Release of Bubblewrap 0.8, layers for creating sandboxed environments

A release of Bubblewrap 0.8, a toolkit for creating sandboxed environments, is now available. It is typically used to confine individual applications run by unprivileged users; in practice, the Flatpak project uses Bubblewrap as the layer that isolates applications launched from its packages. The project code is written in C and distributed under the LGPLv2+ license.

Isolation relies on the traditional Linux container virtualization technologies: cgroups, namespaces, seccomp and SELinux. To perform the privileged operations needed to set up the container, Bubblewrap runs as root (an executable with the suid bit set) and then drops its privileges once the container has been initialized.

Bubblewrap does not require user namespaces (the namespace type that lets a container use its own separate set of identifiers) to be enabled on the system, since they are disabled by default in many distributions; Bubblewrap is positioned as a limited suid implementation of a subset of the user namespace functionality. To hide all user and process IDs other than the current one from the environment, the CLONE_NEWUSER and CLONE_NEWPID modes are used. For additional protection, programs running under Bubblewrap execute in PR_SET_NO_NEW_PRIVS mode, which prevents them from acquiring new privileges, for example through a binary with the setuid flag.

Isolation at the filesystem level is achieved by creating a new mount namespace by default, in which an empty root partition is created on tmpfs. When necessary, parts of the host filesystem are attached to this root in "mount --bind" mode (for example, running "bwrap --ro-bind /usr /usr" forwards the host's /usr into the sandbox read-only). Networking is limited to the loopback interface, with the network stack isolated via the CLONE_NEWNET and CLONE_NEWUTS flags.

The key difference from the similar Firejail project, which also uses a setuid launch model, is that in Bubblewrap the containerization layer contains only the bare minimum of functionality; all the advanced features needed to launch graphical applications, interact with the desktop and filter access to PulseAudio are moved to the Flatpak side and executed after privileges have been dropped. Firejail, by contrast, combines all related functions in a single executable, which makes it difficult to audit and to maintain security at the proper level.

In the new release:

  • Added the "--disable-userns" option, which prevents the sandboxed environment from creating its own nested user namespace.
  • Added the "--assert-userns-disabled" option, which checks that, when "--disable-userns" is used, the sandbox stays within the existing user ID space.
  • Made the error messages more informative when the CONFIG_SECCOMP and CONFIG_SECCOMP_FILTER settings are disabled in the kernel.
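The following script is an added example, not code from the article or from the Bubblewrap project. It puts together the isolation described above (an empty tmpfs root, the host's /usr bound read-only, network and UTS namespaces unshared) with the two user-namespace options introduced in this release, and then runs a small probe inside the sandbox to confirm that the process really has NoNewPrivs set, cannot write to /usr and cannot create a nested user namespace. It assumes a standard Linux layout (/usr, /lib, /bin, /proc, /dev), that /bin/sh and sed are available from the bound directories, and that bwrap is installed on the host; when bwrap is absent the probe is skipped.

```shell
#!/bin/sh
# Added example (not from the article or the Bubblewrap project).
# Builds a bwrap command line for a minimal sandbox and probes the result.
# Assumes a standard Linux path layout and a bwrap that understands the
# 0.8 options --disable-userns and --assert-userns-disabled.

# Print the sandbox argument list, one argument per line.
bwrap_args() {
    printf '%s\n' \
        --ro-bind /usr /usr \
        --ro-bind-try /lib /lib \
        --ro-bind-try /lib64 /lib64 \
        --ro-bind-try /bin /bin \
        --ro-bind-try /etc/ld.so.cache /etc/ld.so.cache \
        --proc /proc \
        --dev /dev \
        --tmpfs /tmp \
        --unshare-all \
        --die-with-parent \
        --new-session \
        --disable-userns \
        --assert-userns-disabled
}

# Decide whether a probe line describes a correctly confined process.
# Returns 0 for "nnp=1 usr=readonly userns=blocked" (or userns=unknown when
# the unshare tool is not available inside the sandbox), 1 otherwise.
check_probe_output() {
    case "$1" in
        "nnp=1 usr=readonly userns=blocked"|"nnp=1 usr=readonly userns=unknown")
            return 0 ;;
        *)
            return 1 ;;
    esac
}

# Run the probe under bwrap and validate what it reports.
# Returns 0 when the sandbox shows the expected properties or when bwrap is
# not installed (nothing to probe), 1 when the sandbox does not look right.
sandbox_probe() {
    if ! command -v bwrap >/dev/null 2>&1; then
        echo "bwrap not installed; nothing to probe" >&2
        return 0
    fi
    # Turn the newline-separated argument list into positional parameters
    # without letting the shell glob or split on spaces.
    old_ifs=$IFS
    IFS='
'
    set -f
    set -- $(bwrap_args)
    set +f
    IFS=$old_ifs
    out=$(bwrap "$@" /bin/sh -c '
        nnp=$(sed -n "s/^NoNewPrivs:[[:space:]]*//p" /proc/self/status)
        if touch /usr/.bwrap_probe 2>/dev/null; then usr=writable; else usr=readonly; fi
        if command -v unshare >/dev/null 2>&1; then
            if unshare -U true 2>/dev/null; then userns=nested_ok; else userns=blocked; fi
        else
            userns=unknown
        fi
        echo "nnp=$nnp usr=$usr userns=$userns"
    ') || { echo "bwrap failed to start the sandbox" >&2; return 1; }
    echo "$out"
    check_probe_output "$out"
}

# Usage: sh bwrap-probe.sh run
if [ "${1-}" = run ]; then
    sandbox_probe
fi
```

On a host with user namespaces disabled and a non-setuid bwrap, the sandbox fails to start and the probe reports that rather than a false pass; on a correctly working setup the probe prints `nnp=1 usr=readonly userns=blocked`, which is exactly what `--assert-userns-disabled` guarantees before the sandboxed command even runs.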

Source: opennet.ru
