Firstly, thank you for adding bubblewrap to portage. It has considerable utility above and beyond the fact that it is needed for gnome-3.26 to function correctly. That said, forcibly configuring with --with-priv-mode=none is a mistake, not least because bwrap(1) is designed to be safely used as a setuid application. This packaging decision makes it impossible to use bwrap non-root without access to unprivileged user namespaces. Not only is this an objectionable requirement but, ironically, it also increases the kernel's attack surface [1] [2].

Consider what Alexander Larsson, the author of Flatpak, has to say [3]:

"We do use unprivileged user namespaces if we can, but many distributions disable them. The reason is that user namespaces open up a whole new attack surface against the kernel, allowing an unprivileged user access to lots of things that may not be perfectly adapted user access."

"If user namespaces are disabled, bubblewrap can be built as a setuid helper instead. This still only lets you use the same features as before, and in many ways it is actually *safer* this way."

I know that Debian and Ubuntu are among the notable distributions that he refers to, as is Arch Linux with its linux-hardened package. The method is to veto the CLONE_NEWUSER flag unless the "kernel.unprivileged_userns_clone" has been specifically set to a non-zero value. Unsurprisingly, they also enable the setuid mode. Personally, I disable CONFIG_USER_NS altogether.

In short, please provide a "suid" USE flag, as I do in the ebuild that I have used up until now [4]. I chose to make it an IUSE default but would not necessarily expect the same from the gentoo tree, even though I believe user namespaces to be dangerous. I just think that the choice should be available.
[1] https://lwn.net/Articles/673597/
[2] https://lwn.net/Articles/543273/ (there have been other examples)
[3] https://blogs.gnome.org/alexl/2017/01/18/the-flatpak-security-model-part-1-the-basics/
[4] https://github.com/kerframil/portage-overlay/blob/master/sys-apps/bubblewrap/bubblewrap-0.3.0-r1.ebuild
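The report above describes three distinct ways a host can end up without unprivileged user namespaces (CONFIG_USER_NS=n, the Debian/Ubuntu/Arch-hardened kernel.unprivileged_userns_clone sysctl, and bwrap simply not being installed setuid). The following script is an added example, not code from the bug report, from the linked ebuild or from the bubblewrap project: it classifies which of those gates is in effect and whether a given bwrap binary carries the setuid bit. It goes slightly beyond the text in also checking the upstream user.max_user_namespaces limit. Assumptions: a Linux /proc layout, the sysctl names as quoted, util-linux unshare(1) for the optional live probe, and the bwrap paths in main() as plausible install locations.

```sh
#!/bin/sh
# Added example (not from the bug report or the Gentoo ebuild): report how a
# host gates unprivileged user namespaces and whether a bwrap binary is setuid.
# Assumes a Linux /proc layout. $1 is an optional root prefix (default: the
# live system) so the same logic can be run against a constructed tree.

userns_policy() {
    root=${1:-}
    sysctl_dir="$root/proc/sys"
    # CONFIG_USER_NS=n: the kernel exposes no user namespace at all.
    if [ ! -e "$root/proc/self/ns/user" ]; then
        echo "disabled-in-kernel"
        return 0
    fi
    # Distribution patch (Debian, Ubuntu, Arch linux-hardened): CLONE_NEWUSER is
    # refused for unprivileged callers unless this sysctl is non-zero.
    gate="$sysctl_dir/kernel/unprivileged_userns_clone"
    if [ -r "$gate" ] && [ "$(cat "$gate")" = "0" ]; then
        echo "gated-off"
        return 0
    fi
    # Upstream limit (not mentioned in the report): 0 blocks creation too.
    limit="$sysctl_dir/user/max_user_namespaces"
    if [ -r "$limit" ] && [ "$(cat "$limit")" = "0" ]; then
        echo "limit-zero"
        return 0
    fi
    echo "available"
}

# True when the file carries the set-user-ID bit. A build done with
# --with-priv-mode=none must not have it; a setuid build needs it and the
# file must be owned by root (reported separately by main below).
bwrap_is_setuid() {
    [ -u "$1" ]
}

# Optional live probe: can this process actually create a user namespace?
# Uses util-linux unshare(1); prints "unknown" if it is not installed.
userns_probe() {
    command -v unshare >/dev/null 2>&1 || { echo unknown; return 0; }
    if unshare -Ur true 2>/dev/null; then echo yes; else echo no; fi
}

main() {
    printf 'policy: %s\n' "$(userns_policy)"
    printf 'probe:  %s\n' "$(userns_probe)"
    # Candidate install locations are an assumption of this example.
    for b in /usr/bin/bwrap /usr/local/bin/bwrap; do
        [ -x "$b" ] || continue
        if bwrap_is_setuid "$b"; then
            printf '%s: setuid (owner %s)\n' "$b" "$(ls -ld "$b" | awk '{print $3}')"
        else
            printf '%s: not setuid, requires unprivileged user namespaces\n' "$b"
        fi
    done
}

main
```

A host that prints "gated-off" or "disabled-in-kernel" together with "not setuid" is exactly the combination the report complains about: a --with-priv-mode=none bwrap that cannot work for an unprivileged user. The "probe" line is the ground truth; the "policy" line explains why.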
The bug has been closed via the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=71022330c7696ed94cbb6b5af48f36a56bf3a066

commit 71022330c7696ed94cbb6b5af48f36a56bf3a066
Author:     Gilles Dartiguelongue <eva@gentoo.org>
AuthorDate: 2018-11-13 15:17:34 +0000
Commit:     Gilles Dartiguelongue <eva@gentoo.org>
CommitDate: 2018-11-16 17:13:17 +0000

    sys-apps/bubblewrap: reviewed ebuild

    Fix R/DEPEND. Add support for setuid and make it default per bug #669210.
    Use release tarballs. Fix bash-completion eclass call.

    Closes: https://bugs.gentoo.org/669210
    Package-Manager: Portage-2.3.51, Repoman-2.3.11
    Signed-off-by: Gilles Dartiguelongue <eva@gentoo.org>

 sys-apps/bubblewrap/Manifest                   |  1 +
 sys-apps/bubblewrap/bubblewrap-0.3.1-r1.ebuild | 45 ++++++++++++++++++++++++++
 2 files changed, 46 insertions(+)