
Newer bwrap has added the ability to disable additional nested user namespace creation from within the bwrap execution context. Take advantage of this feature in Zuul if we are able to in order to fortify Zuul's security position.

In particular we need two conditions to take advantage of this. 1) bwrap must be new enough to support the feature (>=0.8.0) and 2) we must be running with user namespaces enabled. We explicitly check for both conditions and add the appropriate invocation flags to bwrap when the conditions are met.

Change-Id: Idf933a0847cb8570b551892186ca9c0057be127f
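The two-condition gate described in the commit message, sketched in Python as an added example; this is not Zuul's own code. The function names, the `/proc/sys/user/max_user_namespaces` probe and the returned flag list are assumptions of this example; `--unshare-user` is included because bubblewrap documents `--disable-userns` as requiring it.

```python
import re
from pathlib import Path

# First bwrap release with --disable-userns, per the commit message.
MIN_VERSION = (0, 8, 0)


def parse_bwrap_version(output):
    """Parse `bwrap --version` output such as 'bubblewrap 0.8.0'.

    Returns an integer tuple so 0.10.0 compares newer than 0.8.0
    (a string comparison would get that wrong), or None if unparsable.
    """
    match = re.search(r"(\d+)\.(\d+)\.(\d+)", output)
    return tuple(int(part) for part in match.groups()) if match else None


def userns_enabled(proc_root="/proc"):
    """Assumption: user namespaces count as enabled when the kernel limit
    user.max_user_namespaces is readable and greater than zero."""
    try:
        text = Path(proc_root, "sys/user/max_user_namespaces").read_text()
        return int(text.strip()) > 0
    except (OSError, ValueError):
        return False


def userns_hardening_args(version_output, userns_ok):
    """Return the extra bwrap flags only when both conditions hold;
    otherwise return [] so the caller runs bwrap without them."""
    version = parse_bwrap_version(version_output)
    if version is None or version < MIN_VERSION or not userns_ok:
        return []
    return ["--unshare-user", "--disable-userns"]


if __name__ == "__main__":
    import shutil
    import subprocess

    exe = shutil.which("bwrap")
    out = ""
    if exe:
        out = subprocess.run([exe, "--version"],
                             capture_output=True, text=True).stdout
    print(userns_hardening_args(out, userns_enabled()))
```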
---
security:
  - |
    Zuul will execute bwrap with --disable-userns set if two conditions
    hold. 1) The version of bwrap is 0.8.0 or newer and 2) User namespaces
    are enabled in the zuul-executor runtime context. Doing so will
    prevent the zuul-executor bwrap runtimes from creating additional
    user namespaces which fortifies Zuul's security position.
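Review bot: the security note states when --disable-userns is set ("if two conditions hold") but not what happens when either condition fails, so an operator on an older bwrap or with user namespaces disabled cannot tell from this text that the executor continues without the hardening. Suggest adding a sentence that states the fallback behaviour explicitly and, if the executor reports which mode it chose, where an operator can see that, so deployments can confirm whether the protection is active.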