diff options
author | Clark Boylan <clark.boylan@gmail.com> | 2023-05-15 10:44:17 -0700 |
---|---|---|
committer | Clark Boylan <clark.boylan@gmail.com> | 2023-05-16 10:12:21 -0700 |
commit | 0937872119e642b3fc689fc2bf156e44dccf140d (patch) | |
tree | 114525501e70fa529a3b3a428a9c9135321be6bd /tests/unit/test_auth.py | |
parent | a9146705148afba092e31a7013676f9c5661a2c6 (diff) | |
download | zuul-0937872119e642b3fc689fc2bf156e44dccf140d.tar.gz |
Use bwrap --disable-userns if possible
Newer bwrap has added the ability to disable additional nested user
namespace creation from with the bwrap execution context. Take advantage
of this feature in Zuul if we are able to in order to fortify Zuul's
security position.
In particular we need two conditions to take advantage of this. 1) bwrap
must be new enough to support the feature (>=0.8.0) and 2) we must be
running with user namespaces enabled. We explicitly check for both
conditions and add the appropriate invocation flags to bwrap when the
conditions are met.
Change-Id: Idf933a0847cb8570b551892186ca9c0057be127f
Diffstat (limited to 'tests/unit/test_auth.py')
0 files changed, 0 insertions, 0 deletions