaches `qemu`-levels of argv proliferation.)
| LinuxBender wrote:
| This looks like a very useful tool especially for isolating old
| unsupported daemons and not having to write really complex
| selinux rules especially in places where others are tempted to
| just set selinux permissive. And not just because I like
| bubblewrap IRL.
|
| I see there are a few usage examples [1] out there. Are there any
| bigger collections of examples that people have run across?
|
| [1] - https://wiki.archlinux.org/title/Bubblewrap
| anderspitman wrote:
| Still requires SUID. It makes no sense to have to increase
| privileges in order to be able to decrease privileges. Any
| process should be able to spawn a child process with strictly
| lesser privileges, including granular cpu, memory, network, and
| filesystem (including path and size restrictions) access. It's
| sad there isn't a simple, standard cross-platform API for doing
| this.
|
| I would be fine having to rewrite my apps to take advantage of
| some fancy capabilities-based security paradigm, but give me
| realistic APIs to do so.
|
| I'm currently experimenting with shipping apps as QEMU VMs,
| packaging QEMU and a minimal kernel with the app. It works
| surprisingly well, even on Windows with full x86 emulation. And
| with their newish WHPX API (basically kvm for Windows) the future
| might be really exciting.
|
| EDIT: Someone on the Firejail thread says bubblewrap can be
| compiled non-SUID and that's the common usage these days. I need
| to look into this more.
| mwcampbell wrote:
| I've also been looking into shipping apps as VM images with a
| minimal kernel. Do you know if WHPX requires the user to have
| admin rights? On the host side, Windows and Mac ports of crosvm
| [1] could be useful. crosvm seems to have all the necessary
| virtio device types, but a greater focus on security than QEMU.
|
| [1]: https://google.github.io/crosvm/
| dang wrote:
| Related:
|
| _Bubblewrap: Unprivileged sandboxing tool_ -
| https://news.ycombinator.com/item?id=12241971 - Aug 2016 (8
| comments)
| skywal_l wrote:
| "How does it compare to firejail?" you were going to ask:
| https://github.com/containers/bubblewrap#related-project-com....
|
| You're welcome.
| mstef wrote:
| Some time ago I made a comparison between different jailing
| tools: https://ctrlc.hu/~stef/jails.txt
___________________________________________________________________
(page generated 2022-03-27 23:00 UTC)