From 58773088ac1ee1fff8a2f1913442d68b2726daf6 Mon Sep 17 00:00:00 2001
From: madaidan
Date: Sat, 21 Sep 2019 06:33:49 -0700
Subject: [PATCH] Mount a new tmpfs on /tmp and drop all capabilities

This mounts a new tmpfs on /tmp so any files residing there would be hidden from the sandbox. Many programs store some files in there that might be useful to an attacker. It also drops all capabilities incase it is ever run with extra capabilities for whatever reason.
---
 .gitlab-ci.yml | 2 +-
 libmat2/subprocess.py | 2 ++
 2 files changed, 3 insertions(+), 1 deletion(-)

diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
index 35bd62d..5713d5b 100644
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@@ -16,7 +16,7 @@ linting:bandit:
 script: # TODO: remove B405 and B314
 - bandit ./mat2 --format txt --skip B101
 - bandit -r ./nautilus/ --format txt --skip B101
- - bandit -r ./libmat2 --format txt --skip B101,B404,B603,B405,B314
+ - bandit -r ./libmat2 --format txt --skip B101,B404,B603,B405,B314,B108
 
 linting:codespell:
 image: $CONTAINER_REGISTRY:linting
diff --git a/libmat2/subprocess.py b/libmat2/subprocess.py
index f1142be..fb6fc9d 100644
--- a/libmat2/subprocess.py
+++ b/libmat2/subprocess.py
@@ -51,6 +51,7 @@ def _get_bwrap_args(tempdir: str,
 ['--dev', '/dev',
 '--proc', '/proc',
 '--chdir', cwd,
+ '--tmpfs', '/tmp',
 '--unshare-user-try',
 '--unshare-ipc',
 '--unshare-pid',
@@ -58,6 +59,7 @@ def _get_bwrap_args(tempdir: str,
 '--unshare-uts',
 '--unshare-cgroup-try',
 '--new-session',
+ '--cap-drop', 'all',
 # XXX: enable --die-with-parent once all supported platforms have
 # a bubblewrap recent enough to support it.
 # '--die-with-parent',
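Review bot: Appending `B108` to the `--skip` list on the changed bandit line silences the hardcoded-tmp-directory check for the whole of `./libmat2`, not just the single `'/tmp'` literal this patch introduces, so a future `open('/tmp/...')` anywhere under libmat2 would pass the linter unflagged. The literal in question is a bwrap mount target rather than a file path the code itself writes to, which is exactly what an inline suppression is for: leave the skip list as it was and annotate the argument in subprocess.py, `'--tmpfs', '/tmp',  # nosec`, adding the test id if the installed bandit accepts one. The TODO above this line already tracks two skips that are meant to be temporary; a blanket B108 skip is likely to outlive its reason.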
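Review bot: bwrap applies mount operations in argument order, so the `--tmpfs /tmp` added after `--chdir cwd` hides anything bound under /tmp earlier in the argument list. `tempdir` (a parameter of `_get_bwrap_args`) and `cwd` are presumably bound into the sandbox somewhere outside this hunk; if either lives under /tmp, which is `tempfile.mkdtemp`'s default, and its bind precedes this point, the sandboxed tool sees an empty directory and cannot read its input. Worth confirming that the `tempdir` bind comes after this argument and recording the constraint next to it: `# Fresh tmpfs over /tmp hides host temp files; any bind that must stay visible under /tmp has to come later in this list.` The `_get_bwrap_args` signature and the start of the argument list are outside the hunk.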
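Review bot: The compatibility caveat in the comment two lines below applies to the new `--cap-drop` as well: `--die-with-parent` is kept off until every supported platform ships a recent enough bubblewrap, yet `'--cap-drop', 'all'` is added unconditionally, and bwrap rejects options it does not know, which would turn every sandboxed conversion into a hard failure instead of merely losing a hardening. Confirm that the oldest bwrap the project supports accepts `--cap-drop` before merging, or gate it the same way `--die-with-parent` is gated. A why-comment would also help, since on a default install bwrap presumably already hands the sandbox no capabilities and this line is belt-and-braces: `# Defence in depth: drop every capability even if bwrap itself was launched with extras.` `_get_bwrap_args` starts before this hunk.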