rusty-snake
commented
4 months ago Expected behavior with kernel.unprivileged_userns_clone = 0 and bwrap-suid. The userns of the sandbox is owned by root and bubblejail has no PTRACE_MODE_READ on it.
Closed random183 closed 4 months ago
rusty-snake
commented
4 months ago Expected behavior with kernel.unprivileged_userns_clone = 0 and bwrap-suid. The userns of the sandbox is owned by root and bubblejail has no PTRACE_MODE_READ on it.
igo95862
commented
4 months ago @rusty-snake is correct. With the SUID bubblewrap the namespace is privileged and no user process can join it.
Maybe I should add a warning to the GUI and man pages about this.
Output of
bubblejail --version0.9.0
Your distro name and version
Archlinux, kernel: 6.9.9-hardened1
Description
Hello, When Bubblejail tries to set up network via slirp4netns, it crashes with the following error: bubblejail_backtrace.txt the parent process tries to read the file
/proc/{pid}/ns/netand gets a permission denied error. On the kernel i'm using, this file (or link) is for some reason not readable from outside the sandbox, but can be read from within the sandbox (tested with a shell inside the sandbox). Perhaps the error can be resolved, if the child process inside the sandbox would read this file then communicate it out via a socket.Thank you. Bubblejail is pretty neat :+1: