Ubuntu does enable unprivileged userns by default (at least on desktop installs?), but there's at least one exception to watch out for: the lightdm "guest session" option applies an AppArmor policy that allows CLONE_NEWUSER but denies any use of the resulting capabilities; see also https://bugzilla.mozilla.org/show_bug.cgi?id=1434528 where we ran into that with Firefox. There's an exception for Chromium's sandbox, so in principle that could also be done for bubblewrap.
** Bug watch added: Mozilla Bugzilla #1434528 https://bugzilla.mozilla.org/show_bug.cgi?id=1434528 -- You received this bug notification because you are a member of Desktop Packages, which is subscribed to bubblewrap in Ubuntu. https://bugs.launchpad.net/bugs/1709164 Title: [MIR] bubblewrap Status in bubblewrap package in Ubuntu: Triaged Bug description: Availability ============ Built for all supported architectures. In sync with Debian. Rationale ========= The gnome-desktop3 library 3.25.90+ requires bubblewrap. bubblewrap is most commonly used as part of Flatpak's security isolation feature. Here it's being used to sandbox the thumbnailers. See https://git.gnome.org/browse/gnome-desktop/log (changes from 3.25.4 to 3.25.90) The bubblewrap feature was disabled in Ubuntu 17.10's gnome-desktop3 package because this MIR was not processed. Security ======== No known open security vulnerabilities in any Ubuntu releases. https://security-tracker.debian.org/tracker/source-package/bubblewrap I helped prepare a security update (LP: #1657357) (CVE-2017-5226) for bubblewrap/flatpak several months ago. Security-sensitive package. Quality assurance ================= Bug subscriber: should be Ubuntu Desktop Bugs https://bugs.launchpad.net/ubuntu/+source/bubblewrap https://bugs.debian.org/cgi-bin/pkgreport.cgi?src=bubblewrap https://github.com/projectatomic/bubblewrap/issues dh_auto_test runs the build tests but they appear to be set as SKIP upstream. (See comment #4) Multiple autopkgtests passing on all Ubuntu architectures. Because the tests require machine isolation, the autopkgtests don't run on Debian's infrastructure currently. Dependencies ============ check-mir reports all other binary dependencies are in main Standards compliance ==================== 4.0.0 Maintenance =========== - Actively developed upstream https://github.com/projectatomic/bubblewrap - Maintained in Debian by the pkg-utopia team but more specifically, it is maintained by Simon McVittie (smcv) who also maintains Flatpak and ostree in Debian and Ubuntu. short dh7 style rules, dh compat 10 Background information ====================== William Hua (attente) had been working last year on a snapcraft plugin that used bubblewrap. So maybe more stuff will use bubblewrap in the future. To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/bubblewrap/+bug/1709164/+subscriptions -- Mailing list: https://launchpad.net/~desktop-packages Post to : [email protected] Unsubscribe : https://launchpad.net/~desktop-packages More help : https://help.launchpad.net/ListHelp
