1 from bubblebox import *
3 # Various default sandbox settings
4 DEFAULT = collect_flags(
6 bwrap_flags("--unshare-all", "--share-net", "--hostname", "bubblebox"),
8 bwrap_flags("--proc", "/proc", "--dev", "/dev", "--dir", "/tmp", "--dir", "/var", "--dir", "/run", "--symlink", "../run", "/var/run"),
9 # an empty XDG_RUNTIME_DIR
10 bwrap_flags("--perms", "0700", "--dir", XDG_RUNTIME_DIR),
12 bwrap_flags("--symlink", "usr/lib", "/lib", "--symlink", "usr/lib64", "/lib64", "--symlink", "usr/bin", "/bin", "--symlink", "usr/sbin", "/sbin"),
13 # folders we always need access to
14 host_access({ ("/usr", "/sys", "/etc"): Access.Read }),
15 # make a basic shell work
17 (".bashrc", ".bash_aliases", ".profile"): Access.Read,
22 # https://github.com/igo95862/bubblejail is a good source of paths that need allowing.
23 # We do not give access to pipewire, that needs a portal (https://docs.pipewire.org/page_portal.html).
27 # Share XDG_RUNTIME_DIR among all instances of this sandbox
28 shared_runtime_dir(name),
29 # Access to screen and audio
32 ("dri", "snd"): Access.Device,
34 "/tmp/.X11-unix/": Access.Read,
35 os.environ["XAUTHORITY"]: Access.Read,
37 ("wayland*", "pulse"): Access.Read,
40 # Access to some key user configuration
42 (".config/fontconfig", ".XCompose", ".local/share/applications"): Access.Read,
44 # Access to basic d-bus services (that are hopefully safe to expose...)
45 dbus_proxy_flags("--talk=org.kde.StatusNotifierWatcher.*", "--talk=org.freedesktop.Notifications.*", "--talk=org.freedesktop.ScreenSaver.*", "--talk=org.freedesktop.portal.*"),
46 # Make it possible to open websites in Firefox
47 home_access({ ".mozilla/firefox/profiles.ini": Access.Read }),
48 dbus_proxy_flags("--talk=org.mozilla.firefox.*"),
projects / bubblebox.git / blob