For isolation, traditional Linux container virtualization technologies are used: cgroups, namespaces, Seccomp and SELinux. To perform the privileged container setup operations, Bubblewrap runs as root (it is a setuid executable) and drops its privileges once the container has been initialized.
Enabling user namespaces, which would allow a container to use its own separate set of user and group identifiers, is not required, since they are disabled by default in many distributions (Bubblewrap positions itself as a limited setuid implementation of a subset of user-namespace capabilities: to hide all user and process identifiers other than the current one from the environment, the CLONE_NEWUSER and CLONE_NEWPID modes are used). For additional protection, programs launched under Bubblewrap run in PR_SET_NO_NEW_PRIVS mode, which prevents them from acquiring new privileges, for example through the setuid bit.
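To make the PR_SET_NO_NEW_PRIVS step concrete, here is an added example of a minimal launcher that applies the flag and then execs a program, the same ordering a sandbox helper uses. This is illustrative code written for this article, not Bubblewrap's source; it assumes a Linux system with a kernel new enough to expose "NoNewPrivs:" in /proc/self/status, and the helper names (apply_no_new_privs, query_no_new_privs, status_no_new_privs) are ours.

```c
/* Added example, not Bubblewrap source: set no_new_privs, verify it two
 * ways, then exec the requested program under that restriction. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/prctl.h>

/* Set no_new_privs on the calling process. Returns 0 on success, -1 on error.
 * Once set, the flag is inherited across fork() and exec and cannot be cleared,
 * and execve() will no longer grant privileges from setuid/setgid bits or file
 * capabilities. No special privilege is needed to set it. */
int apply_no_new_privs(void)
{
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0) {
        perror("prctl(PR_SET_NO_NEW_PRIVS)");
        return -1;
    }
    return 0;
}

/* Query the flag through prctl: 1 if set, 0 if not, -1 on error. */
int query_no_new_privs(void)
{
    return prctl(PR_GET_NO_NEW_PRIVS, 0, 0, 0, 0);
}

/* Independent check: parse the "NoNewPrivs:" line of /proc/self/status.
 * Returns 0 or 1, or -1 if the line is missing or the file is unreadable. */
int status_no_new_privs(void)
{
    FILE *f = fopen("/proc/self/status", "r");
    if (!f)
        return -1;
    char line[256];
    int value = -1;
    while (fgets(line, sizeof line, f)) {
        if (strncmp(line, "NoNewPrivs:", 11) == 0) {
            value = atoi(line + 11);
            break;
        }
    }
    fclose(f);
    return value;
}

int main(int argc, char **argv)
{
    if (argc < 2) {
        fprintf(stderr, "usage: %s PROGRAM [ARGS...]\n", argv[0]);
        return 2;
    }
    if (apply_no_new_privs() != 0)
        return 1;
    fprintf(stderr, "no_new_privs=%d (prctl) %d (/proc/self/status)\n",
            query_no_new_privs(), status_no_new_privs());
    /* From here on, anything exec'd (including a setuid binary such as
     * passwd or sudo) runs with the caller's credentials only. */
    execvp(argv[1], argv + 1);
    perror("execvp");
    return 127;
}
```

Running the launcher as an unprivileged user with a setuid program as its argument is a quick way to observe the effect: the program starts, but the kernel does not raise its effective UID, so operations that rely on the setuid bit fail. The flag is also what makes a seccomp filter installable without CAP_SYS_ADMIN, which is why sandbox helpers set it before applying their filters.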
Isolation at the filesystem level is achieved by creating a new mount namespace by default, in which an empty root filesystem is created on tmpfs. Where needed, directories from the host filesystem are attached to this root in "mount --bind" mode (for example, starting with the "bwrap --ro-bind /usr /usr" option makes the host's /usr available inside the container read-only). Networking is limited to the loopback interface, with the network stack isolated via the CLONE_NEWNET and CLONE_NEWUTS flags.
The key difference from a similar project
The new release is notable for adding support for joining existing user namespaces and PID namespaces. The "--userns", "--userns2" and "--pidns" flags have been added to control which namespaces are joined.
This feature does not work in setuid mode and requires a separate mode that can operate without root rights but needs user namespaces to be enabled on the system (they are disabled by default on Debian and RHEL/CentOS) and does not exclude the possibility
Source: opennet.ru