profiles.py

   1 from bubblebox import *
   2
   3 # Various default sandbox settings
   4 DEFAULT = group(
   5   # namespace unsharing
   6   # cannot unshare IPC as that breaks some wine applications
   7   bwrap_flags("--unshare-user", "--unshare-pid", "--unshare-cgroup"),
   8   # A different hostname is useful to be able to see when we are inside the sandbox.
   9   # However, some applications will not like this unless the hostname also exists in `/etc/hosts`!
  10   # Also, gnome-shell doesn't display window icons properly when this is set.
  11   #bwrap_flags("--unshare-uts", "--hostname", "bubblebox"),
  12   # Make sure the sandbox cannot inject commands into the host terminal.
  13   # TODO: This flag breaks some CLI applications, like job control in shells.
  14   # Consider using SECCOMP instead.
  15   # Possible code to use for that: <https://gist.github.com/sloonz/4b7f5f575a96b6fe338534dbc2480a5d#file-sandbox-py-L129>
  16   # There is also a good list of possible-syscalls-to-block at
  17   # <https://github.com/flatpak/flatpak/blob/f16e064fd9454fb8f754b769ad1ffce0e42b51db/common/flatpak-run.c#L1791>.
  18   bwrap_flags("--new-session"),
  19   # basic directories
  20   bwrap_flags("--proc", "/proc", "--dev", "/dev", "--dir", "/tmp", "--dir", "/var", "--dir", "/run", "--symlink", "../run", "/var/run"),
  21   # an empty XDG_RUNTIME_DIR
  22   bwrap_flags("--perms", "0700", "--dir", XDG_RUNTIME_DIR),
  23   # merged-usr symlinks
  24   bwrap_flags("--symlink", "usr/lib", "/lib", "--symlink", "usr/lib64", "/lib64", "--symlink", "usr/bin", "/bin", "--symlink", "usr/sbin", "/sbin"),
  25   # folders we always need access to
  26   host_access({ ("/usr", "/sys", "/etc"): Access.Read }),
  27   # make a basic shell work
  28   home_access({
  29     (".bashrc", ".bash_aliases", ".profile"): Access.Read,
  30     "bin": Access.Read,
  31   }),
  32 )
  33
  34 def X11():
  35   display = os.environ["DISPLAY"].removeprefix(":").split('.')[0]
  36   return host_access({
  37       "/tmp/.X11-unix/": {
  38         "X"+display: Access.Read,
  39       },
  40       os.environ["XAUTHORITY"]: Access.Read,
  41   })
  42
  43 # https://github.com/igo95862/bubblejail/blob/master/src/bubblejail/services.py is a good source of paths that need allowing.
  44 # We do not give access to pipewire, that needs a portal (https://docs.pipewire.org/page_portal.html).
  45 def DESKTOP(name):
  46   return group(
  47     DEFAULT,
  48     # Share XDG_RUNTIME_DIR among all instances of this sandbox
  49     shared_runtime_dir(name),
  50     # Access to display servers, hardware acceleration, and audio
  51     host_access({
  52       "dev": {
  53         ("dri", "snd"): Access.Device,
  54       },
  55       XDG_RUNTIME_DIR: {
  56         (os.environ["WAYLAND_DISPLAY"], "pulse"): Access.Read,
  57       },
  58     }),
  59     X11(),
  60     # Access to some key user configuration.
  61     # We set GSETTINGS_BACKEND to make GTK3 apps use the config file in ~/.config/glib-2.0.
  62     # (The "right" solution here is probably the settings portal...)
  63     home_access({
  64       (".config/fontconfig", ".config/glib-2.0", ".XCompose", ".local/share/applications"): Access.Read,
  65     }),
  66     bwrap_flags("--setenv", "GSETTINGS_BACKEND", "keyfile"),
  67     # Access to basic d-bus services (that are hopefully safe to expose...)
  68     dbus_proxy_flags(
  69       "--call=org.kde.StatusNotifierWatcher=@/StatusNotifierWatcher",
  70       "--call=org.freedesktop.Notifications=@/org/freedesktop/Notifications",
  71       "--call=org.freedesktop.ScreenSaver=@/org/freedesktop/ScreenSaver",
  72       "--call=org.freedesktop.ScreenSaver=@/ScreenSaver",
  73       "--talk=org.freedesktop.portal.*",
  74     ),
  75     # Make it possible to open websites in Firefox
  76     home_access({ ".mozilla/firefox/profiles.ini": Access.Read }),
  77     dbus_proxy_flags("--call=org.mozilla.firefox.*=@/org/mozilla/firefox/Remote"),
  78   )