modules/programs: sandboxing: unshare ipc/cgroup/uts by default
parent
2d7c5b9fa5
commit
548a95a7e1
|
@ -315,11 +315,16 @@ bwrapIngestCapability() {
|
||||||
# WIP
|
# WIP
|
||||||
|
|
||||||
bwrapExec() {
|
bwrapExec() {
|
||||||
|
# --unshare-all implies the following:
|
||||||
# --unshare-pid: mean that the /proc mount does not expose /proc/$PID/ for every other process on the machine.
|
# --unshare-pid: mean that the /proc mount does not expose /proc/$PID/ for every other process on the machine.
|
||||||
# --unshare-net creates a new net namespace with only the loopback interface.
|
# --unshare-net creates a new net namespace with only the loopback interface.
|
||||||
# if `bwrapFlags` contains --share-net, thiss is canceled and the program sees an unsandboxed network.
|
# if `bwrapFlags` contains --share-net, thiss is canceled and the program sees an unsandboxed network.
|
||||||
|
# --unshare-ipc
|
||||||
|
# --unshare-cgroup
|
||||||
|
# --unshare-uts
|
||||||
|
# --unshare-user (implicit to every non-suid call to bwrap)
|
||||||
PATH="$PATH:@bubblewrap@/bin" exec \
|
PATH="$PATH:@bubblewrap@/bin" exec \
|
||||||
bwrap --unshare-net --unshare-pid --dev /dev --proc /proc --tmpfs /tmp "${bwrapFlags[@]}" -- \
|
bwrap --unshare-all --dev /dev --proc /proc --tmpfs /tmp "${bwrapFlags[@]}" -- \
|
||||||
"${cliArgs[@]}"
|
"${cliArgs[@]}"
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
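Review bot: The new comment block in bwrapExec lists `--unshare-cgroup` and `--unshare-user` as implied by `--unshare-all`, but bwrap documents `--unshare-all` as expanding to the best-effort `--unshare-user-try` and `--unshare-cgroup-try`, so on a kernel without those namespaces the sandbox starts with them still shared and nothing is reported. I would correct the two comment lines to `# --unshare-cgroup-try (skipped silently if the kernel lacks it)` and `# --unshare-user-try (skipped silently if the kernel lacks it)`. If the sandbox is meant to fail closed, writing `bwrap --unshare-all --unshare-user --unshare-cgroup ...` should make a missing namespace abort the launch instead. Because `"${bwrapFlags[@]}"` follows and bwrap offers only `--share-net` as an opt-back-in, the comment should also state that ipc, uts and cgroup isolation can no longer be relaxed per program through `bwrapFlags`.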