diff options
| -rw-r--r-- | README.md | 39 | ||||
| -rw-r--r-- | SECURITY.md | 39 | ||||
| -rw-r--r-- | bwrap.xml | 12 | ||||
| -rw-r--r-- | utils.c | 8 |
4 files changed, 84 insertions, 14 deletions
@@ -35,8 +35,8 @@ The original bubblewrap code existed before user namespaces - it inherits code f which in turn distantly derives from [linux-user-chroot](https://git.gnome.org/browse/linux-user-chroot). -Security --------- +System security +--------------- The maintainers of this tool believe that it does not, even when used in combination with typical software installed on that distribution, @@ -47,6 +47,27 @@ In particular, bubblewrap uses `PR_SET_NO_NEW_PRIVS` to turn off setuid binaries, which is the [traditional way](https://en.wikipedia.org/wiki/Chroot#Limitations) to get out of things like chroots. +Sandbox security +---------------- + +bubblewrap is a tool for constructing sandbox environments. +bubblewrap is not a complete, ready-made sandbox with a specific security +policy. + +Some of bubblewrap's use-cases want a security boundary between the sandbox +and the real system; other use-cases want the ability to change the layout of +the filesystem for processes inside the sandbox, but do not aim to be a +security boundary. +As a result, the level of protection between the sandboxed processes and +the host system is entirely determined by the arguments passed to +bubblewrap. + +Whatever program constructs the command-line arguments for bubblewrap +(often a larger framework like Flatpak, libgnome-desktop, sandwine +or an ad-hoc script) is responsible for defining its own security model, +and choosing appropriate bubblewrap command-line arguments to implement +that security model. + Users ----- @@ -101,7 +122,14 @@ source code, but here's a trimmed down version which runs a new shell reusing the host's `/usr`. ``` -bwrap --ro-bind /usr /usr --symlink usr/lib64 /lib64 --proc /proc --dev /dev --unshare-pid bash +bwrap \ + --ro-bind /usr /usr \ + --symlink usr/lib64 /lib64 \ + --proc /proc \ + --dev /dev \ + --unshare-pid \ + --new-session \ + bash ``` This is an incomplete example, but useful for purposes of @@ -138,6 +166,11 @@ UTS namespace ([CLONE_NEWUTS](http://linux.die.net/man/2/clone)): The sandbox wi Seccomp filters: You can pass in seccomp filters that limit which syscalls can be done in the sandbox. For more information, see [Seccomp](https://en.wikipedia.org/wiki/Seccomp). +If you are not filtering out `TIOCSTI` commands using seccomp filters, +argument `--new-session` is needed to protect against out-of-sandbox +command execution +(see [CVE-2017-5226](https://github.com/containers/bubblewrap/issues/142)). + Related project comparison: Firejail ------------------------------------ diff --git a/SECURITY.md b/SECURITY.md index d914d4a..0ddfc6c 100644 --- a/SECURITY.md +++ b/SECURITY.md @@ -1,3 +1,42 @@ ## Security and Disclosure Information Policy for the bubblewrap Project The bubblewrap Project follows the [Security and Disclosure Information Policy](https://github.com/containers/common/blob/HEAD/SECURITY.md) for the Containers Projects. + +### System security + +If bubblewrap is setuid root, then the goal is that it does not allow +a malicious local user to do anything that would not have been possible +on a kernel that allows unprivileged users to create new user namespaces. +For example, [CVE-2020-5291](https://github.com/containers/bubblewrap/security/advisories/GHSA-j2qp-rvxj-43vj) +was treated as a security vulnerability in bubblewrap. + +If bubblewrap is not setuid root, then it is not a security boundary +between the user and the OS, because anything bubblewrap could do, a +malicious user could equally well do by writing their own tool equivalent +to bubblewrap. + +### Sandbox security + +bubblewrap is a toolkit for constructing sandbox environments. +bubblewrap is not a complete, ready-made sandbox with a specific security +policy. + +Some of bubblewrap's use-cases want a security boundary between the sandbox +and the real system; other use-cases want the ability to change the layout of +the filesystem for processes inside the sandbox, but do not aim to be a +security boundary. +As a result, the level of protection between the sandboxed processes and +the host system is entirely determined by the arguments passed to +bubblewrap. + +Whatever program constructs the command-line arguments for bubblewrap +(often a larger framework like Flatpak, libgnome-desktop, sandwine +or an ad-hoc script) is responsible for defining its own security model, +and choosing appropriate bubblewrap command-line arguments to implement +that security model. + +For example, +[CVE-2017-5226](https://github.com/flatpak/flatpak/security/advisories/GHSA-7gfv-rvfx-h87x) +(in which a Flatpak app could send input to a parent terminal using the +`TIOCSTI` ioctl) is considered to be a Flatpak vulnerability, not a +bubblewrap vulnerability. @@ -6,7 +6,7 @@ <refentryinfo> <title>bwrap</title> - <productname>Project Atomic</productname> + <productname>Containers</productname> <authorgroup> <author> <contrib>Developer</contrib> @@ -42,7 +42,8 @@ <refsect1><title>Description</title> <para> - <command>bwrap</command> is a privileged helper for container setup. You + <command>bwrap</command> is a unprivileged low-level sandboxing tool + (optionally setuid on older distributions). You are unlikely to use it directly from the commandline, although that is possible. </para> <para> @@ -463,7 +464,9 @@ </para><para> Note: In a general sandbox, if you don't use --new-session, it is recommended to use seccomp to disallow the TIOCSTI ioctl, otherwise - the application can feed keyboard input to the terminal. + the application can feed keyboard input to the terminal + which can e.g. lead to out-of-sandbox command execution + (see CVE-2017-5226). </para></listitem> </varlistentry> <varlistentry> @@ -484,7 +487,8 @@ <varlistentry> <term><option>--cap-add <arg choice="plain">CAP</arg></option></term> <listitem><para> - Add the specified capability when running as privileged user. It accepts + Add the specified capability <arg choice="plain">CAP</arg>, e.g. + CAP_DAC_READ_SEARCH, when running as privileged user. It accepts the special value ALL to add all the permitted caps. </para></listitem> </varlistentry> @@ -568,7 +568,6 @@ load_file_data (int fd, ssize_t data_read; ssize_t data_len; ssize_t res; - int errsv; data_read = 0; data_len = 4080; @@ -587,12 +586,7 @@ load_file_data (int fd, while (res < 0 && errno == EINTR); if (res < 0) - { - errsv = errno; - close (fd); - errno = errsv; - return NULL; - } + return NULL; data_read += res; } |