system/bubblewrap: add non-setuid variant

bwrap(1) works out-of-box with no additional privileges if using the
--unshare-user argument on supported kernels such as easy-kernel, and in
fact it is desirable that it runs without setuid privileges in such cases
since it allows for the use of newuidmap(1) and newgidmap(1) to set custom
ID mappings inside the container. Otherwise, when --unshare-user is used
with a setuid bwrap(1), the permissions on the /proc entry for the process
will be privileged and newuidmap(1)/newgidmap(1) will fail.
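As an added example that is not part of this commit or of the bubblewrap project, the following POSIX shell check classifies a host by the three facts the message turns on: whether the bwrap binary is setuid, whether the kernel permits unprivileged user namespaces, and whether the user has a subordinate ID range for newuidmap(1)/newgidmap(1). The sysctl paths and /etc/subuid location are assumptions about the host; `classify` holds the pure decision logic so it can be exercised with constructed inputs.

```shell
#!/bin/sh
# Added example, not bubblewrap's own code. Decides which bwrap variant a
# host can use with --unshare-user and custom ID mappings.

# is_setuid PATH: succeeds if the setuid bit is set on PATH.
is_setuid() {
    [ -u "$1" ]
}

# has_subid_range USER FILE: succeeds if FILE (e.g. /etc/subuid, assumed
# path) grants USER a subordinate range, which newuidmap(1) requires.
has_subid_range() {
    grep -q "^$1:" "$2" 2>/dev/null
}

# userns_unprivileged_ok: succeeds if the kernel appears to allow
# unprivileged user namespaces. The first sysctl only exists on some
# distribution kernels (assumption); the second is the upstream limit.
userns_unprivileged_ok() {
    if [ -r /proc/sys/kernel/unprivileged_userns_clone ]; then
        [ "$(cat /proc/sys/kernel/unprivileged_userns_clone)" = "1" ] || return 1
    fi
    if [ -r /proc/sys/user/max_user_namespaces ]; then
        [ "$(cat /proc/sys/user/max_user_namespaces)" -gt 0 ] || return 1
    fi
    return 0
}

# classify SETUID USERNS SUBID (each "yes" or "no"): prints the variant.
#   non-setuid-mapped : non-setuid bwrap, custom mappings via newuidmap work
#   non-setuid        : non-setuid bwrap, only the identity mapping
#   setuid            : works, but newuidmap/newgidmap fail in --unshare-user
#   unusable          : non-setuid bwrap on a kernel that forbids user namespaces
classify() {
    if [ "$1" = no ] && [ "$2" = yes ]; then
        if [ "$3" = yes ]; then echo non-setuid-mapped; else echo non-setuid; fi
    elif [ "$1" = yes ]; then
        echo setuid
    else
        echo unusable
    fi
}

# check_host BWRAP_PATH USER: gathers the facts and classifies this host.
check_host() {
    s=no; u=no; r=no
    is_setuid "$1" && s=yes
    userns_unprivileged_ok && u=yes
    has_subid_range "$2" /etc/subuid && r=yes
    classify "$s" "$u" "$r"
}
```

Run as `check_host /usr/bin/bwrap "$(id -un)"` (path assumed) to see which case the message describes applies to the current machine.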