diff options
author | Simon McVittie <smcv@collabora.com> | 2022-12-16 18:46:23 +0000 |
---|---|---|
committer | Alexander Larsson <alexander.larsson@gmail.com> | 2023-01-03 11:04:09 +0100 |
commit | b5f672355b916e6e59dad5ec9ca55aa90afe8a90 (patch) | |
tree | 50850ae7a345afc1d75a9adb00e367d4528ef0e0 /bwrap.xml | |
parent | b33c333bcb88557ad23a9bc5be0d619d537984e9 (diff) | |
download | bubblewrap-b5f672355b916e6e59dad5ec9ca55aa90afe8a90.tar.gz |
Add --assert-userns-disabled option
We can't combine --disable-userns with entering an existing user
namespace via --userns if the existing user namespace was created with
--disable-userns, because its ability to create nested user namespaces
has already been disabled. However, the next best thing is to verify
that we are already in the desired state.
Signed-off-by: Simon McVittie <smcv@collabora.com>
Diffstat (limited to 'bwrap.xml')
-rw-r--r-- | bwrap.xml | 11 |
1 files changed, 11 insertions, 0 deletions
@@ -159,6 +159,17 @@ </para></listitem> </varlistentry> <varlistentry> + <term><option>--assert-userns-disabled</option></term> + <listitem><para> + Confirm that the process in the sandbox has been prevented from + creating further user namespaces, but without taking any particular + action to prevent that. For example, this can be combined with + <option>--userns</option> to check that the given user namespace + has already been set up to prevent the creation of further user + namespaces. + </para></listitem> + </varlistentry> + <varlistentry> <term><option>--pidns <arg choice="plain">FD</arg></option></term> <listitem><para>Use an existing pid namespace instead of creating one. This is often used with --userns, because the pid namespace must be owned by the same user namespace that bwrap uses. </para> <para>Note that this can be combined with --unshare-pid, and in that case it means that the sandbox will be in its own pid namespace, which is a child of the passed in one.</para></listitem> |