security-and-privacy/mat2
security-and-privacy/mat2
1
0
Fork 0
mirror of synced 2024-11-24 18:24:23 +01:00
Code Releases Activity

Fix bubblewrap

Browse Source 
On some machines (like mine), `/proc` has to be mounted.  Also, since
sandboxing with bubblewrap is best effort and assumes that an attacker doesn't
have control outside of the file to clean, it's safe to __try__ to enable some
bubblewrap features, and to silently fail otherwise.
This commit is contained in:
jvoisin 2019-09-21 14:14:39 +02:00
parent 1678d37856
commit 3714553185
1 changed files with 7 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

8
libmat2/subprocess.py
View File

@ -49,8 +49,14 @@ def _get_bwrap_args(tempdir: str,
args = ro_bind_args + \
['--dev', '/dev',
'--proc', '/proc',
'--chdir', cwd,
'--unshare-all',
'--unshare-user-try',
'--unshare-ipc',
'--unshare-pid',
'--unshare-net',
'--unshare-uts',
'--unshare-cgroup-try',
'--new-session',
# XXX: enable --die-with-parent once all supported platforms have
# a bubblewrap recent enough to support it.