Bubblewrap 0.4.0 released, a layer for creating sandboxed environments

A new release of the Bubblewrap toolkit, version 0.4.0, is available. Bubblewrap sets up isolated environments on Linux and operates at the application level, on behalf of unprivileged users. In practice it is used by the Flatpak project as the layer that isolates applications launched from Flatpak packages. The project is written in C and distributed under the LGPLv2+ license.

For isolation, the traditional Linux container technologies are used: cgroups, namespaces, seccomp and SELinux. To perform the privileged container setup operations, Bubblewrap runs as root (a setuid executable) and drops its privileges once the container has been initialized.

User namespaces, which let a container use its own separate set of user and group identifiers, do not have to be enabled on the system, since they are disabled by default in many distributions. Bubblewrap is positioned as a limited setuid implementation of a subset of the user namespaces capabilities: the CLONE_NEWUSER and CLONE_NEWPID namespaces are used so that, from inside the environment, only the current user's identifiers and the sandbox's own processes are visible. For additional protection, programs run under Bubblewrap are launched in PR_SET_NO_NEW_PRIVS mode, which prohibits acquiring new privileges, for example through the setuid bit on an executable.

Filesystem isolation is achieved by creating a new mount namespace by default, in which an empty root filesystem is created on tmpfs. Parts of the host filesystem are attached to this root as bind mounts ("mount --bind") as needed; for example, when launched with "bwrap --ro-bind /usr /usr", the host's /usr is made available inside the sandbox read-only. Networking is limited to the loopback interface: the network stack and the hostname are isolated via the CLONE_NEWNET and CLONE_NEWUTS flags.
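To make the mechanisms of the two preceding paragraphs concrete, here is a small sandbox written for this article with raw syscalls: new user, mount, PID, network and UTS namespaces, an empty tmpfs root with the host's /usr bound read-only, PR_SET_NO_NEW_PRIVS, then exec. It is an added example and not Bubblewrap's code; unlike Bubblewrap it does not use the setuid model, so it assumes a Linux host on which unprivileged user namespaces are enabled, a /usr directory to bind, and a merged-/usr layout (the /bin, /lib and /lib64 symlinks it creates are an assumption about the host, as is the path /tmp for the staging directory). The name minisandbox and all function names are ours.

```c
/* minisandbox.c: an added example, not Bubblewrap's code. Re-creates the isolation steps the
 * article describes. Assumes Linux with unprivileged user namespaces enabled and a merged /usr. */
#define _GNU_SOURCE
#include <fcntl.h>
#include <linux/sched.h>      /* CLONE_* without depending on glibc's _GNU_SOURCE gating */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mount.h>
#include <sys/prctl.h>
#include <sys/stat.h>
#include <sys/statvfs.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <unistd.h>

/* Forbid gaining privileges through setuid or file-capability binaries from now on (the article's
 * PR_SET_NO_NEW_PRIVS mode). Irreversible and inherited across fork/execve. Returns the bit read back. */
int set_no_new_privs(void)
{
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0) return -1;
    return prctl(PR_GET_NO_NEW_PRIVS, 0, 0, 0, 0);
}

/* Flags for remounting a bind mount read-only. Inside a user namespace the kernel locks the
 * nosuid/nodev/noexec/atime flags inherited from the host and a remount that drops one fails with
 * EPERM, so they are carried over. glibc keeps the statvfs f_flag bits equal to the MS_* values. */
unsigned long ro_remount_flags(unsigned long st_flag)
{
    const unsigned long locked = MS_NOSUID | MS_NODEV | MS_NOEXEC | MS_NOATIME | MS_NODIRATIME | MS_RELATIME;
    return MS_BIND | MS_REMOUNT | MS_RDONLY | (st_flag & locked);
}

/* The only map an unprivileged process may write: its own uid and gid to themselves, with
 * setgroups() denied before the kernel accepts the gid map. */
static int map_own_ids(uid_t uid, gid_t gid)
{
    char um[32], gm[32];
    snprintf(um, sizeof um, "%u %u 1\n", (unsigned)uid, (unsigned)uid);
    snprintf(gm, sizeof gm, "%u %u 1\n", (unsigned)gid, (unsigned)gid);
    const char *files[][2] = { { "/proc/self/uid_map", um }, { "/proc/self/setgroups", "deny\n" },
                               { "/proc/self/gid_map", gm } };
    for (size_t i = 0; i < 3; i++) {
        int fd = open(files[i][0], O_WRONLY | O_CLOEXEC);
        if (fd < 0 || write(fd, files[i][1], strlen(files[i][1])) < 0) return -1;
        close(fd);
    }
    return 0;
}

/* Empty tmpfs root with only the host's /usr bound read-only, then pivot_root so the host root is
 * unreachable: the effect of "bwrap --ro-bind /usr /usr", minus the /proc, /dev and /tmp usually added. */
static int build_root(void)
{
    static const char *const links[] = { "usr/lib", "lib", "usr/lib64", "lib64", "usr/bin", "bin" };
    char tmpl[] = "/tmp/minisandbox.XXXXXX", path[sizeof tmpl + 8];   /* staging dir: an assumption */
    struct statvfs st;
    if (!mkdtemp(tmpl)) return -1;
    /* Keep our mounts from propagating back into the host mount namespace. */
    if (mount(NULL, "/", NULL, MS_SLAVE | MS_REC, NULL) < 0) return -1;
    if (mount("tmpfs", tmpl, "tmpfs", MS_NOSUID | MS_NODEV, "mode=0755") < 0) return -1;
    snprintf(path, sizeof path, "%s/usr", tmpl);
    /* MS_RDONLY is ignored when a bind mount is created; read-only takes a second, remount step. */
    if (mkdir(path, 0755) < 0 || mount("/usr", path, NULL, MS_BIND, NULL) < 0) return -1;
    if (statvfs(path, &st) < 0 || mount(NULL, path, NULL, ro_remount_flags(st.f_flag), NULL) < 0) return -1;
    for (size_t i = 0; i < 6; i += 2) {   /* merged-/usr symlinks the dynamic loader expects */
        snprintf(path, sizeof path, "%s/%s", tmpl, links[i + 1]);
        if (symlink(links[i], path) < 0) return -1;
    }
    /* pivot_root(".", ".") stacks the old root beneath the new one; then detach the old root. */
    if (chdir(tmpl) < 0 || syscall(SYS_pivot_root, ".", ".") < 0) return -1;
    if (umount2(".", MNT_DETACH) < 0) return -1;
    return chdir("/");
}

int main(int argc, char **argv)
{
    if (argc < 2) { fprintf(stderr, "usage: %s PROGRAM [ARGS...]\n", argv[0]); return 2; }
    uid_t uid = getuid(); gid_t gid = getgid();   /* read before unshare: afterwards we are unmapped */
    /* One call: the user namespace is created first and owns the others; the pid namespace only
     * applies to children, hence the fork. unshare(2) goes through syscall() for the header reason above. */
    if (syscall(SYS_unshare, CLONE_NEWUSER | CLONE_NEWNS | CLONE_NEWPID | CLONE_NEWNET | CLONE_NEWUTS) < 0) {
        perror("unshare (unprivileged user namespaces disabled?)"); return 1;
    }
    if (map_own_ids(uid, gid) < 0) { perror("id map"); return 1; }
    pid_t child = fork();
    if (child == 0) {
        if (build_root() < 0) { perror("build_root"); _exit(1); }
        if (set_no_new_privs() != 1) { perror("no_new_privs"); _exit(1); }
        execv(argv[1], argv + 1);   /* a path as seen inside the sandbox, e.g. /usr/bin/ls */
        perror("execv"); _exit(127);
    }
    int status;
    if (child < 0 || waitpid(child, &status, 0) < 0) { perror("fork/waitpid"); return 1; }
    return WIFEXITED(status) ? WEXITSTATUS(status) : 1;
}
```

Build with `cc -Wall -o minisandbox minisandbox.c` and run, for example, `./minisandbox /usr/bin/ls /`: the listing shows only bin, lib, lib64 and usr, writes under /usr fail with EROFS, and the process is alone in its PID namespace (though without bwrap's `--proc /proc` a `ps` inside still sees the host's /proc). Two details are worth noting. The read-only step is a remount that repeats the host's locked flags; forgetting that is the classic EPERM when porting a root-only sandbox to user namespaces. And because PR_SET_NO_NEW_PRIVS is set before the exec, a setuid binary bound into the sandbox would run with the caller's identity rather than its owner's, which is exactly the protection the article attributes to that mode.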

The key difference from the similar project Firejail, which also uses a setuid launch model, is that in Bubblewrap the container-creation layer contains only the necessary minimum of functionality; all the advanced functions needed for running graphical applications, interacting with the desktop and filtering PulseAudio calls are delegated to Flatpak and executed after privileges have been dropped. Firejail, on the other hand, combines all related functions in one executable, which makes it harder to audit and to keep secure.

The new release is notable for adding support for joining existing user and PID namespaces; the "--userns", "--userns2" and "--pidns" flags have been added to control this. The feature does not work in setuid mode: it requires the separate mode that runs without root privileges, which in turn needs user namespaces to be enabled on the system (they are disabled by default on Debian and RHEL/CentOS) and does not rule out exploitation of vulnerabilities that may remain in the user namespaces restriction mechanism. Other new features of Bubblewrap 0.4 include the ability to build against the musl C library instead of glibc, and the inclusion of namespace information in the JSON-format status output.

Source: opennet.ru
