These work:
bwrap --dev-bind / / --cap-add ALL -- chroot / sh
bwrap --dev-bind / / -- bwrap --dev-bind / / -- sh
This doesn't:
bwrap --dev-bind / / --cap-add ALL -- bwrap --dev-bind / / -- sh
It tells me: bwrap: Unexpected capabilities but not setuid, old file caps config?
I am using bubblewrap from NixOS, so it's not setuid and has no capabilities or other special permissions.
Is this supposed not to work? It seems to be triggered by this piece of code; is it insecure if bubblewrap somehow has capabilities set by a parent bubblewrap? Can't the capabilities somehow be dropped?