
Mount a new tmpfs on /tmp and drop all capabilities

This mounts a new tmpfs on /tmp so any files residing there would be hidden
from the sandbox. Many programs store some files in there that might be useful
to an attacker. It also drops all capabilities in case it is ever run with
extra capabilities for whatever reason.
madaidan 2019-09-21 06:33:49 -07:00 committed by jvoisin
parent 3714553185
commit 58773088ac
2 changed files with 3 additions and 1 deletions


@ -51,6 +51,7 @@ def _get_bwrap_args(tempdir: str,
['--dev', '/dev',
'--proc', '/proc',
'--chdir', cwd,
'--tmpfs', '/tmp',
'--unshare-user-try',
'--unshare-ipc',
'--unshare-pid',
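Review bot: check the ordering of `'--tmpfs', '/tmp'` against the bind mount of `tempdir` (the first parameter of `_get_bwrap_args` in this hunk's header). bubblewrap applies mount options in the order given on the command line, so if that temporary directory is itself created under /tmp and its `--bind` appears earlier in the argument list, the fresh tmpfs mounted here will shadow it and the sandboxed process will not see the input file. Either keep the bind after this tmpfs entry or add a short comment next to `'--tmpfs', '/tmp'` explaining why the order is safe.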
@ -58,6 +59,7 @@ def _get_bwrap_args(tempdir: str,
'--unshare-uts',
'--unshare-cgroup-try',
'--new-session',
'--cap-drop', 'all',
# XXX: enable --die-with-parent once all supported platforms have
# a bubblewrap recent enough to support it.
# '--die-with-parent',
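Review bot: the `'--cap-drop', 'all'` entry does what the commit message states, but it deserves a one-line comment like the `--die-with-parent` one just below it, since without context the next reader may not realise it covers the capabilities a process receives inside the user namespace created by `--unshare-user-try` above, not only capabilities inherited when bwrap is started with extra privileges. A style point: the bubblewrap man page spells the wildcard `ALL`; bwrap compares it case-insensitively, so `all` works, but matching the documented spelling makes the intent easier to grep for.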