Mount a new tmpfs on /tmp and drop all capabilities

This mounts a new tmpfs on /tmp so any files residing there would be hidden from the sandbox. Many programs store some files in there that might be useful to an attacker. It also drops all capabilities incase it is ever run with extra capabilities for whatever reason.

Mount a new tmpfs on /tmp and drop all capabilities
58773088 · madaidan · jvoisin · 37145531 · 58773088 · 58773088
Commit 58773088 authored 5 years ago by madaidan Committed by jvoisin 5 years ago
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@@ -16,7 +16,7 @@ linting:bandit:
  script:  # TODO: remove B405 and B314
    - bandit ./mat2 --format txt --skip B101
    - bandit -r ./nautilus/ --format txt --skip B101
-    - bandit -r ./libmat2 --format txt --skip B101,B404,B603,B405,B314
+    - bandit -r ./libmat2 --format txt --skip B101,B404,B603,B405,B314,B108
 linting:codespell:
  image: $CONTAINER_REGISTRY:linting

--- a/libmat2/subprocess.py
+++ b/libmat2/subprocess.py
@@ -51,6 +51,7 @@ def _get_bwrap_args(tempdir: str,
        ['--dev', '/dev',
         '--proc', '/proc',
         '--chdir', cwd,
+         '--tmpfs', '/tmp',
         '--unshare-user-try',
         '--unshare-ipc',
         '--unshare-pid',
@@ -58,6 +59,7 @@ def _get_bwrap_args(tempdir: str,
         '--unshare-uts',
         '--unshare-cgroup-try',
         '--new-session',
+         '--cap-drop', 'all',
         # XXX: enable --die-with-parent once all supported platforms have
         # a bubblewrap recent enough to support it.
         # '--die-with-parent',