Fix bubblewrap
On some machines (like mine), `/proc` has to be mounted. Also, since sandboxing with bubblewrap is best effort and assumes that an attacker doesn't have control outside of the file to clean, it's safe to __try__ to enable some bubblewrap features, and to silently fail otherwise.
This commit is contained in:
parent
1678d37856
commit
3714553185
@ -49,8 +49,14 @@ def _get_bwrap_args(tempdir: str,
|
||||
|
||||
args = ro_bind_args + \
|
||||
['--dev', '/dev',
|
||||
'--proc', '/proc',
|
||||
'--chdir', cwd,
|
||||
'--unshare-all',
|
||||
'--unshare-user-try',
|
||||
'--unshare-ipc',
|
||||
'--unshare-pid',
|
||||
'--unshare-net',
|
||||
'--unshare-uts',
|
||||
'--unshare-cgroup-try',
|
||||
'--new-session',
|
||||
# XXX: enable --die-with-parent once all supported platforms have
|
||||
# a bubblewrap recent enough to support it.
|
||||
|
Loading…
x
Reference in New Issue
Block a user