Document possible sandbox restriction #370
Conversation
|
Can one of the admins verify this patch?
|
|
Since nothing happened here, I am not sure I missed something. Do I need to tell the bot a command? |
|
I don't understand this addition. The section you added to talks about the security of bubblewrap itself on a system. I.e. as a sysadmin i need to consider: is there an increased risk in installing the bwrap package on a system (it can be setuid root after all). What does this have to do with browsers or other apps restricting themselves? |
|
It's true to say that for programs like web browsers, which aim to enforce a security boundary within themselves (between the UI and the web content), a program running inside a bubblewrap sandbox is less able to enforce that security boundary than a program running on the host system. However, it's deeply misleading to say that in a paragraph that is otherwise talking about whether bubblewrap undermines the security boundary between ordinary users and root, or between one user and another. The Security section of the README is currently only talking about this security boundary, and the bubblewrap vulnerabilities that were fixed in the past, like CVE-2020-5291, were flaws in this boundary. If you want the README to talk about both of those security boundaries, then it needs to be as clear as possible which one you're talking about at any given moment. There is a third interesting security boundary, between the code that is run inside the bubblewrap sandbox and the code that runs outside. Enforcing this boundary is not bubblewrap's job: it provides mechanisms that a caller could use to enforce this boundary, but not all callers even want to do that, and bubblewrap does not force them to. For example, most Flatpak apps are designed to protect processes outside the sandbox, but a few Flatpak apps like gnome-builder are designed to be able to be allowed to execute arbitrary code outside the sandbox. |
brandsimon
force-pushed
the
sbr/document_sandbox_restriction
branch
from
5fc0889 to
16190ac
Compare
|
I agree with you, valid point! I changed the PR and split the two sections. |
brandsimon
force-pushed
the
sbr/document_sandbox_restriction
branch
5 times, most recently
from
e1d194c to
3ed6a20
Compare
|
I rebased the branch and reworked the section. (Thank you @hartwork for your help). |
Signed-off-by: Simon Brand <simon.brand@postadigitale.de>
brandsimon
force-pushed
the
sbr/document_sandbox_restriction
branch
from
3ed6a20 to
4b8d81a
Compare
As explained here: #279 (comment)_
I document this, since it is an information I wanted when first having contact with this tool.
Besides that, I had a lot of fun with it, thank you to all of the contributors!