Release of Bubblewrap 0.6, a layer for creating sandboxed environments

Bubblewrap 0.6, a sandboxing toolkit used to isolate individual applications run by unprivileged users, is now available. In practice, Bubblewrap is used by the Flatpak project as the layer that isolates applications launched from packages. The project code is written in C and distributed under the LGPLv2+ license.

For isolation, the usual Linux container virtualization technologies are used: cgroups, namespaces, seccomp and SELinux. To perform the privileged operations needed to set up a container, Bubblewrap runs as root (the executable carries the setuid flag) and drops its privileges once the container has been initialized.

Enabling user namespaces, which let containers use their own separate set of identifiers, is not required, since user namespaces are disabled by default in many distributions (Bubblewrap positions itself as a limited setuid implementation of a subset of user-namespace capabilities; to hide all user and process IDs from the environment except the current ones, the CLONE_NEWUSER and CLONE_NEWPID modes are used). For additional protection, programs running under Bubblewrap run in PR_SET_NO_NEW_PRIVS mode, which prevents them from acquiring new privileges, for example through a setuid binary.

Filesystem-level isolation is achieved by creating a new mount namespace by default, in which an empty root is created on tmpfs. If necessary, parts of an external filesystem are attached to this root in "mount --bind" mode (for example, when started with the "bwrap --ro-bind /usr /usr" option, the host's /usr is mapped into the sandbox read-only). Networking is limited to the loopback interface, with network stack isolation provided via the CLONE_NEWNET and CLONE_NEWUTS flags.
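As an added example (not code from the article or from the Bubblewrap project), the following shell wrapper turns the description above into a working invocation: an empty tmpfs root, host directories attached read-only with --ro-bind, and the other namespaces unshared. It assumes bwrap 0.6 is installed, a usr-merged host (/bin, /lib and /lib64 are symlinks into /usr), and /bin/sh as a placeholder for the program being sandboxed; the probe paths are chosen for illustration.

```shell
#!/bin/sh
# Added example, not code from the Bubblewrap project. The new mount namespace
# starts from an empty tmpfs root, so only what is bound below exists inside
# the sandbox. Assumptions: bwrap 0.6 is installed, the host is usr-merged
# (/bin, /lib and /lib64 are symlinks into /usr), and /bin/sh is the
# placeholder program being sandboxed.

# Emit "--ro-bind DIR DIR" for each host directory given, so it appears at the
# same path inside the sandbox but read-only. Relative paths are refused so the
# generated options always name host paths unambiguously.
ro_bind_options() {
    for dir in "$@"; do
        case $dir in
            /*) printf -- '--ro-bind %s %s ' "$dir" "$dir" ;;
            *)  echo "ro_bind_options: '$dir' is not an absolute path" >&2
                return 1 ;;
        esac
    done
}

# Run "$@" inside the sandbox. --unshare-all gives the program its own PID,
# network, UTS and IPC namespaces (and a user namespace where the kernel
# permits), so only the loopback interface exists inside; --new-session
# detaches it from the controlling terminal; --die-with-parent kills the
# sandbox if this shell exits first. Word splitting of $(ro_bind_options ...)
# is intended: the paths contain no whitespace.
run_sandboxed() {
    bwrap \
        $(ro_bind_options /usr /etc) \
        --symlink usr/bin /bin \
        --symlink usr/lib /lib \
        --symlink usr/lib64 /lib64 \
        --proc /proc \
        --dev /dev \
        --tmpfs /tmp \
        --unshare-all \
        --new-session \
        --die-with-parent \
        "$@"
}

# Probe the sandbox from the inside: the host's /home must not exist, the
# bound /usr must not be writable, and the private /tmp must be writable.
# Returns 0 only if all three hold.
check_isolation() {
    run_sandboxed /bin/sh -c '
        test ! -e /home &&
        ! touch /usr/.write-probe 2>/dev/null &&
        touch /tmp/.write-probe
    '
}
```

Calling `run_sandboxed /bin/sh` gives an interactive shell in which the rest of the host filesystem simply does not exist; `check_isolation` is the quick self-test to run after changing the bind list, since every --bind added is a widening of the sandbox.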

The key difference from the similar Firejail project, which also uses a setuid launch model, is that Bubblewrap's containerization layer includes only the bare minimum of features; all the advanced features needed to launch graphical applications, interact with the desktop and filter access to PulseAudio are moved to the Flatpak side and executed after privileges have been dropped. Firejail, by contrast, combines all related functions in one executable, which makes it harder to audit and to keep secure.

In the new release:

  • Added support for the Meson build system. Support for building with Autotools has been retained for now but will be removed in a future release.
  • Implemented the "--add-seccomp" option, which allows more than one seccomp program to be added. Added a warning that if the "--seccomp" option is specified more than once, only the last one takes effect.
  • The master branch in the git repository has been renamed to main.
  • Added partial support for the REUSE specification, which standardizes how license and copyright information is specified. SPDX-License-Identifier headers have been added to many source files. Following the REUSE guidelines makes it easier to automatically determine which license applies to which parts of the code.
  • Added a check of the command line argument count (argc), with an emergency exit if the count is zero. The change helps block security issues caused by incorrect handling of command line arguments, such as CVE-2021-4034 in Polkit.

Source: opennet.ru