diff options
| author | jvoisin | 2019-09-21 14:14:39 +0200 |
|---|---|---|
| committer | jvoisin | 2019-09-21 14:14:39 +0200 |
| commit | 37145531854879081fddd6019bdb9ba693210cf2 (patch) | |
| tree | 6f7043feea68514664910cdcd1a1e0502c8f35ba | |
| parent | 1678d378562b0825707e08352d3cdc10e8a9c4f8 (diff) | |
Fix bubblewrap
On some machines (like mine), `/proc` has to be mounted. Also, since
sandboxing with bubblewrap is best effort and assumes that an attacker doesn't
have control outside of the file to clean, it's safe to __try__ to enable some
bubblewrap features, and to silently fail otherwise.
| -rw-r--r-- | libmat2/subprocess.py | 8 |
1 files changed, 7 insertions, 1 deletions
diff --git a/libmat2/subprocess.py b/libmat2/subprocess.py index cf24176..f1142be 100644 --- a/libmat2/subprocess.py +++ b/libmat2/subprocess.py | |||
| @@ -49,8 +49,14 @@ def _get_bwrap_args(tempdir: str, | |||
| 49 | 49 | ||
| 50 | args = ro_bind_args + \ | 50 | args = ro_bind_args + \ |
| 51 | ['--dev', '/dev', | 51 | ['--dev', '/dev', |
| 52 | '--proc', '/proc', | ||
| 52 | '--chdir', cwd, | 53 | '--chdir', cwd, |
| 53 | '--unshare-all', | 54 | '--unshare-user-try', |
| 55 | '--unshare-ipc', | ||
| 56 | '--unshare-pid', | ||
| 57 | '--unshare-net', | ||
| 58 | '--unshare-uts', | ||
| 59 | '--unshare-cgroup-try', | ||
| 54 | '--new-session', | 60 | '--new-session', |
| 55 | # XXX: enable --die-with-parent once all supported platforms have | 61 | # XXX: enable --die-with-parent once all supported platforms have |
| 56 | # a bubblewrap recent enough to support it. | 62 | # a bubblewrap recent enough to support it. |