@sertonix@social.treehouse.systems
Posts


  • couldn't `bwrap` be a small shell script around `unshare`?
    sertonix@social.treehouse.systems

    @navi @fiore

    > i'd like examples of what those are, for this specific usecase, because all setup happens before the target untrusted application is even started

    I don't know a concrete example, it's just a guess. One might need to open fds to pass around data. In POSIX shell that typically requires fixed fd numbers. If there is C code which wants to pass a fd into the sandbox it might happen to be the same as the one used in the shell code and some data ends up in places it wasn't supposed to.

    As far as I can tell you are also assuming a shell to be available in the new user namespace. I have used bwrap in ways where this was not the case.

    Uncategorized

  • couldn't `bwrap` be a small shell script around `unshare`?
    sertonix@social.treehouse.systems

    @navi @fiore

    My experience with shell scripts says that it can't cover the same use case as bubblewrap since bwrap can be suid/setcap if the distribution kernel requires it and being a security component will sooner or later require protection against a race condition (or similar) that is impossible to fix in shell. Aside from that the C code could be made more trimmed, yes.

    Uncategorized

  • we still have not gotten around to making any decision on this age verification nonsense
    sertonix@social.treehouse.systems

    @ariadne

    I am wondering if it would be enough to ask everybody who complains to pay a lawyer so that they can actually give legal advice. Before that we don't know what the compliant would be and we change nothing.

    Uncategorized