by groks 3603 days ago
I agree, the tool is (currently) poorly documented. I would have appreciated something like this:

    bwrap --ro-bind / / id

    bwrap --ro-bind /usr /usr \
          --ro-bind /lib64 /lib64 \
          id

    bwrap --ro-bind /usr/bin/ps /usr/bin/ps \
          --ro-bind /lib64 /lib64 \
          --proc /proc \
          ps -x

    bwrap --ro-bind /usr/bin/ps /usr/bin/ps \
          --ro-bind /lib64 /lib64 \
          --proc /proc \
          --unshare-pid \
          ps -x

    bwrap --ro-bind /usr/bin/echo /usr/bin/echo \
          --ro-bind /lib64 /lib64 \
          echo "to a file outside the container" > /tmp/a-file

    bwrap --ro-bind /usr/bin/sh /usr/bin/sh \
          --ro-bind /lib64 /lib64 \
          --bind /tmp/a-file /tmp/a-file \
          sh -c 'echo "editing inside, available outside" > /tmp/a-file'

But it's never going to be easy. For example:

- The above works on my 64-bit, combined /usr system, but maybe not yours. The more complicated the example, the more likely differences between systems are to show up.

- You may want to run a program with different privileges in different scenarios, so it is hard to guess what the right thing to do is in the general case.

Both bubblewrap and firejail need to be setuid. People commented on the firejail thread that it has a lot of code to be audited. Bubblewrap addresses that by stripping down to the essentials. It's going to have to compensate for that with great documentation and error messages.
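As an added example, not part of groks's comment or the bubblewrap project's own code: a small POSIX sh helper that derives the `--ro-bind` list from `ldd` output, so the sandbox contains only the binary and the libraries it actually links, which is the guesswork the comment describes. The `ldd` sample below is constructed, the function names are mine, and `--unshare-all` and `--die-with-parent` are bubblewrap flags that postdate this comment.

```shell
#!/bin/sh
# Added example: build a least-privilege bwrap invocation from what the
# dynamic loader reports, instead of hand-picking /usr or /lib64 wholesale.

# Constructed sample of `ldd /usr/bin/ps` on an x86_64 glibc system; only
# used to exercise the parser offline (real systems will differ).
SAMPLE_LDD='    linux-vdso.so.1 (0x00007ffd8c5f9000)
    libprocps.so.8 => /lib/x86_64-linux-gnu/libprocps.so.8 (0x00007f3b0c1f0000)
    libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f3b0c000000)
    /lib64/ld-linux-x86-64.so.2 (0x00007f3b0c250000)'

# Print, one per line, every absolute path named in ldd output on stdin.
# The vdso line names no file on disk, so it is skipped naturally.
ldd_paths() {
  awk '{ for (i = 1; i <= NF; i++) if ($i ~ /^\//) print $i }'
}

# Turn paths on stdin into "--ro-bind PATH PATH" lines, de-duplicated and in
# a locale-independent order. Each file is bound at its own location so the
# loader finds it exactly where the binary expects it.
ro_bind_args() {
  LC_ALL=C sort -u | awk '{ printf "--ro-bind %s %s\n", $1, $1 }'
}

# Resolve a program name and emit the bind arguments for it and its
# libraries using the real ldd. Not run at top level, so sourcing is safe.
bwrap_args_for() {
  prog=$(command -v "$1") || return 1
  { printf '%s\n' "$prog"; ldd "$prog"; } | ldd_paths | ro_bind_args
}

# Run a program with only its binary and libraries visible, a private PID
# namespace and /proc, a minimal /dev, a fresh /tmp, and no network.
sandboxed() {
  prog=$(command -v "$1") || return 1
  shift
  # shellcheck disable=SC2046  (paths from ldd contain no whitespace)
  bwrap $(bwrap_args_for "$prog") \
      --proc /proc --dev /dev --tmpfs /tmp \
      --unshare-all --die-with-parent \
      "$prog" "$@"
}
```

Try `sandboxed ps -x` to reproduce the comment's `--unshare-pid` example without listing libraries by hand; if a program dlopen()s extra libraries at runtime, `ldd` will not see them and the bind list must be extended.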