author: Colin Walters <walters@verbum.org> 2016-05-05 14:25:19 -0400
committer: Colin Walters (automation) <walters+githubbot@verbum.org> 2016-05-05 23:54:22 +0000
commit: 8ced4fbe51c76830e8add0e92c85acb676c353be (patch)
tree: e4399f13db3d07478d971c2524e12fcff23ba3a0
parent: 5601aae36c3f3d83ce71fb727669e6d5483fd8a2 (diff)
download: bubblewrap-8ced4fbe51c76830e8add0e92c85acb676c353be.tar.gz
README.md: Note some related projects
Closes: #44
Approved by: rhatdan

-rw-r--r--  README.md | 46
1 file changed, 46 insertions(+), 0 deletions(-)
diff --git a/README.md b/README.md
index 996280f..174d051 100644
--- a/README.md
+++ b/README.md
@@ -130,6 +130,52 @@ UTS namespace ([CLONE_NEWUTS](http://linux.die.net/man/2/clone)): The sandbox wi
Seccomp filters: You can pass in seccomp filters that limit which syscalls can be done in the sandbox. For more information, see [Seccomp](https://en.wikipedia.org/wiki/Seccomp).
+Related project comparison: Firejail
+------------------------------------
+
+[Firejail](https://github.com/netblue30/firejail/tree/master/src/firejail) is
+similar to xdg-app before bubblewrap was split out in that it combines
+a setuid tool with a lot of desktop-specific sandboxing features. For
+example, Firejail knows about Pulseaudio, whereas bubblewrap does not.
+
+The bubblewrap authors believe it's much easier to audit a small
+setuid program, and keep features such as Pulseaudio filtering as an
+unprivileged process, as now occurs in xdg-app.
+
+Also, @cgwalters thinks trying to
+[whitelist file paths](https://github.com/netblue30/firejail/blob/37a5a3545ef6d8d03dad8bbd888f53e13274c9e5/src/firejail/fs_whitelist.c#L176)
+is a bad idea given the myriad ways users have to manipulate paths,
+and the myriad ways in which system administrators may configure a
+system. The bubblewrap approach is to only retain a few specific
+Linux capabilities such as `CAP_SYS_ADMIN`, but to always access the
+filesystem as the invoking uid. This entirely closes
+[TOCTOCU attacks](https://cwe.mitre.org/data/definitions/367.html) and
+such.
+
+Related project comparison: Sandstorm.io
+----------------------------------------
+
+[Sandstorm.io](https://sandstorm.io/) also has a setuid helper
+process. @cgwalters believes their setuid code is fairly good, but it
+could still make sense to unify on bubblewrap as a setuid core. That
+hasn't been ruled out, but neither is it being actively pursued today.
+
+Related project comparison: runc/binctr
+----------------------------------------
+
+[runc](https://github.com/opencontainers/runc) is similar to
+[systemd nspawn](https://www.freedesktop.org/software/systemd/man/systemd-nspawn.html)
+in that it is tooling intended to be invoked by root. There is an
+effort to have runc optionally use
+[user namespaces](https://github.com/opencontainers/runc/issues/38),
+but no plans for any setuid support.
+
+The bubblewrap authors believe that runc and systemd-nspawn are not
+designed to be made setuid and are distant from supporting such a
+mode.
+
+[binctr](https://github.com/jfrazelle/binctr) is just a wrapper for
+runc, so inherits all of its design tradeoffs.
Whats with the name ?!
----------------------
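Review bot: the link text `TOCTOCU attacks` in the Firejail section is a typo for TOCTOU (time-of-check/time-of-use, which is what the linked CWE-367 describes); change it to `[TOCTOU attacks](https://cwe.mitre.org/data/definitions/367.html)`. The same sentence overstates the guarantee: accessing the filesystem as the invoking uid removes the privileged path-check race that a setuid whitelisting approach like Firejail's `fs_whitelist.c` has to defend against, but it does not remove TOCTOU races inside the sandboxed program itself, so "entirely closes ... and such" would read better as closing that class of privilege-escalation race in the setuid helper. Two minor style points: `Also, @cgwalters thinks` and `@cgwalters believes` read as personal opinion in a project README, whereas the preceding paragraph already uses "The bubblewrap authors believe", which would be the consistent voice; and the `----` underline beneath `Related project comparison: runc/binctr` is longer than the heading text, unlike the other two new headings (setext headings render either way, so this is cosmetic).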