containers / bubblewrap

Low-level unprivileged sandboxing tool used by Flatpak and similar projects

Default behaviour of `--cap-drop` #561

Open cgzones opened 1 year ago

cgzones commented 1 year ago

The documentation of --cap-drop states:

By default no caps are left in the sandboxed process.

That seems not to be true:

```console
# id
uid=0(root) gid=0(root) groups=0(root)

# getpcaps $$
14257: =ep

# bwrap --bind / / sh -c 'getpcaps $$'
15598: =ep

# bwrap --bind / / --cap-drop ALL sh -c 'getpcaps $$'
15577: =
```

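A way to check the same thing without trusting either the documentation or a tool's text rendering is to decode the capability bitmasks the kernel exposes in `/proc/<pid>/status`. The script below is an added example, not code from the bubblewrap project or from this issue; it parses the `CapInh`/`CapPrm`/`CapEff`/`CapBnd`/`CapAmb` lines, maps each set bit to its capability name, and reports whether the effective set is actually empty. The two embedded status excerpts are constructed samples (the full mask `000001ffffffffff` corresponds to all 41 capabilities known to Linux 5.9 and later; the zero mask is what `--cap-drop ALL` should produce). The capability numbering table is the upstream Linux one; any capability added after `CAP_CHECKPOINT_RESTORE` (40) is reported as `CAP_<n>`.

```python
"""Decode the capability sets of a process from its /proc/<pid>/status.

Added example for checking what a sandboxed process really holds; it is not
part of bubblewrap.  Run it as `bwrap ... python3 capcheck.py` (file name is
an assumption) to see the sets inside the sandbox.
"""
import re
from typing import Dict, List

# Linux capability numbers, index == capability number (include/uapi/linux/capability.h).
CAP_NAMES: List[str] = [
    "CAP_CHOWN", "CAP_DAC_OVERRIDE", "CAP_DAC_READ_SEARCH", "CAP_FOWNER",
    "CAP_FSETID", "CAP_KILL", "CAP_SETGID", "CAP_SETUID", "CAP_SETPCAP",
    "CAP_LINUX_IMMUTABLE", "CAP_NET_BIND_SERVICE", "CAP_NET_BROADCAST",
    "CAP_NET_ADMIN", "CAP_NET_RAW", "CAP_IPC_LOCK", "CAP_IPC_OWNER",
    "CAP_SYS_MODULE", "CAP_SYS_RAWIO", "CAP_SYS_CHROOT", "CAP_SYS_PTRACE",
    "CAP_SYS_PACCT", "CAP_SYS_ADMIN", "CAP_SYS_BOOT", "CAP_SYS_NICE",
    "CAP_SYS_RESOURCE", "CAP_SYS_TIME", "CAP_SYS_TTY_CONFIG", "CAP_MKNOD",
    "CAP_LEASE", "CAP_AUDIT_WRITE", "CAP_AUDIT_CONTROL", "CAP_SETFCAP",
    "CAP_MAC_OVERRIDE", "CAP_MAC_ADMIN", "CAP_SYSLOG", "CAP_WAKE_ALARM",
    "CAP_BLOCK_SUSPEND", "CAP_AUDIT_READ", "CAP_PERFMON", "CAP_BPF",
    "CAP_CHECKPOINT_RESTORE",
]

_CAP_LINE = re.compile(r"^(Cap(?:Inh|Prm|Eff|Bnd|Amb)):\s*([0-9a-fA-F]+)\s*$")

# Constructed sample: what a root process with every capability looks like
# (the "=ep" case in the transcript above).
SAMPLE_FULL_ROOT = """\
Name:\tsh
Uid:\t0\t0\t0\t0
CapInh:\t0000000000000000
CapPrm:\t000001ffffffffff
CapEff:\t000001ffffffffff
CapBnd:\t000001ffffffffff
CapAmb:\t0000000000000000
"""

# Constructed sample: what `--cap-drop ALL` should produce (the "=" case).
SAMPLE_ALL_DROPPED = """\
Name:\tsh
Uid:\t0\t0\t0\t0
CapInh:\t0000000000000000
CapPrm:\t0000000000000000
CapEff:\t0000000000000000
CapBnd:\t0000000000000000
CapAmb:\t0000000000000000
"""


def parse_cap_sets(status_text: str) -> Dict[str, int]:
    """Return the five capability sets from a /proc/<pid>/status text as ints."""
    sets: Dict[str, int] = {}
    for line in status_text.splitlines():
        m = _CAP_LINE.match(line)
        if m:
            sets[m.group(1)] = int(m.group(2), 16)
    return sets


def cap_names(mask: int) -> List[str]:
    """Expand a capability bitmask into capability names, lowest bit first."""
    names = []
    for bit in range(mask.bit_length()):
        if mask & (1 << bit):
            names.append(CAP_NAMES[bit] if bit < len(CAP_NAMES) else f"CAP_{bit}")
    return names


def effective_caps_are_empty(status_text: str) -> bool:
    """True only if CapEff is present and zero; a missing line is not treated as empty."""
    sets = parse_cap_sets(status_text)
    return "CapEff" in sets and sets["CapEff"] == 0


def describe(status_text: str) -> Dict[str, List[str]]:
    """Human-readable view of every capability set found in the status text."""
    return {name: cap_names(mask) for name, mask in parse_cap_sets(status_text).items()}


def read_own_status() -> str:
    """Read this process's own status file (only works on Linux)."""
    with open("/proc/self/status", encoding="utf-8") as fh:
        return fh.read()


if __name__ == "__main__":
    status = read_own_status()
    for set_name, names in describe(status).items():
        print(f"{set_name}: {', '.join(names) if names else '(empty)'}")
    print("effective set empty:", effective_caps_are_empty(status))
```

The point of decoding `CapEff` rather than only `CapBnd` is that a bounding-set restriction still leaves a root process with whatever is in its effective set; for a sandbox claiming "no caps are left", all five lines should read zero.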
smcv commented 1 year ago

This might be related to #122 and #123.

rusty-snake commented 1 year ago

Similar: #287