Bug 669210 - sys-apps/bubblewrap should support the setuid priv-mode
Summary: sys-apps/bubblewrap should support the setuid priv-mode
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: Current packages (show other bugs)
Hardware: All Linux
: Normal normal
Assignee: Gentoo Linux Gnome Desktop Team
URL:
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2018-10-21 15:43 UTC by kfm
Modified: 2018-11-16 17:13 UTC (History)
0 users

See Also:
Package list:
Runtime testing required: ---


Description kfm 2018-10-21 15:43:30 UTC
Firstly, thank you for adding bubblewrap to portage. It has considerable utility above and beyond the fact that it is needed for gnome-3.26 to function correctly.

That said, forcibly configuring with --with-priv-mode=none is a mistake, not least because bwrap(1) is designed to be safely used as a setuid application. This packaging decision makes it impossible to use bwrap non-root without access to unprivileged user namespaces. Not only is this an objectionable requirement but, ironically, it also increases the kernel's attack surface [1] [2]. Consider what Alexander Larsson, the author of Flatpak, has to say [3]:

"We do use unprivileged user namespaces if we can, but many distributions disable them. The reason is that user namespaces open up a whole new attack surface against the kernel, allowing an unprivileged user access to lots of things that may not be perfectly adapted user access."

"If user namespaces are disabled, bubblewrap can be built as a setuid helper instead. This still only lets you use the same features as before, and in many ways it is actually *safer* this way."

I know that Debian and Ubuntu are among the notable distributions that he refers to, as is Arch Linux with its linux-hardened package. The method is to veto the CLONE_NEWUSER flag unless the "kernel.unprivileged_userns_clone" has been specifically set to a non-zero value. Unsurprisingly, they also enable the setuid mode. Personally, I disable CONFIG_USER_NS altogether.

In short, please provide a "suid" USE flag, as I do in the ebuild that I have used up until now [4]. I chose to make it an IUSE default but would not necessarily expect the same from the gentoo tree, even though I believe user namespaces to be dangerous. I just think that the choice should be available.

[1] https://lwn.net/Articles/673597/
[2] https://lwn.net/Articles/543273/ (there have been other examples)
[3] https://blogs.gnome.org/alexl/2017/01/18/the-flatpak-security-model-part-1-the-basics/
[4] https://github.com/kerframil/portage-overlay/blob/master/sys-apps/bubblewrap/bubblewrap-0.3.0-r1.ebuild
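As an added example (not part of the bug report, the ebuild, or the bubblewrap project): a small POSIX shell script that reads the two kernel knobs the report talks about and checks whether the installed bwrap carries the setuid bit, so an administrator can tell ahead of time whether unprivileged bwrap will work on a host and through which mechanism. It assumes that the Debian/Ubuntu/linux-hardened sysctl kernel.unprivileged_userns_clone appears as /proc/sys/kernel/unprivileged_userns_clone when that patch is present, and that /proc/sys/user/max_user_namespaces exists only on kernels built with CONFIG_USER_NS; the function names and the no-userns/userns-disabled/userns-enabled labels are my own, and "USE=suid" in the verdict is the flag name the report proposes.

```shell
#!/bin/sh
# Added example, not from the bug report or the bubblewrap project.
# Classifies a host's user-namespace situation and reports whether an
# unprivileged user can expect bwrap to work, and via which mechanism.

# userns_status CLONE MAX
#   CLONE: value of kernel.unprivileged_userns_clone, or "absent" when the
#          sysctl does not exist (vanilla kernels lack the distro patch)
#   MAX:   value of /proc/sys/user/max_user_namespaces, or "absent" when the
#          file does not exist (assumed to mean CONFIG_USER_NS=n)
# Prints exactly one of: no-userns, userns-disabled, userns-enabled
userns_status() {
    clone="$1"
    max="$2"
    if [ "$max" = absent ] || [ "$max" -eq 0 ] 2>/dev/null; then
        # No user namespaces at all, or the limit has been set to zero.
        echo no-userns
    elif [ "$clone" != absent ] && [ "$clone" -eq 0 ] 2>/dev/null; then
        # Kernel supports them, but the distro sysctl vetoes CLONE_NEWUSER
        # for unprivileged callers.
        echo userns-disabled
    else
        echo userns-enabled
    fi
}

# verdict STATUS SUID
#   STATUS: output of userns_status; SUID: "yes" if bwrap carries the setuid bit
verdict() {
    case "$1:$2" in
        userns-enabled:*) echo "unprivileged bwrap can use user namespaces (priv-mode none suffices)" ;;
        *:yes)            echo "unprivileged bwrap relies on the setuid helper" ;;
        *)                echo "unprivileged bwrap will fail: no user namespaces and no setuid helper (rebuild with the setuid priv-mode, e.g. USE=suid)" ;;
    esac
}

# Read a /proc file, or print "absent" when it is missing or unreadable.
read_or_absent() {
    if [ -r "$1" ]; then cat "$1"; else echo absent; fi
}

# Inspect the running host and print the classification and verdict.
probe_host() {
    clone=$(read_or_absent /proc/sys/kernel/unprivileged_userns_clone)
    max=$(read_or_absent /proc/sys/user/max_user_namespaces)
    bw=$(command -v bwrap 2>/dev/null || true)
    suid=no
    if [ -n "$bw" ] && [ -u "$bw" ]; then suid=yes; fi
    status=$(userns_status "$clone" "$max")
    echo "kernel.unprivileged_userns_clone=$clone max_user_namespaces=$max -> $status"
    echo "bwrap: ${bw:-not installed} (setuid: $suid)"
    echo "verdict: $(verdict "$status" "$suid")"
}

probe_host
```

Run it as an ordinary user on the host in question; the three-way split matters because "user namespaces compiled out" and "user namespaces compiled in but vetoed by sysctl" both leave a priv-mode=none bwrap unusable for non-root users, which is exactly the case the setuid build covers.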
Comment 1 Larry the Git Cow gentoo-dev 2018-11-16 17:13:33 UTC
The bug has been closed via the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=71022330c7696ed94cbb6b5af48f36a56bf3a066

commit 71022330c7696ed94cbb6b5af48f36a56bf3a066
Author:     Gilles Dartiguelongue <eva@gentoo.org>
AuthorDate: 2018-11-13 15:17:34 +0000
Commit:     Gilles Dartiguelongue <eva@gentoo.org>
CommitDate: 2018-11-16 17:13:17 +0000

    sys-apps/bubblewrap: reviewed ebuild
    
    Fix R/DEPEND. Add support for setuid and make it default per
    bug #669210. Use release tarballs. Fix bash-completion eclass call.
    
    Closes: https://bugs.gentoo.org/669210
    Package-Manager: Portage-2.3.51, Repoman-2.3.11
    Signed-off-by: Gilles Dartiguelongue <eva@gentoo.org>

 sys-apps/bubblewrap/Manifest                   |  1 +
 sys-apps/bubblewrap/bubblewrap-0.3.1-r1.ebuild | 45 ++++++++++++++++++++++++++
 2 files changed, 46 insertions(+)