[Webkit-unassigned] [Bug 253002] New: [GLib] Use bubblewrap's new --disable-userns option when available

bugzilla-daemon at webkit.org
Mon Feb 27 09:44:16 PST 2023


https://bugs.webkit.org/show_bug.cgi?id=253002

            Bug ID: 253002
           Summary: [GLib] Use bubblewrap's new --disable-userns option
                    when available
           Product: WebKit
           Version: WebKit Nightly Build
          Hardware: Unspecified
                OS: Unspecified
            Status: NEW
          Severity: Normal
          Priority: P2
         Component: WebKitGTK
          Assignee: webkit-unassigned at lists.webkit.org
          Reporter: pgriffis at igalia.com
                CC: bugs-noreply at webkitgtk.org

Bubblewrap 0.8.0 was released with a new feature that allows disabling namespaces without relying on syscall filters.

This should be more robust and make some classes of exploits impossible.

You can see a writeup on this feature here: https://github.com/containers/bubblewrap/pull/488
And usage of it here: https://github.com/flatpak/flatpak/pull/5084

One open question is whether we hard depend on bwrap 0.8.0 or conditionally use this feature.
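
The "conditionally use this feature" option from the report, sketched as an added example that is not part of the bug report or of WebKit's code. The function names are hypothetical, and it assumes `bwrap --version` prints a line of the form `bubblewrap X.Y.Z`.

```shell
#!/bin/sh
# Added example: gate --disable-userns on the installed bwrap version.

# Return 0 if a `bwrap --version` line (assumed form: "bubblewrap 0.8.0")
# reports 0.8.0 or newer; return 1 for older or unparseable input.
bwrap_supports_disable_userns() {
    _bw_version=${1##* }                      # last word, e.g. "0.8.0"
    case $_bw_version in
        ''|*[!0-9.]*) return 1 ;;             # empty or not digits and dots
    esac
    _bw_major=${_bw_version%%.*}
    _bw_rest=${_bw_version#*.}
    [ "$_bw_rest" != "$_bw_version" ] || return 1   # no dot: treat as unknown
    _bw_minor=${_bw_rest%%.*}
    case $_bw_major in ''|*[!0-9]*) return 1 ;; esac
    case $_bw_minor in ''|*[!0-9]*) return 1 ;; esac
    # Compare numerically so that 0.10.x sorts after 0.8.x.
    [ "$_bw_major" -gt 0 ] || [ "$_bw_minor" -ge 8 ]
}

# Print the user-namespace arguments to pass to bwrap, one per line.
# bwrap only accepts --disable-userns together with --unshare-user, and the
# setuid build of bwrap does not support it. On older versions nothing is
# printed and the caller keeps its existing syscall-filter approach.
userns_args() {
    if bwrap_supports_disable_userns "$1"; then
        printf '%s\n' --unshare-user --disable-userns
    fi
}

# Probe the locally installed bwrap, if there is one.
if command -v bwrap >/dev/null 2>&1; then
    userns_args "$(bwrap --version 2>/dev/null)"
fi
```

A hard dependency on 0.8.0 would remove the fallback branch and turn an old or missing bwrap into a startup or build-time error.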
