Use new --disable-userns bubblewrap feature when possible #5084
Force-pushed from d087ed2 to b2d3cd6
Force-pushed from 531c843 to e5c7e25
Note to self for testing uninstalled:
Our seccomp filtering necessarily adds overhead to each system call, which is undesirable for syscall-heavy workloads like graphically intensive games.

This is currently incomplete. It depends on flatpak#5084, but also needs solutions to:

- preventing ioctl TIOCSTI (CVE-2017-5226): at the moment this is done in a relatively crude way via bwrap --new-session
- preventing access to the kernel keyring (see also flatpak#4281): at the moment this is unsolved

Resolves: flatpak#4187
Signed-off-by: Simon McVittie <smcv@collabora.com>
I merged the bwrap code now, so we should try to get this in.
Other than the rebase to a released bwrap this PR looks good to me now
Great, please could you review containers/bubblewrap#545 if you have a chance? I think that one is a bwrap release blocker.
merged that too |
* Improve error message if seccomp is disabled in kernel config
* Add --disable-userns option (needed for flatpak#5084)
* Add --assert-userns-disabled option (needed for flatpak#5084)

Signed-off-by: Simon McVittie <smcv@collabora.com>

Force-pushed from e5c7e25 to 676f49b
Force-pushed from 676f49b to 8da10e9
I'm happy with this if other maintainers are. (@alexlarsson? @mwleeds?)
Force-pushed from 8da10e9 to dbfbad9
Force-pushed from dbfbad9 to 94005b1
This lets us use its new features unconditionally.

Signed-off-by: Simon McVittie <smcv@collabora.com>

This feature (added in containers/bubblewrap#488) allows us to improve the guarantees of disallowing the sandbox to use recursive user namespaces (which is a security risk) compared to the existing limits that use seccomp.

[smcv: Move this to flatpak_run_setup_base_argv() so it will apply equally in apply_extra_data() and `flatpak build`; make the compile-time check for a setuid bwrap into a runtime check]

Co-authored-by: Simon McVittie <smcv@collabora.com>
Signed-off-by: Simon McVittie <smcv@collabora.com>

Force-pushed from 94005b1 to 81a2ef8
Last chance for anyone to object to this, otherwise I'll merge after CI finishes.
[This now depends on #5325. —smcv]
build: Require bubblewrap 0.8.0
From: smcv
This lets us use its new features unconditionally.
Use new --disable-userns bubblewrap feature when possible
From: alexlarsson
This feature (added in containers/bubblewrap#488, "Add an option to disable nested user namespaces by setting limit to 1")
allows us to improve the guarantees of disallowing the sandbox to use
recursive user namespaces (which is a security risk) compared to the
existing limits that use seccomp.
[smcv: Move this to flatpak_run_setup_base_argv() so it will apply
equally in apply_extra_data() and `flatpak build`; make the compile-time
check for a setuid bwrap into a runtime check]
Co-authored-by: smcv
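As an added check (not code from this PR, flatpak or bubblewrap), the script below verifies from outside the sandbox that the guarantee the commit message above describes actually holds: with `--disable-userns`, a nested `unshare(CLONE_NEWUSER)` inside the sandbox must be refused. It assumes `bwrap` (0.8.0 or newer) and util-linux `unshare` are on PATH, and that the host lets an unprivileged user create the outer user namespace; it reports 2 ("cannot test") rather than a verdict when either assumption fails.

```shell
#!/bin/sh
# Added example, not flatpak's or bubblewrap's own code.
# Exit codes of check_userns_disabled:
#   0 = nested user namespaces are blocked by --disable-userns
#   1 = nested user namespaces are NOT blocked (the guarantee is broken)
#   2 = could not test (no bwrap/unshare, bwrap too old for --disable-userns,
#       or the host forbids bwrap from creating an unprivileged user namespace)

# Minimal sandbox: an unprivileged user namespace plus a read-only view of
# the host root, so that /usr/bin/unshare exists inside the sandbox.
SANDBOX_ARGS='--unshare-user --ro-bind / / --proc /proc --dev /dev'

check_userns_disabled() {
    command -v bwrap >/dev/null 2>&1 || return 2
    command -v unshare >/dev/null 2>&1 || return 2

    # Control run: without --disable-userns a nested user namespace must be
    # creatable. If this already fails, the host blocks the outer namespace
    # and nothing can be concluded about the flag.
    # shellcheck disable=SC2086
    bwrap $SANDBOX_ARGS -- unshare -U true >/dev/null 2>&1 || return 2

    # Sanity run: bwrap must accept --disable-userns at all (bubblewrap >= 0.8.0);
    # otherwise an "unknown option" failure would look like a blocked namespace.
    # shellcheck disable=SC2086
    bwrap $SANDBOX_ARGS --disable-userns -- true >/dev/null 2>&1 || return 2

    # Real run: the sandbox's user-namespace limit is now 1, so the same
    # nested unshare must fail. Success here means the protection is missing.
    # shellcheck disable=SC2086
    if bwrap $SANDBOX_ARGS --disable-userns -- unshare -U true >/dev/null 2>&1; then
        return 1
    fi
    return 0
}

# Human-readable wrapper for running the script directly.
report_userns_check() {
    rc=0
    check_userns_disabled || rc=$?
    case $rc in
        0) echo "OK: nested user namespaces are disabled inside the sandbox" ;;
        1) echo "FAIL: nested user namespaces are still allowed inside the sandbox" ;;
        *) echo "SKIP: could not test --disable-userns on this host" ;;
    esac
    return $rc
}
```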