Mount a new tmpfs on /tmp and drop all capabilities (!62) · Merge requests · jvoisin / mat2

madaidan requested to merge madaidan/mat2:bubblewrap into master Sep 21, 2019

This mounts a new tmpfs on /tmp so any files residing there would be hidden from the sandbox. Many programs store some files in there that might be useful to an attacker.

It also drops all capabilities incase it is ever run with extra capabilities for whatever reason.

Mount a new tmpfs on /tmp and drop all capabilities

Merge request reports