Mount a new tmpfs on /tmp and drop all capabilities

This mounts a new tmpfs on /tmp so any files residing there would be hidden
from the sandbox. Many programs store some files in there that might be useful
to an attacker.  It also drops all capabilities incase it is ever run with
extra capabilities for whatever reason.

2 files changed, 3 insertions, 1 deletions

diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
index 35bd62d..5713d5b 100644
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@@ -16,7 +16,7 @@ linting:bandit:
   script:  # TODO: remove B405 and B314
     - bandit ./mat2 --format txt --skip B101
     - bandit -r ./nautilus/ --format txt --skip B101
-    - bandit -r ./libmat2 --format txt --skip B101,B404,B603,B405,B314
+    - bandit -r ./libmat2 --format txt --skip B101,B404,B603,B405,B314,B108
 
 linting:codespell:
   image: $CONTAINER_REGISTRY:linting
diff --git a/libmat2/subprocess.py b/libmat2/subprocess.py
index f1142be..fb6fc9d 100644
--- a/libmat2/subprocess.py
+++ b/libmat2/subprocess.py
@@ -51,6 +51,7 @@ def _get_bwrap_args(tempdir: str,
         ['--dev', '/dev',
          '--proc', '/proc',
          '--chdir', cwd,
+         '--tmpfs', '/tmp',
          '--unshare-user-try',
          '--unshare-ipc',
          '--unshare-pid',
@@ -58,6 +59,7 @@ def _get_bwrap_args(tempdir: str,
          '--unshare-uts',
          '--unshare-cgroup-try',
          '--new-session',
+         '--cap-drop', 'all',
          # XXX: enable --die-with-parent once all supported platforms have
          # a bubblewrap recent enough to support it.
          # '--die-with-parent',