Bubblewrap, a tool for running applications in isolated environments

Bubblewrap is a tool for building sandboxes on Linux that can be used by unprivileged users at the application level. In practice, Bubblewrap is used by the Flatpak project as an intermediate layer to isolate applications launched from software packages.

For isolation, Bubblewrap relies on the virtualization technologies of traditional Linux containers: cgroups, namespaces, Seccomp and SELinux. To perform the privileged operations needed to configure a container, Bubblewrap starts with root privileges (the executable carries the suid flag) and drops them once the container has been initialized.

There is no need to enable user namespaces on the system (the feature that lets a container use its own set of IDs), which many distributions disable by default.

About Bubblewrap

Bubblewrap is positioned as a limited setuid implementation of a subset of the user namespaces functionality: it uses the CLONE_NEWUSER and CLONE_NEWPID modes to exclude all user and process IDs from the environment except the current one.

For additional protection, programs running in Bubblewrap start in PR_SET_NO_NEW_PRIVS mode, which prohibits acquiring new privileges, for example through the setuid flag.

Isolation at the file system level is achieved by creating, by default, a new mount namespace in which an empty root partition is created on tmpfs.

If necessary, external file system sections are attached to this root as bind mounts («mount-bind»). For example, when started with the option «bwrap --ro-bind /usr /usr», the /usr section is forwarded from the host in read-only mode.

Network access is limited to the loopback interface, with the network stack isolated via the CLONE_NEWNET and CLONE_NEWUTS flags.

The key difference from the similar Firejail project, which also uses a setuid launcher, is that in Bubblewrap the container layer includes only the minimum necessary features, while all the advanced functions required to launch graphical applications, interact with the desktop and filter calls to PulseAudio are moved to the Flatpak side and run after privileges have been dropped.

Firejail, on the other hand, combines all related functions into one executable file, which complicates auditing it and keeping its security at the proper level.

Bubblewrap basically works by creating an empty mount namespace on a temporary file system that is destroyed once the sandboxed process finishes.

Using command-line switches, the user builds the desired file system environment within the mount namespace by bind-mounting the chosen directories from the host system.
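As an added example (not from the article or the Bubblewrap project), the following POSIX shell function assembles such a sandbox from those switches: an empty tmpfs root, /usr forwarded read-only from the host, fresh /proc and /dev instances, a private /tmp, and every namespace unshared. The DRY_RUN variable and the function name are assumptions of this example, not Bubblewrap options.

```shell
#!/bin/sh
# Run "$@" inside a minimal read-only Bubblewrap sandbox.
# Everything not bound in below is simply absent from the sandbox,
# because the root is an empty tmpfs created by bwrap.
# DRY_RUN=1 (an assumption of this example) prints the bwrap command
# line instead of executing it, so the layout can be reviewed, or the
# function checked, on a host without bwrap installed.
sandbox_run() {
    # "$@" is expanded before set replaces the positional parameters,
    # so the caller's command is appended after the bwrap options.
    set -- \
        --ro-bind /usr /usr \
        --symlink usr/lib /lib \
        --symlink usr/lib64 /lib64 \
        --symlink usr/bin /bin \
        --symlink usr/sbin /sbin \
        --proc /proc \
        --dev /dev \
        --tmpfs /tmp \
        --unshare-all \
        --die-with-parent \
        --new-session \
        "$@"
    # --unshare-all leaves only the loopback interface reachable;
    # add --share-net before the command if the program needs the network.
    if [ "${DRY_RUN:-0}" = 1 ]; then
        printf 'bwrap %s\n' "$*"
        return 0
    fi
    bwrap "$@"
}

# Example: inspect identity and mounts from inside the sandbox.
if [ "${DRY_RUN:-0}" = 1 ] || command -v bwrap >/dev/null 2>&1; then
    sandbox_run /bin/sh -c 'id; cat /proc/self/mountinfo'
fi
```

Note that the host's /etc, /home and /var are not visible unless bound explicitly, which is the intended default: start from nothing and add only what the program needs.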

Bubblewrap 0.4.0

Bubblewrap is currently at version 0.4.0, which was recently released. The project code is written in C and distributed under the LGPLv2+ license.

The new version is notable for adding support for joining existing user and process namespaces (user namespaces and pid namespaces).

The flags "--userns", "--userns2" and "--pidns" have been added to control joining these namespaces.

This feature does not work in setuid mode: it requires a separate mode that runs without root privileges but needs user namespaces to be enabled on the system (they are disabled by default on Debian and RHEL/CentOS), and it does not rule out the exploitation of vulnerabilities that may remain in the "user namespaces" restrictions.

Among the other new features of Bubblewrap 0.4 are the possibility of building with the musl C library instead of glibc, and support for saving namespace information to a statistics file in JSON format.

The Bubblewrap code, as well as its documentation, can be consulted on GitHub at the following link.
