author | Colin Walters <walters@verbum.org> | 2016-05-02 12:20:32 -0400 |
---|---|---|
committer | Colin Walters (automation) <walters+githubbot@verbum.org> | 2016-05-02 17:24:58 +0000 |
commit | 92fc223647fcaeb41e41f94848a3b9bc6e2cb546 (patch) | |
tree | d0d91cc95d667601d7369756abd8af2695072ecd | |
parent | a4de436585220c1f547cb1f5c3db9e3c6fa81609 (diff) | |
download | bubblewrap-92fc223647fcaeb41e41f94848a3b9bc6e2cb546.tar.gz |
README: Link to CVE-2016-3135, describe vs userns better
Closes: #41
Approved by: rhatdan
-rw-r--r-- | README.md | 16 |
1 files changed, 13 insertions, 3 deletions
@@ -9,16 +9,26 @@ These tools are not suitable to give to unprivileged users, because it is trivial to turn such access into to a fully privileged root shell on the host. +User namespaces +--------------- + There is an effort in the Linux kernel called [user namespaces](https://www.google.com/search?q=user+namespaces+site%3Ahttps%3A%2F%2Flwn.net) which attempts to allow unprivileged users to use container features. While significant progress has been made, there are [still concerns](https://lwn.net/Articles/673597/) about it. -Bubblewrap is a setuid implementation of a *subset* of user -namespaces. (Emphasis on subset) +See for example +[CVE-2016-3135](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3135) +which is a local root vulnerability introduced by userns. +[This March 2016 post](https://lkml.org/lkml/2016/3/9/555) has some +more discussion. + +Bubblewrap could be viewed as setuid implementation of a *subset* of +user namespaces. Emphasis on subset - specifically relevant to the +above CVE, bubblewrap does not allow control over iptables. -It inherits code from +The original bubblewrap code existed before user namespaces - it inherits code from [xdg-app helper](https://cgit.freedesktop.org/xdg-app/xdg-app/tree/common/xdg-app-helper.c) which in turn distantly derives from [linux-user-chroot](https://git.gnome.org/browse/linux-user-chroot). |
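Review bot: the sentence introducing the CVE reads as if the flaw lives in the user-namespace code itself ("a local root vulnerability introduced by userns"), while the paragraph that follows says the relevant fact is that bubblewrap "does not allow control over iptables", which implies the bug is in the iptables handling and user namespaces are what made it reachable to unprivileged users; phrasing it as "a local root vulnerability that user namespaces made reachable to unprivileged users" would make the two paragraphs agree. Minor: "could be viewed as setuid implementation" is missing the article "a", and the [user namespaces] link points at a Google search rather than a stable reference, so a direct link to an LWN article would age better.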