From 0937872119e642b3fc689fc2bf156e44dccf140d Mon Sep 17 00:00:00 2001 From: Clark Boylan Date: Mon, 15 May 2023 10:44:17 -0700 Subject: Use bwrap --disable-userns if possible Newer bwrap has added the ability to disable additional nested user namespace creation from within the bwrap execution context. Take advantage of this feature in Zuul if we are able to in order to fortify Zuul's security position. In particular we need two conditions to take advantage of this. 1) bwrap must be new enough to support the feature (>=0.8.0) and 2) we must be running with user namespaces enabled. We explicitly check for both conditions and add the appropriate invocation flags to bwrap when the conditions are met. Change-Id: Idf933a0847cb8570b551892186ca9c0057be127f --- releasenotes/notes/bwrap-disable-userns-bbb3f3a2932415c4.yaml | 8 ++++++++ 1 file changed, 8 insertions(+) create mode 100644 releasenotes/notes/bwrap-disable-userns-bbb3f3a2932415c4.yaml (limited to 'releasenotes/notes') diff --git a/releasenotes/notes/bwrap-disable-userns-bbb3f3a2932415c4.yaml b/releasenotes/notes/bwrap-disable-userns-bbb3f3a2932415c4.yaml new file mode 100644 index 000000000..acf7b1f23 --- /dev/null +++ b/releasenotes/notes/bwrap-disable-userns-bbb3f3a2932415c4.yaml @@ -0,0 +1,8 @@ +--- +security: + - | + Zuul will execute bwrap with --disable-userns set if two conditions + hold. 1) The version of bwrap is 0.8.0 or newer and 2) User namespaces + are enabled in the zuul-executor runtime context. Doing so will + prevent the zuul-executor bwrap runtimes from creating additional + user namespaces which fortifies Zuul's security position. -- cgit v1.2.1
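Review bot: The `security:` entry in bwrap-disable-userns-bbb3f3a2932415c4.yaml lists the two conditions under which --disable-userns is set, but it does not say what an operator gets when either condition fails. As written, someone running a bwrap older than 0.8.0, or a zuul-executor runtime context without user namespaces, cannot tell from the note that their jobs run without this restriction. Suggest adding one sentence stating the behaviour in that case and that upgrading bwrap to 0.8.0 or newer is what enables the flag. The closing phrase "fortifies Zuul's security position" could also be dropped, since the preceding clause already says what is prevented: bwrap runtimes creating additional user namespaces. This view is limited to releasenotes/notes, so the version and namespace checks the commit message describes are not visible here and are not covered by this comment.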