modules/programs: sandboxing: unshare ipc/cgroup/uts by default
parent
2d7c5b9fa5
commit
548a95a7e1
|
@ -315,11 +315,16 @@ bwrapIngestCapability() {
|
|||
# WIP
|
||||
|
||||
bwrapExec() {
|
||||
# --unshare-all implies the following:
|
||||
# --unshare-pid: mean that the /proc mount does not expose /proc/$PID/ for every other process on the machine.
|
||||
# --unshare-net creates a new net namespace with only the loopback interface.
|
||||
# if `bwrapFlags` contains --share-net, thiss is canceled and the program sees an unsandboxed network.
|
||||
# --unshare-ipc
|
||||
# --unshare-cgroup
|
||||
# --unshare-uts
|
||||
# --unshare-user (implicit to every non-suid call to bwrap)
|
||||
PATH="$PATH:@bubblewrap@/bin" exec \
|
||||
bwrap --unshare-net --unshare-pid --dev /dev --proc /proc --tmpfs /tmp "${bwrapFlags[@]}" -- \
|
||||
bwrap --unshare-all --dev /dev --proc /proc --tmpfs /tmp "${bwrapFlags[@]}" -- \
|
||||
"${cliArgs[@]}"
|
||||
}
|
||||
|
||||
|
|
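Review bot: The comment block above the `bwrap` call lists `--unshare-cgroup` as implied by `--unshare-all`, but the bwrap manual describes `--unshare-all` as equivalent to the best-effort `--unshare-user-try` and `--unshare-cgroup-try`, so on a kernel without cgroup namespaces the program would presumably start without that isolation and without an error. I would change that comment line to `# --unshare-cgroup-try (best effort; skipped if the kernel lacks cgroup namespaces)`, and, if the sandbox is meant to fail closed, also pass the strict `--unshare-cgroup` after `--unshare-all` (worth testing on the oldest supported kernel). The comment could also state that `--share-net` is the only re-share option bwrap offers, so entries in `bwrapFlags` can undo the network isolation but not the pid, ipc, uts or cgroup isolation. Two typos in the same comment block: `mean that` should read `means that`, and `thiss` should read `this`.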