This repository has been archived by the owner on Jun 24, 2023. It is now read-only.

Run gstreamer in a sandbox #12

Open
DemiMarie opened this issue Apr 30, 2021 · 2 comments
Labels
enhancement New feature or request

Comments

@DemiMarie
Collaborator

DemiMarie commented Apr 30, 2021

We can use bubblewrap to run the various gstreamer components in a tight sandbox based on seccomp and namespaces. This helps ensure that if an attacker does manage to exploit a vulnerability in gstreamer, it will be difficult to cause further damage.

@ElliotKillick
Owner

That's definitely a good idea. I've heard about (and used) sandboxes such as firejail in the past, but never bubblewrap. However, after reading the bubblewrap README, it appears to allow for superior isolation and is the better choice.

@ElliotKillick ElliotKillick added the enhancement New feature or request label May 1, 2021
@DemiMarie
Collaborator Author

Bubblewrap has a --die-with-parent feature, which can avoid the need for #11.
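
A sketch of the sandbox discussed in this thread, added as an example and not taken from the project or from either commenter: a shell wrapper that runs a GStreamer tool under bubblewrap with all namespaces unshared, `--die-with-parent`, and an optional seccomp filter. The function name, the `BWRAP` and `SECCOMP_BPF` variables, the `/input` mount point and the merged-`/usr` layout are assumptions.

```shell
#!/bin/sh
# Added example, not from the project. Assumes a merged-/usr distro.
# BWRAP (binary to run, default "bwrap") and SECCOMP_BPF (optional file with a
# precompiled seccomp BPF program) are names invented for this sketch.

# sandboxed_gst MEDIA_FILE CMD [ARG...]
# Runs CMD in new user/pid/net/ipc/uts/cgroup namespaces with a read-only
# /usr, a private /tmp, and MEDIA_FILE visible read-only as /input.
sandboxed_gst() {
    if [ "$#" -lt 2 ]; then
        echo "usage: sandboxed_gst MEDIA_FILE CMD [ARG...]" >&2
        return 2
    fi
    media=$1
    shift
    case $1 in
        -*) echo "sandboxed_gst: CMD must not look like a bwrap option" >&2
            return 2 ;;
    esac

    # Prepend the sandbox options to the command and its arguments.
    set -- \
        --unshare-all \
        --die-with-parent \
        --new-session \
        --clearenv \
        --setenv PATH /usr/bin \
        --setenv HOME /tmp \
        --ro-bind /usr /usr \
        --symlink usr/bin /bin \
        --symlink usr/lib /lib \
        --symlink usr/lib64 /lib64 \
        --proc /proc \
        --dev /dev \
        --tmpfs /tmp \
        --ro-bind "$media" /input \
        --chdir / \
        "$@"

    if [ -n "${SECCOMP_BPF:-}" ]; then
        # bwrap loads the compiled filter from the file descriptor given here.
        "${BWRAP:-bwrap}" --seccomp 9 "$@" 9<"$SECCOMP_BPF"
    else
        "${BWRAP:-bwrap}" "$@"
    fi
}

# Usage: sandboxed_gst ~/clip.webm gst-launch-1.0 filesrc location=/input ! decodebin ! fakesink
```

Because `--unshare-all` includes the network namespace and the only writable paths are tmpfs mounts, a compromised decoder has no network access and cannot modify the host filesystem.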
