bwrap 1.0.0.pre.beta1 → 1.0.0.pre.beta2

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: db6e7253c0a896975954c0d649c68321958ade750f891f353ba30b9ea58880cb
-  data.tar.gz: 90f384499e8727660b9810711e0237ce604f8ef219ed415c210db16bcd764804
+  metadata.gz: 807b5065d9a5615be9910e52bf7beed12faf271a6aa533de71fe925d759d68c3
+  data.tar.gz: a3ed8130aac69442f2175b9035aa34392b462fcc3934e3e7a69081b2b936b8f7
 SHA512:
-  metadata.gz: 03e6873b068e52bc0c9fbbc072f9fc1a411696ca3c09aabcee05c8e660e5a210030c13fab84348aee720e7bd431600a0b18c3be124dfcb955ac95c250d83aeec
-  data.tar.gz: 4183575c47d740dd74c88995add7b87366299e75b4a8edaa89c20d422cd73cbd957b411e5bd51b9c9eabcd3881d8af1ba85922ce806b2387d75a0f30d8abd377
+  metadata.gz: 66131023be01339b797c21615ce32b5aa639fd0599590724f9262f8393d2cc9226c1bfa87bfad37dba751bac15d6b6fc9efa3babd168cc2f40973f8a5729f9cd
+  data.tar.gz: fcf5fdd36a7728e84502e33efb86d43ce08d44732f0c070ecdaa54b5bbc15a35749238fd79084b688baedd605b98252c59fdaee61ef4434ea967deb00f10a577

data/CHANGELOG.md

@@ -1,5 +1,14 @@
 # Changes
 
+## 1.0.0-beta2 (02.02.2022)
+
+* Added nscd feature
+* Added gem_env_paths to ruby feature
+* If Config#root is set, set working directory to /
+* Execution#execvalue: Allow setting log: true
+* Execution#execvalue: pass all kwargs as kwargs to execute()
+* Output::Log: Don’t die if log file can’t be written to
+
 ## 1.0.0-beta1 (12.12.2021)
 
 * optimist gem is now optional dependency

data/lib/bwrap/args/bind/library.rb

@@ -8,6 +8,9 @@ require_relative "mime"
 class Bwrap::Args::Bind
   # TODO: documentation
   #
+  # TODO: It may be that this should be renamed to “Binary” or ”Executable”, as this
+  # handles all binaries, not just libraries.
+  #
   # @api private
   class Library
     include Bwrap::Execution::Path
@@ -28,6 +31,47 @@ class Bwrap::Args::Bind
 
     attr_writer :executable_path
 
+    # Ruby feature implementation specific class.
+    #
+    # @api private
+    class RubyBinds
+      # Instance of {Bwrap::Config}.
+      attr_writer :config
+
+      def initialize args
+        @args = args
+      end
+
+      def ruby_binds_for_features
+        return unless @config and @config.features.ruby.enabled?
+
+        @mounts = []
+
+        # Mount some common Ruby executables.
+
+        # This is most often /usr/bin.
+        bindir = Pathname.new RbConfig::CONFIG["bindir"]
+
+        path = bindir / "ruby"
+        if File.exist? path
+          @mounts << "--ro-bind" << path.to_s << path.to_s
+        end
+
+        gem_binds bindir
+
+        @args += @mounts
+      end
+
+      private def gem_binds bindir
+        return unless @config.features.ruby.gem_env_paths?
+
+        path = bindir / "gem"
+        return unless File.exist? path
+
+        @mounts << "--ro-bind" << path.to_s << path.to_s
+      end
+    end
+
     def initialize args
       @args = args
     end
@@ -92,6 +136,17 @@ class Bwrap::Args::Bind
       @args.append library_mounts
     end
 
+    # Some features, like {Bwrap::Config::Features::Nscd}, requires some binds
+    # in order to operate properly.
+    def binds_for_features
+      # NOTE: Still nothing here, as I think this is better for library binds than anything else.
+      # The nscd bind is better in another, more generic, place.
+      #
+      # Keeping this method because I think this really makes sense for structure, in future.
+
+      ruby_binds_for_features
+    end
+
     # Used by {#libs_command_requires}.
     private def resolve_executable_name command
       if command.is_a? String
@@ -121,5 +176,13 @@ class Bwrap::Args::Bind
 
       which executable_name, env_path_var: env_path
     end
+
+    private def ruby_binds_for_features
+      return unless @config.features.ruby.enabled?
+
+      binds = RubyBinds.new @args
+      binds.config = @config
+      binds.ruby_binds_for_features
+    end
   end
 end

data/lib/bwrap/args/bind.rb

@@ -79,6 +79,8 @@ class Bwrap::Args::Bind
 
     library_bind = construct_library_bind
 
+    binds_for_features
+    library_bind.binds_for_features
     library_bind.extra_executables_mounts
 
     return unless @config.full_system_mounts
@@ -95,7 +97,7 @@ class Bwrap::Args::Bind
       binds << "--ro-bind" << source_path.to_s << destination_path.to_s
     end
 
-    @args.append binds
+    @args.append binds unless binds.empty?
   end
 
   # Performs cleanup operations after execution.
@@ -131,4 +133,9 @@ class Bwrap::Args::Bind
 
     library_bind
   end
+
+  # Binds feature specific common directories.
+  private def binds_for_features
+    # Nya.
+  end
 end

data/lib/bwrap/args/environment.rb

@@ -1,15 +1,23 @@
 # frozen_string_literal: true
 
+require "bwrap/execution"
 require "bwrap/output"
 require_relative "args"
 
 # Environment variable calculation for bwrap.
 class Bwrap::Args::Environment < Hash
+  include Bwrap::Execution
   include Bwrap::Output
 
   # Instance of {Config}.
   attr_writer :config
 
+  def initialize
+    super
+
+    self["PATH"] ||= []
+  end
+
   # Returns used environment variables wrapped as bwrap arguments.
   def environment_variables
     if debug?
@@ -31,11 +39,11 @@ class Bwrap::Args::Environment < Hash
   # @return [Array] All environment paths added via {Config#add_env_path} and other parsing logic
   def env_paths
     if @config.env_paths.respond_to? :each
-      self["PATH"] ||= []
-
       self["PATH"] |= @config.env_paths
     end
 
+    features_env_paths
+
     self["PATH"]
   end
 
@@ -43,8 +51,6 @@ class Bwrap::Args::Environment < Hash
   #
   # @param elements [String, Array] Path(s) to be added added to PATH environment variable
   def add_to_path elements
-    self["PATH"] ||= []
-
     if elements.respond_to? :each
       self["PATH"] += elements
     else
@@ -52,4 +58,25 @@ class Bwrap::Args::Environment < Hash
       self["PATH"] << elements
     end
   end
+
+  # Feature specific environment path handling.
+  private def features_env_paths
+    ruby_env_paths
+  end
+
+  # Ruby feature specific environment path handling.
+  private def ruby_env_paths
+    return unless @config.features.ruby.enabled?
+    return unless @config.features.ruby.gem_env_paths?
+
+    unless command_available? "gem"
+      warn "gem is not installed in the system, so can’t add its bindirs to PATH."
+      return
+    end
+
+    gempath = execvalue %w{ gem environment gempath }
+    gempath.split(":").each do |path|
+      self["PATH"] << "#{path}/bin"
+    end
+  end
 end

data/lib/bwrap/args/features.rb

@@ -29,6 +29,22 @@ class Bwrap::Args::Features < Hash
     end
   end
 
+  # Implementation for nscd feature set.
+  #
+  # @api private
+  class NscdBinds
+    # Custom binds needed by the feature.
+    def custom_binds
+      mounts = []
+
+      # TODO: Probably some path checking is needed here. Or somewhere.
+      # TODO: Since on many systems /var/run is symlinked to /run, that probably should be handled.
+      mounts << "--ro-bind" << "/var/run/nscd" << "/var/run/nscd"
+
+      mounts
+    end
+  end
+
   # Implementation for Ruby feature set.
   #
   # @api private
@@ -79,6 +95,7 @@ class Bwrap::Args::Features < Hash
   # - ruby
   def feature_binds
     bash_binds
+    nscd_binds
     ruby_binds
   end
 
@@ -90,6 +107,14 @@ class Bwrap::Args::Features < Hash
     @args.append binds.bash_mounts
   end
 
+  private def nscd_binds
+    return unless @config.features.nscd.enabled?
+
+    binds = NscdBinds.new
+
+    @args.append binds.custom_binds
+  end
+
   # @note This does not allow development headers needed for compilation for now.
   #   I’ll look at it after I have an use for it.
   private def ruby_binds

data/lib/bwrap/args/machine_id.rb

@@ -25,7 +25,7 @@ class Bwrap::Args::MachineId
     # Returning [] means that execute() will ignore this fully.
     # Nil would be converted to empty string, causing spawn() to pass it as argument, causing
     # bwrap to misbehave.
-    return unless @config.machine_id
+    return unless @config&.machine_id
 
     machine_id = @config.machine_id
 
@@ -52,10 +52,10 @@ class Bwrap::Args::MachineId
     debug "Using random machine id as /etc/machine-id"
 
     @machine_id_file = Tempfile.new "bwrap-random_machine_id-", @config.tmpdir
-    @machine_id_file.write SecureRandom.uuid.delete("-", "")
+    @machine_id_file.write SecureRandom.uuid.tr("-", "")
     @machine_id_file.flush
 
-    %W{ --ro-bind-data #{machine_id_file.fileno} /etc/machine-id }
+    %W{ --ro-bind-data #{@machine_id_file.fileno} /etc/machine-id }
   end
 
   # Uses `10000000000000000000000000000000` as machine id.
@@ -80,6 +80,8 @@ class Bwrap::Args::MachineId
   end
 
   # Uses file inside sandbox directory as machine id.
+  #
+  # TODO: I kind of want to deprecate this one. It may make sense, but eh... Let’s see.
   private def machine_id_inside_sandbox_dir sandbox_directory
     machine_id_file = "#{sandbox_directory}/machine-id"
 

data/lib/bwrap/args/mount.rb

@@ -10,6 +10,7 @@ module Bwrap::Args::Mount
 
     debug "Binding #{@config.root} as /"
     @args.append %W{ --bind #{@config.root} / }
+    @args.append %w{ --chdir / }
   end
 
   # Arguments for mounting devtmpfs to /dev.

data/lib/bwrap/bwrap.rb

@@ -2,6 +2,7 @@
 
 #require "deep-cover" if ENV["DEEP_COVER"]
 
+require_relative "bwrap_module"
 require "bwrap/version"
 require "bwrap/args/construct"
 require "bwrap/config"

data/lib/bwrap/bwrap_module.rb

@@ -0,0 +1,26 @@
+# frozen_string_literal: true
+
+# ruby-bwrap provides easy-to-use interface to run complex programs in sandboxes created with
+# {https://github.com/containers/bubblewrap bubblewrap}.
+#
+# To run a program inside bubblewrap, a wrapper executable can be created. For example:
+#
+#     require "bwrap"
+#
+#     config = Bwrap::Config.new
+#     config.user = "dummy_user"
+#     config.full_system_mounts = true
+#     config.binaries_from = %w{
+#       /bin
+#       /usr/bin
+#     }
+#
+#     bwrap = Bwrap::Bwrap.new config
+#     bwrap.parse_command_line_arguments
+#     bwrap.run "/bin/true"
+#
+# There also are few generic utilities, {Bwrap::Output} for handling output of scripts and
+# {Bwrap::Execution} to run executables.
+module Bwrap
+  # Empty module.
+end

data/lib/bwrap/config/features.rb

@@ -3,41 +3,72 @@
 class Bwrap::Config
   # Methods to enable or disable feature sets to control various aspects of sandboxing.
   class Features
-    # Defines Bash feature set.
-    class Bash
+    # @abstract
+    #
+    # Base of all features.
+    class Base
+      # @param features [Bwrap::Config::Features] Instance of features object in {Config}
+      def initialize features
+        @features = features
+      end
+
+      # Checks if the feature has been enabled.
+      #
+      # @return [Boolean] whether feature is enabled
       def enabled?
         @enabled
       end
 
+      # Enable the feature.
       def enable
         @enabled = true
       end
 
-      # Disable Bash feature set.
+      # Disable the feature.
       def disable
         @enabled = false
       end
     end
 
+    # Defines Bash feature set.
+    class Bash < Base
+      # Nya.
+    end
+
+    # Defines Nscd feature set.
+    #
+    # nscd is short of name service cache daemon. It may make sense to
+    # have this class under another name, but I don’t know how nscd specific
+    # this feature can be, so this name it is for now.
+    class Nscd < Base
+      # Nya.
+    end
+
     # Defines Ruby feature set.
-    class Ruby
+    #
+    # Implies {Nscd} feature.
+    class Ruby < Base
       # Extra libraries to be loaded from `RbConfig::CONFIG["rubyarchdir"]`.
       #
       # @note This is only required to be called if extra dependencies are necessary.
       #     For example, psych.so requires libyaml.so.
       #
-      # @note There is stdlib= method also. Yardoc is broken.
-      #
       # @return [Array] list of needed libraries.
+      #
+      # @overload stdlib
+      # @overload stdlib=(libs)
       attr_reader :stdlib
 
-      def initialize
+      def initialize features
+        super features
+
+        @gem_env_paths = true
         @stdlib = []
       end
 
-      # @see enabled=
-      def enabled?
-        @enabled
+      # @return true if bindirs from “gem environment” should be added to sandbox.
+      def gem_env_paths?
+        @gem_env_paths
       end
 
       # Enable Ruby feature set.
@@ -46,13 +77,12 @@ class Bwrap::Config
       #
       # @note This does not allow development headers needed for compilation for now.
       #   I’ll look at it after I have an use for it.
+      #
+      # @note Also enables {Nscd} feature.
       def enable
-        @enabled = true
-      end
+        super
 
-      # Disable Ruby feature set.
-      def disable
-        @enabled = false
+        @features.nscd.enable
       end
 
       # @see #stdlib
@@ -70,12 +100,17 @@ class Bwrap::Config
 
     # @return [Bash] Instance of feature class for Bash
     def bash
-      @bash ||= Bash.new
+      @bash ||= Bash.new self
+    end
+
+    # @return [Nscd] Instance of feature class for nscd
+    def nscd
+      @nscd ||= Nscd.new self
     end
 
     # @return [Ruby] Instance of feature class for Ruby
     def ruby
-      @ruby ||= Ruby.new
+      @ruby ||= Ruby.new self
     end
   end
 end

data/lib/bwrap/config.rb

@@ -18,8 +18,45 @@ require_relative "config/features"
 #
 # @todo Add some documentation about syntax where necessary, like for #binaries_from.
 class Bwrap::Config
+  # Array of audio schemes usable inside chroot.
+  #
+  # Currently supports:
+  #   - :pulseaudio
+  #
+  attr_accessor :audio
+
+  # Set to `true` if command given to {Bwrap::Bwrap#run} is expected to
+  # be inside sandbox, and not bound from host.
+  #
+  # @return [Boolean] `true` if executed command is inside sandbox
+  attr_accessor :command_inside_root
+
+  attr_accessor :extra_executables
+
+  # TODO: IIRC this doesn’t match the reality any more. So write correct documentation.
+  #
+  # Causes libraries required by the executable given to {Bwrap#run} to be
+  # mounted inside sandbox.
+  #
+  # Often it is enough to use this flag instead of binding all system libraries
+  # using {#libdir_mounts=}
+  #
+  # @return [Boolean] true if Linux library loaders are mounted inside chroot
+  attr_accessor :full_system_mounts
+
   attr_accessor :hostname
 
+  # Set to true if basic system directories, like /usr/lib and /usr/lib64,
+  # should be bound inside chroot.
+  #
+  # /usr/bin can be mounted using {Config#binaries_from=}.
+  #
+  # Often it is enough to use {#full_system_mounts=} instead of binding all
+  # system libraries using this flag.
+  #
+  # @return [Boolean] true if libdirs are mounted to the chroot
+  attr_accessor :libdir_mounts
+
   # What should be used as /etc/machine_id file.
   #
   # If not specified, no /etc/machine_id handling is done.
@@ -34,6 +71,9 @@ class Bwrap::Config
   #   Given file as bound as /etc/machine_id.
   attr_accessor :machine_id
 
+  # @return [Boolean] true if network should be shared from host.
+  attr_accessor :share_net
+
   # Name of the user inside chroot.
   #
   # This is optional and defaults to no user.
@@ -45,46 +85,23 @@ class Bwrap::Config
   # @return [Boolean] Whether Xorg specific binds are used.
   attr_accessor :xorg_application
 
-  # Array of audio schemes usable inside chroot.
-  #
-  # Currently supports:
-  #   - :pulseaudio
-  #
-  attr_accessor :audio
-
-  # @return [Boolean] true if network should be shared from host.
-  attr_accessor :share_net
-
-  # Causes libraries required by the executable given to {Bwrap#run} to be
-  # mounted inside sandbox.
-  #
-  # Often it is enough to use this flag instead of binding all system libraries
-  # using {#libdir_mounts=}
+  # Array of directories to be bind mounted in sandbox.
   #
-  # @return [Boolean] true if Linux library loaders are mounted inside chroot
-  attr_accessor :full_system_mounts
-
-  # Set to true if basic system directories, like /usr/lib and /usr/lib64,
-  # should be bound inside chroot.
+  # Given paths are also added to PATH environment variable inside sandbox.
   #
-  # /usr/bin can be mounted using {Config#binaries_from=}.
+  # @hint At least on SUSE, many executables are symlinks to /etc/alternatives/*,
+  #   which in turn symlinks to versioned executable under the same bindir.
+  #   To use these executables, /etc/alternatives should also be bound:
   #
-  # Often it is enough to use {#full_system_mounts=} instead of binding all
-  # system libraries using this flag.
+  #       config.ro_binds["/etc/alternatives"] = "/etc/alternatives"
   #
-  # @return [Boolean] true if libdirs are mounted to the chroot
-  attr_accessor :libdir_mounts
+  # @return [Array] Paths to directories where binaries are looked from.
+  attr_reader :binaries_from
 
-  # Set to `true` if command given to {Bwrap::Bwrap#run} is expected to
-  # be inside sandbox, and not bound from host.
+  # Paths to be added to sandbox instance’s PATH environment variable.
   #
-  # @return [Boolean] `true` if executed command is inside sandbox
-  attr_accessor :command_inside_root
-
-  attr_accessor :extra_executables
-
-  # Array of directories to be bind mounted and used to construct PATH environment variable.
-  attr_reader :binaries_from
+  # @see #add_env_path
+  attr_reader :env_paths
 
   # TODO: Document this.
   # TODO: I wonder if this should just be removed. I don’t know, this is a bit ...
@@ -116,16 +133,12 @@ class Bwrap::Config
   #   @param dir Path to temporary directory
   attr_reader :tmpdir
 
-  # Paths to be added to sandbox instance’s PATH environment variable.
-  #
-  # @see #add_env_path
-  attr_reader :env_paths
-
   def initialize
-    @binaries_from = []
-    @tmpdir = Dir.tmpdir
     @audio = []
+    @binaries_from = []
     @env_paths = []
+    @ro_binds = {}
+    @tmpdir = Dir.tmpdir
   end
 
   def binaries_from= array

data/lib/bwrap/execution/execution.rb

@@ -91,14 +91,14 @@ module Bwrap::Execution
   # execute commands.
   #
   # @see .do_execute .do_execute for documentation of argument syntax
-  private def execute *args
+  private def execute *args, **kwargs
     # Mangle proper location to error message.
-    if args.last.is_a? Hash
-      args.last[:log_callback] = 3
+    if kwargs.is_a? Hash
+      kwargs[:log_callback] = 3
     else
-      args << { log_callback: 3 }
+      kwargs = { log_callback: 3 }
     end
-    Bwrap::Execution.do_execute(*args)
+    Bwrap::Execution.do_execute(*args, **kwargs)
   end
 
   # Same as ::execute, but uses log: false to avoid unnecessary output when we’re just getting a
@@ -106,7 +106,7 @@ module Bwrap::Execution
   #
   # Defaults to fail: false, since when one just wants to get the value, there is not that much
   # need to unconditionally die if getting bad exit code.
-  private def execvalue *args, fail: false, rootcmd: nil, env: {}
+  private def execvalue *args, fail: false, log: false, **kwargs
     # This logging handling is a bit of duplication from execute(), but to be extra safe, it is duplicated.
     # The debug message contents will always be evaluated, so can just do it like this.
     log_command = args[0].respond_to?(:join) && args[0].join(" ") || args[0]
@@ -121,7 +121,7 @@ module Bwrap::Execution
       return
     end
     trace "Execvaluing “#{log_command}” at #{caller_locations(1, 1)[0]}"
-    execute(*args, fail: fail, log: false, rootcmd: rootcmd, env: env)
+    execute(*args, fail: fail, log: log, **kwargs)
   end
 
   private def exec_success?

data/lib/bwrap/execution.rb

@@ -1,5 +1,7 @@
 # frozen_string_literal: true
 
+require_relative "bwrap_module"
+
 # Declare Execution module here so Bwrap::Execution module is
 # already declared for Execution module classes, to avoid
 # a circular dependency.

data/lib/bwrap/output/log.rb

@@ -1,8 +1,12 @@
 # frozen_string_literal: true
 
-# force_encoding modifies string, so can’t freeze strings.
-
 # Logging methods.
+#
+# @note One should require "bwrap/output" instead of this file directly, even
+#   if using only methods from this class.
+#
+#   This is because Bwrap::Output module would be missing, or there could be
+#   a circular dependency, which is always bad, even if Ruby would break it for you.
 class Bwrap::Output::Log
   @@log_file = nil
 
@@ -29,6 +33,10 @@ class Bwrap::Output::Log
 
   # Starts logging to given file.
   def self.log_to_file log_path
+    unless File.writable? log_path
+      warn "Given log file #{log_path} is not writable by current user."
+      return
+    end
     log_file = File.open log_path, "w"
 
     # In default mode, log messages disappears as Ruby’s own buffer gets full.

data/lib/bwrap/output/output_impl.rb

@@ -3,6 +3,7 @@
 # Have variables like $CHILD_STATUS which is alias of $?.
 require "English"
 
+require "bwrap/bwrap_module"
 require "bwrap/execution/labels"
 
 require_relative "levels"

data/lib/bwrap/output.rb

@@ -1,5 +1,7 @@
 # frozen_string_literal: true
 
+require_relative "bwrap_module"
+
 # Declare Output module here so Bwrap::Output module is
 # already declared for Output module classes, to avoid
 # a circular dependency.

data/lib/bwrap/version.rb

@@ -2,7 +2,7 @@
 
 module Bwrap
   # Current version of bwrap.
-  VERSION = "1.0.0-beta1"
+  VERSION = "1.0.0-beta2"
 end
 
 require "deep-cover" if ENV["DEEP_COVER"]

data/lib/bwrap.rb

@@ -1,28 +1,3 @@
 # frozen_string_literal: true
 
-require "bwrap/bwrap"
-
-# ruby-bwrap provides easy-to-use interface to run complex programs in sandboxes created with
-# {https://github.com/containers/bubblewrap bubblewrap}.
-#
-# To run a program inside bubblewrap, a wrapper executable can be created. For example:
-#
-#     require "bwrap"
-#
-#     config = Bwrap::Config.new
-#     config.user = "dummy_user"
-#     config.full_system_mounts = true
-#     config.binaries_from = %w{
-#       /bin
-#       /usr/bin
-#     }
-#
-#     bwrap = Bwrap::Bwrap.new config
-#     bwrap.parse_command_line_arguments
-#     bwrap.run "/bin/true"
-#
-# There also are few generic utilities, {Bwrap::Output} for handling output of scripts and
-# {Bwrap::Execution} to run executables.
-module Bwrap
-  # Empty module.
-end
+require "bwrap/bwrap"

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: bwrap
 version: !ruby/object:Gem::Version
-  version: 1.0.0.pre.beta1
+  version: 1.0.0.pre.beta2
 platform: ruby
 authors:
 - Samu Voutilainen
@@ -34,7 +34,7 @@ cert_chain:
   X4ioQwEn1/9tHs19VO1CLF58451HgEo1BXd7eWLmV1V5cqw0YWok1ly4L/Su/Phf
   MRxVMHiVAqY=
   -----END CERTIFICATE-----
-date: 2021-12-12 00:00:00.000000000 Z
+date: 2022-02-02 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: bundler
@@ -129,6 +129,7 @@ files:
 - lib/bwrap/args/machine_id.rb
 - lib/bwrap/args/mount.rb
 - lib/bwrap/bwrap.rb
+- lib/bwrap/bwrap_module.rb
 - lib/bwrap/config.rb
 - lib/bwrap/config/features.rb
 - lib/bwrap/execution.rb