this post was submitted on 20 Jun 2023
9 points (100.0% liked)

Arch Linux

7791 readers
5 users here now

The beloved lightweight distro

founded 4 years ago
MODERATORS
 

I want to sandbox things like Steam, Discord and even firefox and I see bubblwrap getting recommended a lot as the preferred sandboxing tool but I'm hardpressed on how to actually use it. I don't know what to enable and what not to.

PS. Please don't recommend Flatpak, I'm aware Flatpak uses bwrap but I want to avoid Flatpak unless absolute necessary. I don't have anything against Flatpak, just personal preference :D.

top 11 comments
sorted by: hot top controversial new old
[–] patatahooligan 4 points 1 year ago (1 children)

From what I understand, bubblewrap is supposed be configured by passing flags from the command line. It seems that the way to "configure" bubblewrap is to create wrapper scripts. For example make /usr/local/bin with the following contents

#!/usr/bin/bash
bwrap --flags-and "arguments" steam

As it's not very practical to figure out a good sandbox from scratch for each and every program you use, you probably want to find scripts from other users or tools that build on top of bubblewrap and are bundled with profiles. The wiki article has examples of both.

[–] [email protected] 1 points 1 year ago (1 children)

I see. So where can I find such scripts? I want to sandbox Steam, Discord and Firefox.

[–] patatahooligan 1 points 1 year ago

I don't use it so I don't have first-hand experience. Like I said, the wiki has some examples and links for reference.

FYI firejail comes with bundled configs for the three apps you mentioned among others. It should play with little or zero tinkering. Maybe give firejail a try if you find bubblewrap hard to setup.

[–] pseudo 1 points 1 year ago (1 children)

Comment federation is glitched, yo.

This, that. But, but, but.

¯\(°_o)/¯

[–] [email protected] 1 points 1 year ago* (last edited 1 year ago)

lmao shit.

how did you find all these? Nevermind just fucking realized you are the one who commented all that lmao.

PS. I actually solved most of my issues. ChatGPT is a wizard.

[–] pseudo 1 points 1 year ago (2 children)

Here's how I run Firefox, for instance:

#!/bin/zsh

function r { for p in $@; do [[ -e $p ]] && echo --ro-bind-try $p $p; done; }
function w { for p in $@; do [[ -e $p ]] && echo --bind-try $p $p; done; }
function ln { echo --symlink $1 $2; }
function wdev { for p in $@; do echo --dev-bind-try $p $p; done; }

bwopt=(
  --unshare-pid --unshare-uts --unshare-ipc --unshare-cgroup

  --proc /proc --dev /dev --tmpfs /dev/shm --mqueue /dev/mqueue

  $(wdev /dev/dri /dev/v4l /dev/video*)
  $(r /sys/{dev,devices,bus/pci})

  --dir /var/tmp --dir /run/lock
  $(ln ../run /var/run) $(ln ../run/lock /var/lock)
  $(w /tmp/.{X11-unix,ICE-unix})

  $(r /usr/lib) $(ln usr/lib /lib64) $(ln lib /usr/lib64)
  $(r /usr/share)
  $(r /var/{cache/fontconfig,lib/dbus/machine-id})

  $(r /etc/{passwd,group,nsswitch.conf,resolv.conf,hosts,gai.conf,ld.so*})
  $(r /etc/{localtime,lsb-release,machine-id})
  $(r /etc/{ca-certificates,ssl})
  $(r /etc/{dconf,fonts,gtk-*,host.conf,xdg,mime.types,pulse})
 
  $(r ${XAUTHORITY} ${DBUS_SESSION_BUS_ADDRESS/unix:path=})
  $(w ${XDG_RUNTIME_DIR}/{ICEauthority,dconf,pulse,gvfsd,wayland-*,p11-kit,flatpak-info})

  $(w ~/.{mozilla,cache/mozilla})
  $(r ~/.cache/{fontconfig,mesa_shader_cache})
  $(r ~/.config/{dconf,fontconfig,user-dirs.dirs,gtk-*,mimeapps.list,pulse})
  $(r ~/.{fonts,local/share/{themes,icons}})

  $(w ~/down /tmp/swap)
)

exec nice \
  systemd-run --quiet --user --scope --slice=firefox.slice \
  bwrap --args 9 9< <(printf $'%s\0' $bwopt) \
  -- /usr/lib/firefox/firefox $@

Using this for about 5 years. Ran strace on a session to see what to allow access to. It's got full access to /lib and too much access to /sys b/c I'm lazy, but it can not see any executables or most of ~.

I'm using something similar whenever I want to precisely isolate a program.

[–] [email protected] 1 points 1 year ago (1 children)

Thank you for this. But if I may ask can you tell me what some of these options do? I can understand what some of these do just by looking, like giving directory access.

Will this work on my system where I use a combo of Wayland + Pipewire?

[–] pseudo 1 points 1 year ago* (last edited 1 year ago)

Thank you for this. But if I may ask can you tell me what some of these options do? I can understand what some of these do just by looking, like giving directory access.

Check bwrap(1) for details, it's all there.

Will this work on my system where I use a combo of Wayland + Pipewire?

Yes, and yes.

[–] [email protected] 1 points 1 year ago (1 children)

How do I use this btw? I pasted this on an executable and it says Permission Denied.

[–] pseudo 1 points 1 year ago

It's a shell script, right? Save the text as a <FILE>, chmod +x <FILE>, ./<FILE>.

You might not have zsh, in which case you need to replace shebang (#!/bin/zsh) with bash and fix what breaks (IIRC you can't quite do a printf like that in bash).

It works by constructing an array of argument strings — which you can see with echo $bwopt — and printing it, concatenated using \0 as a separator. It's printed to a file descriptor, open as fd 9 in the child process. Alternatively, you can just give bwrap those arguments directly (bwrap $bwopt).

[–] Zenzio 1 points 1 year ago* (last edited 1 year ago)

I don't have any experience with Bubblewrap. Is it what people tend to use instead of its alternatives? Have you had a look at Firejail? I think it does what you are trying to achieve and has a lot of these preconfigured scripts for a variety of the applications you might use (they call them profiles). https://wiki.archlinux.org/title/Firejail From the archwiki:

Most users will not require any custom configuration and can proceed to #Usage.

Firejail uses profiles to set the security protections for each of the applications executed inside of it - you can find the default profiles in /etc/firejail/application.profile. Should you require custom profiles for applications not included, or wish to modify the defaults, you may place new rules or copies of the defaults in the ~/.config/firejail directory. You may have multiple custom profile files for a single application, and you may share the same profile file among several applications.

If firejail does not have a profile for a particular application, it uses its restrictive system-wide default profile. This can result in the application not functioning as desired, without first creating a custom and less restrictive profile.

It also has support for use in conjunction with Apparmor: https://wiki.archlinux.org/title/Firejail#Enable_AppArmor_support

Note: A lot of applications won't have any read or write access anywhere but /home/$USER/Downloads. So one example from me would be that I copied the Firefox profile from /etc/firejail/firefox.local to /home/$USER/firejail/firefox.local and edited the latter to allow Firefox access to /home/$USER/Pictures for the sake of convenience when saving a picture.

Just my two cents in case you are not dead set on Bubblewrap.

load more comments
view more: next ›