Contrary to documentation Bubblewrap leaves mount capability available.

The man page states:

By default no caps are left in the sandboxed process.

Additionally one would expect --ro-bind to prevent writing by the sandboxed process.

However when started by uid 0 this is not the case and files can be written (assuming /tmp is a mount point):

unshare -Ur ./bwrap --ro-bind / / sh -c 'mount -obind,remount,rw /tmp; touch /tmp/test'

unshare -Ur ./bwrap --unshare-user --ro-bind / / sh -c 'mount -obind,remount,rw /tmp; touch /tmp/test'

This is supported by the comment on line 697 of bubblewrap.c.

If our uid is 0, default to inheriting all caps; the caller can drop them via --cap-drop. This is used by at least rpm-ostree. Note this needs to happen before the argument parsing of --cap-drop.

So should bwrap behave as documented, or should the documentation be fixed?

Also if caps are explicitly added: ./bwrap --unshare-user --uid 0 --cap-add ALL --ro-bind / / sh -c 'mount -obind,remount,rw /tmp; touch /tmp/test'

This could avoided by creating the final user namespace after setting up the mounts, which one might expect, but this creates other problems:

Unshare PID before unshare USER, PID namespace is owned by wrong user namespace.
Mount /proc before unshare PID, /proc has wrong PID namespace.
Unshare USER before mount /proc, /proc can be unmounted.

I suggest that this is documented, with a workaround of nesting bwrap.

containers / bubblewrap

Contrary to documentation Bubblewrap leaves mount capability available. #287