Remove support for setuid mode

README.md

@@ -17,19 +17,9 @@ There is an feature in the Linux kernel called
 which allows unprivileged users to use container features. Bubblewrap uses these to
 build the sandbox, allowing any user to use the tool.
 
-Historically, not all Linux distributions supported (at least by
-default) unprivileged user namespaces, so bubblewrap supports a second
-mode of operation when the binary is setuid root. In that setup
-bubblewrap could be viewed as setuid implementation of a *subset* of
-user namespaces. However, not all features of bubblewrap work in
-this mode.
-
-However, setuid mode is deprecated, as most recent Linux distributions
-support unprivileged user namespaces, and setuid binaries carry
-significant risks. By default, bubblewrap binaries refuse to work if
-setuid, and you must build explicitly with ` -Dsupport_setuid=true` to
-enable it to work. Later versions of bubblewrap aims to completely
-remove this support.
+Historically, bubblewrap also supported a setuid mode for systems where
+unprivileged user namespaces were not supported. However, this has been
+removed.
 
 The original bubblewrap code existed before user namespaces - it inherits code from
 [xdg-app helper](https://cgit.freedesktop.org/xdg-app/xdg-app/tree/common/xdg-app-helper.c?id=4c3bf179e2e4a2a298cd1db1d045adaf3f564532)

SECURITY.md

@@ -4,23 +4,15 @@ The bubblewrap Project follows the [Security and Disclosure Information Policy](
 
 ### System security
 
-If bubblewrap is setuid root, then the goal is that it does not allow
-a malicious local user to do anything that would not have been possible
-on a kernel that allows unprivileged users to create new user namespaces.
-For example, [CVE-2020-5291](https://github.com/containers/bubblewrap/security/advisories/GHSA-j2qp-rvxj-43vj)
-was treated as a security vulnerability in bubblewrap.
-
-If bubblewrap is not setuid root, then it is not a security boundary
-between the user and the OS, because anything bubblewrap could do, a
-malicious user could equally well do by writing their own tool equivalent
-to bubblewrap.
-
-Since 0.11.2, unless compiled with the `-Dsupport_setuid=true` option,
-setuid root support is disabled. In this mode bubblewrap will refuse
-to operate if the binary has been made setuid. For binaries built like
-this it is safe to ignore any bubblewrap CVEs that are described as
-affecting setuid mode only. This is the recommended way to package
-bubblewrap.
+bubblewrap is not a security boundary between the user and the OS,
+because anything bubblewrap could do, a malicious user could equally
+well do by writing their own tool equivalent to bubblewrap.
+
+Older versions of bubblewrap were optionally setuid root. This is a
+system security risk. See
+https://github.com/containers/bubblewrap/blob/v0.11.2/SECURITY.md#system-security
+for discussion of this historical configuration. Newer versions of
+bubblewrap refuse to operate if the binary has been made setuid.
 
 ### Sandbox security