Bubblewrap 0.6 arrives with support for Meson and more

The new version of the sandboxing tool Bubblewrap 0.6 has recently been released. It brings some important changes, such as support for building with Meson, partial support for the REUSE specification, and a few other changes.

For those who are unaware of Bubblewrap, you should know that it is a utility typically used to run individual applications in an isolated environment for non-privileged users. In practice, the Flatpak project uses Bubblewrap as the layer that isolates applications launched from its packages.

For isolation, Bubblewrap relies on the traditional Linux container virtualization technologies: cgroups, namespaces, Seccomp and SELinux. To perform the privileged operations needed to configure a container, Bubblewrap is started with root privileges (an executable with the setuid flag) and then drops those privileges once the container has been initialized.

About Bubblewrap

Bubblewrap is positioned as a limited setuid implementation of a subset of the user namespace functionality: to hide all user and process IDs from the environment except the current one, it uses the CLONE_NEWUSER and CLONE_NEWPID modes.

For additional protection, programs running in Bubblewrap are started in PR_SET_NO_NEW_PRIVS mode, which prohibits acquiring new privileges, for example through the setuid flag.

Isolation at the file system level is achieved by creating, by default, a new mount namespace in which an empty root partition is created using tmpfs.

If necessary, external file system sections are attached to this partition in «mount-bind» mode (for example, when started with the option «bwrap --ro-bind /usr /usr», the /usr section is forwarded from the host in read-only mode).

Network capabilities are limited to access to the loopback interface, with the network stack isolated via the CLONE_NEWNET and CLONE_NEWUTS flags.

The key difference from the similar Firejail project, which also uses a setuid launcher, is that in Bubblewrap the container layer includes only the minimum necessary features; all the advanced functions required to launch graphical applications, interact with the desktop and filter calls to PulseAudio are moved to the Flatpak side and run after privileges have been dropped.

Main novelties of Bubblewrap 0.6

In this new version, Bubblewrap 0.6, the highlight is the added support for the Meson build system. Support for building with Autotools has been preserved for now, but it is intended to be removed in favor of Meson in a future release.

Another novelty in Bubblewrap 0.6 is the new “--add-seccomp-fd” option, which makes it possible to add more than one seccomp program. A warning was also added: if the “--seccomp” option is specified more than once, only the last one is applied.

It is also noted that partial support for the REUSE specification has been added, which unifies the way license and copyright information is specified.

In addition, SPDX-License-Identifier headers were added to many source files. Following the REUSE guidelines makes it easy to automatically determine which license applies to which parts of the code.

On the other hand, a check of the command-line argument counter (argc) was added, with an emergency exit if the counter is zero. The change makes it possible to block security issues caused by incorrect handling of passed command-line arguments, such as CVE-2021-4034 in Polkit.
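As an added illustration (my own code, not Bubblewrap's) of the argc check described above: a minimal C version of the same guard for a setuid launcher, plus a constructed pointer layout that shows why an argc of zero matters. The function names argv_is_sane, program_name and demo_empty_argv are assumptions of this example.

```c
/* Added example, not bubblewrap's own code. POSIX guarantees argv[argc] == NULL,
 * but nothing guarantees argc >= 1: execve(path, {NULL}, envp) hands the callee
 * argc == 0, so argv[1] already lies past the terminating NULL and aliases
 * envp[0]. That is the CVE-2021-4034 (pkexec) pattern a launcher must refuse. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Return 1 if argv may safely be indexed as argv[0..argc-1], else 0. */
int argv_is_sane(int argc, char **argv)
{
    if (argc < 1 || argv == NULL || argv[0] == NULL)
        return 0;                 /* empty vector: the pkexec case */
    if (argv[argc] != NULL)
        return 0;                 /* vector is not NULL-terminated */
    return 1;
}

/* Name for diagnostics; never dereferences argv[0] when the vector is empty. */
const char *program_name(int argc, char **argv)
{
    return argv_is_sane(argc, argv) ? argv[0] : "bwrap-like";
}

/* Builds (in ordinary memory, no real exec) the contiguous layout the kernel
 * produces for an empty argv followed by envp, and returns 1 if the guard
 * rejects it while a conventional argument vector passes. */
int demo_empty_argv(void)
{
    char *env0 = "HOME=/root";                 /* constructed sample value */
    char *vec[] = { NULL, env0, NULL };        /* argv = {NULL}; envp follows */
    char **argv = vec;
    char **envp = vec + 1;
    int argc = 0;
    /* argv[argc + 1] is envp[0]: the out-of-bounds read the check prevents */
    int aliases = (argv[argc + 1] == envp[0]);
    char *good[] = { "bwrap", "--ro-bind", "/usr", "/usr", NULL };
    return aliases && !argv_is_sane(argc, argv) && argv_is_sane(4, good);
}

int main(int argc, char **argv)
{
    if (!argv_is_sane(argc, argv)) {
        fputs("refusing to run with an empty or malformed argument vector\n", stderr);
        return 1;
    }
    printf("%s: %d argument(s); empty-argv demo %s\n", program_name(argc, argv),
           argc - 1, demo_empty_argv() ? "rejected" : "NOT rejected");
    return 0;
}
```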

Among the other changes that stand out in this new version:

  • The master branch in the git repository has been renamed to main
  • Old CI integration has been removed
  • bash is now located via PATH, for better compatibility with non-FHS operating systems

Finally, if you are interested in learning a little more about this new version, you can check the details at the following link.
