This only works for post-install script attacks. When the package is compromised, just running require somewhere in your code will be enough, and that runs with node/java/python and no bwrap.
reply
node is also sandboxed within bwrap. I have `sandbox -p node` if I have to give node access to other folders, I also have `sandbox -m` to define custom mountpoints if necessary, and `UNSAFE=1` as a last resort, which just runs unsandboxed.
reply
Check also https://github.com/wrr/drop which is a higher-level tool than bwrap. It allows you to make such isolated sandboxes with minimal configuration.
reply
This looks nice but I wouldn't trust a very fresh tool to do security correctly.

As a higher-level alternative to bwrap, I sometimes use `flatpak run --filesystem=$PWD --command=bash org.freedesktop.Platform`. This is kind of an abuse of flatpaks but works just fine to make a sandbox. And unlike bwrap, it has sane defaults (no extra permissions, not even network, though it does allow xdg-desktop-portal).

reply
Shame it's not a bit more mature, it does look more like the sort of thing I want. I use firejail a bit, but it's a bit awkward really.

To be honest - and I can't really believe I'm saying it - what I really want is something more like Android permissions. (Except more granular file permissions, which Android doesn't do at all well.) Like: start with nothing, app is requesting x access, allow it this time; oh alright fine always allow it. Central place to manage it later. Etc.

reply
I think firejail is a much more flexible security sandbox than bwrap. It also comes with pre-defined profiles.
reply
bwrap is as secure as you want it to be which I think is the primary advantage over anything else.
reply
I like the idea of bubblewrap, but my pain point is that it is work to set it up correctly with bind mounts and forwarding necessary environment variables to make the program actually work usefully. Could you share your pip bwrap configuration? It sounds useful.
reply
Can't really share a file here, feel free to email me.
reply
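An added example, not any commenter's configuration: a minimal bwrap wrapper showing the bind mounts and environment forwarding discussed above, applied to the runtime itself (so code executed at `require`/import time is confined too) and leaving `SSH_AUTH_SOCK` out of the sandbox. The names `sandbox_cmd` and `SANDBOX_DRY_RUN` are hypothetical, and a merged-/usr distro layout is assumed.

```shell
#!/bin/sh
# Added example (not from the thread). Assumes a merged-/usr distro
# (/bin, /lib, /lib64 are symlinks into /usr) and bwrap >= 0.5 for --clearenv.
#
# sandbox_cmd PROJECT_DIR CMD [ARGS...]
#   Runs CMD with read-only system files, an empty home directory, and
#   write access to PROJECT_DIR only. With SANDBOX_DRY_RUN=1 the bwrap
#   argv is printed one item per line instead of being executed.
sandbox_cmd() {
    proj=$1
    shift
    home=${HOME:?HOME must be set}

    # bwrap applies mount operations in order: the tmpfs over $HOME must come
    # before the project bind, or it would hide a project living under $HOME.
    set -- \
        --unshare-all --share-net \
        --die-with-parent --new-session \
        --ro-bind /usr /usr \
        --symlink usr/bin /bin \
        --symlink usr/lib /lib \
        --symlink usr/lib64 /lib64 \
        --ro-bind-try /etc/resolv.conf /etc/resolv.conf \
        --ro-bind-try /etc/ssl /etc/ssl \
        --proc /proc --dev /dev \
        --tmpfs /tmp \
        --tmpfs "$home" \
        --bind "$proj" "$proj" \
        --chdir "$proj" \
        --clearenv \
        --setenv PATH /usr/bin \
        --setenv HOME "$home" \
        --setenv TERM "${TERM:-dumb}" \
        -- "$@"
    # --clearenv drops every inherited variable (tokens, SSH_AUTH_SOCK, ...);
    # only the three --setenv values above reach the sandboxed process.
    # --share-net keeps network access for package downloads; remove it to
    # run already-installed code offline.

    if [ "${SANDBOX_DRY_RUN:-0}" = 1 ]; then
        printf '%s\n' bwrap "$@"
    else
        bwrap "$@"
    fi
}
```

For example, `sandbox_cmd "$PWD" npm install` followed by `sandbox_cmd "$PWD" node index.js` keeps both the install scripts and the later `require` calls inside the same confinement.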
I wrote a Docker-based sandbox [1] for myself last year to control the blast radius of such malicious packages.

[1] https://github.com/ashishb/amazing-sandbox

reply
AFAIK Maven doesn’t support post-install logic like npm does. You have to explicitly opt in with build plugins. It doesn’t let any arbitrary dependency run code on your machine.
reply
Some post processors have chains to execution (ex: lombok).
reply
You explicitly opt in by using a compiler plugin. Merely having it as a dependency, like in npm, doesn’t mean it can run code at build time.
reply
> SSH is forwarded via socket

Maybe I misunderstood this point. But the ssh socket also gives access to your private keys, so I see no security gain in that point. Better to have a password protected key.

reply
It's so your private key is not stolen, but you're right, passphrase-protected keys win anyway. I use hardware keys so this isn't a problem for me to begin with.
reply
Do you have a recommendation for something like bwrap but for macOS? I've been trying to use bwrap more on my servers when I remember.
reply
Unfortunately not, but there is work being done to support overlays properly I think?
reply