summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
Diffstat
-rw-r--r--.gitlab-ci.yml2
-rw-r--r--libmat2/subprocess.py2
2 files changed, 3 insertions, 1 deletions
diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
index 35bd62d..5713d5b 100644
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@@ -16,7 +16,7 @@ linting:bandit:
16 script: # TODO: remove B405 and B314 16 script: # TODO: remove B405 and B314
17 - bandit ./mat2 --format txt --skip B101 17 - bandit ./mat2 --format txt --skip B101
18 - bandit -r ./nautilus/ --format txt --skip B101 18 - bandit -r ./nautilus/ --format txt --skip B101
19 - bandit -r ./libmat2 --format txt --skip B101,B404,B603,B405,B314 19 - bandit -r ./libmat2 --format txt --skip B101,B404,B603,B405,B314,B108
20 20
21linting:codespell: 21linting:codespell:
22 image: $CONTAINER_REGISTRY:linting 22 image: $CONTAINER_REGISTRY:linting
diff --git a/libmat2/subprocess.py b/libmat2/subprocess.py
index f1142be..fb6fc9d 100644
--- a/libmat2/subprocess.py
+++ b/libmat2/subprocess.py
@@ -51,6 +51,7 @@ def _get_bwrap_args(tempdir: str,
51 ['--dev', '/dev', 51 ['--dev', '/dev',
52 '--proc', '/proc', 52 '--proc', '/proc',
53 '--chdir', cwd, 53 '--chdir', cwd,
54 '--tmpfs', '/tmp',
54 '--unshare-user-try', 55 '--unshare-user-try',
55 '--unshare-ipc', 56 '--unshare-ipc',
56 '--unshare-pid', 57 '--unshare-pid',
@@ -58,6 +59,7 @@ def _get_bwrap_args(tempdir: str,
58 '--unshare-uts', 59 '--unshare-uts',
59 '--unshare-cgroup-try', 60 '--unshare-cgroup-try',
60 '--new-session', 61 '--new-session',
62 '--cap-drop', 'all',
61 # XXX: enable --die-with-parent once all supported platforms have 63 # XXX: enable --die-with-parent once all supported platforms have
62 # a bubblewrap recent enough to support it. 64 # a bubblewrap recent enough to support it.
63 # '--die-with-parent', 65 # '--die-with-parent',