[Webkit-unassigned] [Bug 253002] New: [GLib] Use bubblewrap's new --disable-userns option when available
bugzilla-daemon at webkit.org
Mon Feb 27 09:44:16 PST 2023
https://bugs.webkit.org/show_bug.cgi?id=253002
Bug ID: 253002
Summary: [GLib] Use bubblewrap's new --disable-userns option when available
Product: WebKit
Version: WebKit Nightly Build
Hardware: Unspecified
OS: Unspecified
Status: NEW
Severity: Normal
Priority: P2
Component: WebKitGTK
Assignee: webkit-unassigned at lists.webkit.org
Reporter: pgriffis at igalia.com
CC: bugs-noreply at webkitgtk.org
Bubblewrap 0.8.0 was released with a new feature that allows disabling namespaces without relying on syscall filters.
This should be more robust and make some classes of exploits impossible.
You can see a writeup on this feature here: https://github.com/containers/bubblewrap/pull/488
And usage of it here: https://github.com/flatpak/flatpak/pull/5084
One open question is whether we hard depend on bwrap 0.8.0 or conditionally use this feature.
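A sketch of the "conditionally use this feature" option from the report, added here as an example and not taken from WebKit, bubblewrap or Flatpak: it parses the `bwrap --version` output numerically and only emits `--disable-userns` for 0.8.0 or newer. The function names `bwrap_version_ge` and `userns_args` are hypothetical, and the version strings used with them are constructed.

```shell
#!/bin/sh
# Added example (not WebKit code): decide at runtime whether bwrap's
# --disable-userns can be used. Function names are hypothetical.

# Succeeds if version string $1 (e.g. "bubblewrap 0.8.0") is >= $2.$3.$4.
# Components are compared numerically, so 0.10.0 sorts above 0.8.0.
bwrap_version_ge() {
    have=${1##* }                       # keep the last word: "0.8.0"
    want_major=$2 want_minor=$3 want_patch=$4
    case $have in
        # Unparsable output is treated as "too old": the flag is not used.
        *[!0-9.]*|''|.*|*.|*..*) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $have                        # split on dots into $1 $2 $3
    IFS=$old_ifs
    major=${1:-0} minor=${2:-0} patch=${3:-0}
    [ "$major" -gt "$want_major" ] && return 0
    [ "$major" -lt "$want_major" ] && return 1
    [ "$minor" -gt "$want_minor" ] && return 0
    [ "$minor" -lt "$want_minor" ] && return 1
    [ "$patch" -ge "$want_patch" ]
}

# Prints the user-namespace arguments for the given `bwrap --version` output.
userns_args() {
    if bwrap_version_ge "$1" 0 8 0; then
        # Per the bwrap man page, --disable-userns requires --unshare-user
        # and does not work with a setuid bwrap.
        echo "--unshare-user --disable-userns"
    else
        # Older bwrap: the caller still depends on its syscall filter to
        # block creation of nested user namespaces.
        echo "--unshare-user"
    fi
}

# Stand-alone use: report what would be passed on this machine.
if command -v bwrap >/dev/null 2>&1; then
    userns_args "$(bwrap --version 2>/dev/null)"
fi
```

A version check alone does not tell you whether the installed bwrap is setuid, so a launcher taking this route still needs a fallback when bwrap rejects the option.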