From 37145531854879081fddd6019bdb9ba693210cf2 Mon Sep 17 00:00:00 2001
From: jvoisin
Date: Sat, 21 Sep 2019 14:14:39 +0200
Subject: [PATCH] Fix bubblewrap

On some machines (like mine), `/proc` has to be mounted. Also, since sandboxing with bubblewrap is best effort and assumes that an attacker doesn't have control outside of the file to clean, it's safe to __try__ to enable some bubblewrap features, and to silently fail otherwise.
---
 libmat2/subprocess.py | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/libmat2/subprocess.py b/libmat2/subprocess.py
index cf24176..f1142be 100644
--- a/libmat2/subprocess.py
+++ b/libmat2/subprocess.py
@@ -49,8 +49,14 @@ def _get_bwrap_args(tempdir: str,
 args = ro_bind_args + \
 ['--dev', '/dev',
+ '--proc', '/proc',
 '--chdir', cwd,
- '--unshare-all',
+ '--unshare-user-try',
+ '--unshare-ipc',
+ '--unshare-pid',
+ '--unshare-net',
+ '--unshare-uts',
+ '--unshare-cgroup-try',
 '--new-session',
 # XXX: enable --die-with-parent once all supported platforms have
 # a bubblewrap recent enough to support it.