> bubblewrap is setuid Doesn't Ubuntu have unprivileged userns available, just like e.g. Fedora? If so, then bwrap isn't setuid, and offers no more attack surface than the kernel does to every process (that doesn't have access to CLONE_NEWUSER denied via e.g. seccomp, as e.g. Docker does by default for its containers).
-- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1709164 Title: [MIR] bubblewrap To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/bubblewrap/+bug/1709164/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
