|
84 | 84 | <term><option>--version</option></term> |
85 | 85 | <listitem><para>Print version</para></listitem> |
86 | 86 | </varlistentry> |
| 87 | + <varlistentry> |
| 88 | + <term><option>--compat <arg choice="plain">compatability level</arg></option></term> |
| 89 | + <listitem><para>Set compatability level (negative value means latest)</para></listitem> |
| 90 | + </varlistentry> |
87 | 91 | <varlistentry> |
88 | 92 | <term><option>--args <arg choice="plain">FD</arg></option></term> |
89 | 93 | <listitem><para> |
|
145 | 149 | <listitem><para>After setting up the new namespace, switch into the specified namespace. For this to work the specified namespace must be a descendant of the user namespace used for the setup, so this is only useful in combination with --userns.</para> |
146 | 150 | <para>This is useful because sometimes bubblewrap itself creates nested user namespaces (to work around some kernel issues) and --userns2 can be used to enter these.</para></listitem> |
147 | 151 | </varlistentry> |
| 152 | + <varlistentry> |
| 153 | + <term><option>--allow-userns</option></term> |
| 154 | + <listitem><para> |
| 155 | + Allow the process in the sandbox to create further user namespaces, |
| 156 | + so that it can rearrange the filesystem namespace or do other more |
| 157 | + complex namespace modification. |
| 158 | + This option is only available in compatability level 1 or later. |
| 159 | + </para></listitem> |
| 160 | + </varlistentry> |
148 | 161 | <varlistentry> |
149 | 162 | <term><option>--disable-userns</option></term> |
150 | 163 | <listitem><para> |
|
157 | 170 | in the outer namespace. |
158 | 171 | This option requires <option>--unshare-user</option>, and doesn't work |
159 | 172 | in the setuid version of bubblewrap. |
| 173 | + This option is not available in compatability level 1 or later. |
160 | 174 | </para></listitem> |
161 | 175 | </varlistentry> |
162 | 176 | <varlistentry> |
|
455 | 469 | ignore members and objects that they do not understand. |
456 | 470 | </para></listitem> |
457 | 471 | </varlistentry> |
| 472 | + <varlistentry> |
| 473 | + <term><option>--no-new-session</option></term> |
| 474 | + <listitem><para> |
| 475 | + Don't create a new terminal session for the sandbox (don't call |
| 476 | + setsid()). This doesn't disconnect the sandbox from the controlling |
| 477 | + terminal which means the sandbox can for instance inject input into |
| 478 | + the terminal. This option is only available in compatability level 1 |
| 479 | + or later. |
| 480 | + </para><para> |
| 481 | + Note: In a general sandbox, if you use --no-new-session, it is |
| 482 | + recommended to use seccomp to disallow the TIOCSTI ioctl, otherwise |
| 483 | + the application can feed keyboard input to the terminal |
| 484 | + which can e.g. lead to out-of-sandbox command execution |
| 485 | + (see CVE-2017-5226). |
| 486 | + </para></listitem> |
| 487 | + </varlistentry> |
458 | 488 | <varlistentry> |
459 | 489 | <term><option>--new-session</option></term> |
460 | 490 | <listitem><para> |
461 | 491 | Create a new terminal session for the sandbox (calls setsid()). This |
462 | 492 | disconnects the sandbox from the controlling terminal which means |
463 | 493 | the sandbox can't for instance inject input into the terminal. |
| 494 | + This option is not available in compatability level 1 or later. |
464 | 495 | </para><para> |
465 | 496 | Note: In a general sandbox, if you don't use --new-session, it is |
466 | 497 | recommended to use seccomp to disallow the TIOCSTI ioctl, otherwise |
|
0 commit comments