this post was submitted on 20 Jun 2023

Arch Linux


The beloved lightweight distro


I want to sandbox things like Steam, Discord and even Firefox and I see bubblewrap getting recommended a lot as the preferred sandboxing tool but I'm hard-pressed on how to actually use it. I don't know what to enable and what not to.

PS. Please don't recommend Flatpak, I'm aware Flatpak uses bwrap but I want to avoid Flatpak unless absolutely necessary. I don't have anything against Flatpak, just personal preference :D.

[–] [email protected] 2 points 1 year ago

From what I understand, bubblewrap is supposed to be configured by passing flags from the command line. It seems that the way to "configure" bubblewrap is to create wrapper scripts. For example, make /usr/local/bin with the following contents:

#!/usr/bin/bash
bwrap --flags-and "arguments" steam

As it's not very practical to figure out a good sandbox from scratch for each and every program you use, you probably want to find scripts from other users or tools that build on top of bubblewrap and are bundled with profiles. The wiki article has examples of both.

[–] [email protected] 1 points 1 year ago (1 children)

Here's how I run Firefox, for instance:

#!/bin/zsh

# A glob that matches nothing (e.g. /dev/video* on a box without a webcam, or
# wayland-* under X11) would otherwise abort the whole $(...) it appears in and
# silently drop every other bind in that group.
setopt null_glob

# Helpers that print bwrap options; r and w only emit a bind for paths that exist.
function r { for p in $@; do [[ -e $p ]] && echo --ro-bind-try $p $p; done; }  # read-only bind
function w { for p in $@; do [[ -e $p ]] && echo --bind-try $p $p; done; }     # read-write bind
function ln { echo --symlink $1 $2; }                                           # symlink inside the sandbox
function wdev { for p in $@; do echo --dev-bind-try $p $p; done; }              # device node, read-write

bwopt=(
  # New PID, UTS, IPC and cgroup namespaces (network and user namespaces are kept).
  --unshare-pid --unshare-uts --unshare-ipc --unshare-cgroup

  # Fresh /proc, a minimal /dev, empty shared-memory and message-queue mounts.
  --proc /proc --dev /dev --tmpfs /dev/shm --mqueue /dev/mqueue

  # GPU and camera nodes, plus the parts of /sys mesa reads to find the GPU.
  $(wdev /dev/dri /dev/v4l /dev/video*)
  $(r /sys/{dev,devices,bus/pci})

  # Writable scratch dirs, the usual /var/run and /var/lock symlinks, X11/ICE sockets.
  --dir /var/tmp --dir /run/lock
  $(ln ../run /var/run) $(ln ../run/lock /var/lock)
  $(w /tmp/.{X11-unix,ICE-unix})

  # System libraries and data, read-only; /lib64 and /usr/lib64 laid out as on Arch.
  $(r /usr/lib) $(ln usr/lib /lib64) $(ln lib /usr/lib64)
  $(r /usr/share)
  $(r /var/{cache/fontconfig,lib/dbus/machine-id})

  # Only the /etc entries the program was seen to read (strace), never all of /etc.
  $(r /etc/{passwd,group,nsswitch.conf,resolv.conf,hosts,gai.conf,ld.so*})
  $(r /etc/{localtime,lsb-release,machine-id})
  $(r /etc/{ca-certificates,ssl})
  $(r /etc/{dconf,fonts,gtk-*,host.conf,xdg,mime.types,pulse})

  # X authority file, the session D-Bus socket and the per-session runtime files.
  $(r ${XAUTHORITY} ${DBUS_SESSION_BUS_ADDRESS/unix:path=})
  $(w ${XDG_RUNTIME_DIR}/{ICEauthority,dconf,pulse,gvfsd,wayland-*,p11-kit,flatpak-info})

  # Firefox profile and cache, read-write; fonts, themes and GTK settings, read-only.
  $(w ~/.{mozilla,cache/mozilla})
  $(r ~/.cache/{fontconfig,mesa_shader_cache})
  $(r ~/.config/{dconf,fontconfig,user-dirs.dirs,gtk-*,mimeapps.list,pulse})
  $(r ~/.{fonts,local/share/{themes,icons}})

  # Download directory (and a scratch dir, if present), read-write.
  $(w ~/down /tmp/swap)
)

# Run at lower CPU priority inside its own systemd scope/slice so the whole process
# tree can be tracked or killed as a unit. The option list is handed to bwrap
# NUL-separated on fd 9 (--args 9), which sidesteps quoting problems with the array.
exec nice \
  systemd-run --quiet --user --scope --slice=firefox.slice \
  bwrap --args 9 9< <(printf $'%s\0' $bwopt) \
  -- /usr/lib/firefox/firefox $@

Using this for about 5 years. Ran strace on a session to see what to allow access to. It's got full access to /lib and too much access to /sys b/c I'm lazy, but it cannot see any executables or most of ~.

I'm using something similar whenever I want to precisely isolate a program.
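The wrapper-script approach from the two comments above, as an added example that is not code from the thread: a POSIX sh wrapper (hypothetical path /usr/local/bin/sandboxed) that builds a bwrap option list the same way, feeds it through --args, and refuses to launch if a writable bind would expose a broad tree such as $HOME or /. The bound paths are assumptions for a typical Arch install; invoke it as `sandboxed /usr/bin/steam`.

```shell
#!/bin/sh
# Added example, not code from the thread. Intended path: /usr/local/bin/sandboxed
# (an assumption), run as `sandboxed /usr/bin/steam`. Options go NUL-separated into a
# temp file and reach bwrap via --args, so no shell array (and no zsh) is needed.
set -eu
HOME="${HOME:?HOME must be set}"
ARGS=$(mktemp); trap 'rm -f "$ARGS"' EXIT

opt() { printf '%s\0' "$@" >> "$ARGS"; }                                   # append raw bwrap options
ro()  { for p in "$@"; do [ -e "$p" ] && opt --ro-bind "$p" "$p"; done; return 0; }  # read-only, if present
rw()  { for p in "$@"; do [ -e "$p" ] && opt --bind "$p" "$p"; done; done_=1; return 0; } # read-write, if present

base_opts() {
  : > "$ARGS"
  # Fresh PID/IPC/UTS/user namespaces, only the network shared; no controlling tty.
  # $HOME becomes an empty tmpfs, so the program sees nothing under ~ except what is bound.
  opt --unshare-all --share-net --die-with-parent --new-session \
      --proc /proc --dev /dev --tmpfs /tmp --tmpfs "$HOME"
  ro /usr /etc/ld.so.cache /etc/ld.so.conf /etc/ld.so.conf.d /etc/ssl /etc/ca-certificates \
     /etc/resolv.conf /etc/hosts /etc/passwd /etc/group /etc/nsswitch.conf /etc/fonts /etc/localtime
  opt --symlink usr/lib /lib --symlink usr/lib64 /lib64 --symlink usr/bin /bin --symlink usr/bin /sbin
  opt --dev-bind-try /dev/dri /dev/dri                                     # GPU node
  ro /sys/dev /sys/devices /sys/bus/pci                                     # what mesa reads to find the GPU
  rw /tmp/.X11-unix; ro "${XAUTHORITY:-$HOME/.Xauthority}"                  # X11 (Wayland: bind $XDG_RUNTIME_DIR/wayland-0)
}

# Defensive check: refuse to launch if a writable bind covers a broad tree, so a typo such
# as rw "$HOME" cannot silently undo the sandbox. Returns 1 and names the first offender.
audit_opts() {
  tr '\0' '\n' < "$ARGS" | awk -v home="$HOME" '
    $0 == "--bind" || $0 == "--dev-bind" { want = 1; next }
    want { want = 0
      if ($0 == "/" || $0 == home || $0 == "/home" || $0 == "/etc" || $0 == "/usr") {
        print "refusing writable bind of " $0 > "/dev/stderr"; exit 1 } }'
}

main() {
  base_opts
  rw "$HOME/.steam" "$HOME/.local/share/Steam"                             # per-program state; adjust
  audit_opts
  exec 9< "$ARGS"; rm -f "$ARGS"                                           # bwrap reads fd 9 via --args
  exec bwrap --args 9 -- "$@"
}
if [ "$#" -gt 0 ]; then main "$@"; fi
```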

[–] [email protected] 1 points 1 year ago

How do I use this btw? I pasted this on an executable and it says Permission Denied.

[–] [email protected] 1 points 1 year ago (1 children)

Comment federation is glitched, yo.

This, that. But, but, but.

¯\(°_o)/¯

[–] [email protected] 1 points 1 year ago* (last edited 1 year ago)

lmao shit.

how did you find all these? Nevermind just fucking realized you are the one who commented all that lmao.

PS. I actually solved most of my issues. ChatGPT is a wizard.
