diff options
Diffstat (limited to 'bwrap.xml')
| -rw-r--r-- | bwrap.xml | 14 |
1 files changed, 14 insertions, 0 deletions
@@ -145,6 +145,20 @@ <para>This is useful because sometimes bubblewrap itself creates nested user namespaces (to work around some kernel issues) and --userns2 can be used to enter these.</para></listitem> </varlistentry> <varlistentry> + <term><option>--disable-userns</option></term> + <listitem><para> + Prevent the process in the sandbox from creating further user namespaces, + so that it cannot rearrange the filesystem namespace or do other more + complex namespace modification. + This is currently implemented by setting the + <literal>user.max_user_namespaces</literal> sysctl to 1, and then + entering a nested user namespace which is unable to raise that limit + in the outer namespace. + This option requires <option>--unshare-user</option>, and doesn't work + in the setuid version of bubblewrap. + </para></listitem> + </varlistentry> + <varlistentry> <term><option>--pidns <arg choice="plain">FD</arg></option></term> <listitem><para>Use an existing pid namespace instead of creating one. This is often used with --userns, because the pid namespace must be owned by the same user namespace that bwrap uses. </para> <para>Note that this can be combined with --unshare-pid, and in that case it means that the sandbox will be in its own pid namespace, which is a child of the passed in one.</para></listitem> |