Open TimothyEBaldwin opened 6 years ago
LOL
$ bwrap --dev-bind / / cat /proc/self/status | grep Cap
CapInh: 0000000000000000
CapPrm: 0000000000000000
CapEff: 0000000000000000
CapBnd: 0000000000000000
CapAmb: 0000000000000000
$ unshare -r bwrap --dev-bind / / cat /proc/self/status | grep Cap
CapInh: 0000000000000000
CapPrm: 000001ffffffffff
CapEff: 000001ffffffffff
CapBnd: 000001ffffffffff
CapAmb: 0000000000000000
$ unshare -r bwrap --dev-bind / / --cap-drop ALL cat /proc/self/status | grep Cap
CapInh: 0000000000000000
CapPrm: 0000000000000000
CapEff: 0000000000000000
CapBnd: 000001ffffffffff
CapAmb: 0000000000000000
edit: Fedora 34, bubblewrap 0.4.1 non-suid
The man page states:
Additionally one would expect --ro-bind to prevent writing by the sandboxed process. However when started by uid 0 this is not the case and files can be written (assuming /tmp is a mount point):
unshare -Ur ./bwrap --ro-bind / / sh -c 'mount -obind,remount,rw /tmp; touch /tmp/test'
unshare -Ur ./bwrap --unshare-user --ro-bind / / sh -c 'mount -obind,remount,rw /tmp; touch /tmp/test'
This is supported by the comment on line 697 of bubblewrap.c.
So should bwrap behave as documented, or should the documentation be fixed? Also if caps are explicitly added:
./bwrap --unshare-user --uid 0 --cap-add ALL --ro-bind / / sh -c 'mount -obind,remount,rw /tmp; touch /tmp/test'
This could be avoided by creating the final user namespace after setting up the mounts, which one might expect, but this creates other problems:
I suggest that this is documented, with a workaround of nesting bwrap.
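An added check, not code from the issue or from bubblewrap, that decodes the Cap* lines shown in the outputs above into capability names and classifies the three states the issue reports (live caps, bounding set still full after --cap-drop ALL, and fully clean); the bit numbering is the kernel's, and the sample status text is constructed from the outputs above.

```python
import re

# Capability names indexed by kernel bit number (CAP_CHOWN = 0 ... CAP_CHECKPOINT_RESTORE = 40).
# Bits 0..40 all set give the 000001ffffffffff mask seen in the issue.
CAP_NAMES = [
    "chown", "dac_override", "dac_read_search", "fowner", "fsetid", "kill",
    "setgid", "setuid", "setpcap", "linux_immutable", "net_bind_service",
    "net_broadcast", "net_admin", "net_raw", "ipc_lock", "ipc_owner",
    "sys_module", "sys_rawio", "sys_chroot", "sys_ptrace", "sys_pacct",
    "sys_admin", "sys_boot", "sys_nice", "sys_resource", "sys_time",
    "sys_tty_config", "mknod", "lease", "audit_write", "audit_control",
    "setfcap", "mac_override", "mac_admin", "syslog", "wake_alarm",
    "block_suspend", "audit_read", "perfmon", "bpf", "checkpoint_restore",
]

# Constructed from the `unshare -r bwrap ... --cap-drop ALL` output in the issue.
SAMPLE_STATUS = """Name:\tcat
CapInh:\t0000000000000000
CapPrm:\t0000000000000000
CapEff:\t0000000000000000
CapBnd:\t000001ffffffffff
CapAmb:\t0000000000000000
"""


def parse_caps(status_text):
    """Return {'CapInh': int, ...} from the Cap* lines of a /proc/<pid>/status dump."""
    caps = {}
    for m in re.finditer(r"^(Cap\w+):\s*([0-9a-fA-F]+)\s*$", status_text, re.M):
        caps[m.group(1)] = int(m.group(2), 16)
    return caps


def cap_names(mask):
    """Expand a capability bitmask into capability names (unknown bits as cap_N)."""
    return [CAP_NAMES[i] if i < len(CAP_NAMES) else f"cap_{i}"
            for i in range(mask.bit_length()) if (mask >> i) & 1]


def sandbox_verdict(status_text):
    """'effective' if any capability is permitted or effective, 'bounding-only' if
    Prm/Eff are empty but CapBnd still allows caps, 'clean' if every set is empty."""
    caps = parse_caps(status_text)
    if caps.get("CapEff", 0) or caps.get("CapPrm", 0):
        return "effective"
    if caps.get("CapBnd", 0):
        return "bounding-only"
    return "clean"
```

Run it against /proc/<pid>/status of the sandboxed process; a "clean" verdict is what the first (non-root) invocation in the issue shows, while the --cap-drop ALL case only reaches "bounding-only".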