fdb2f67ebd97c1fad0cdf5f0c5816dbd03574924
[bubblebox.git] / profiles.py
1 from bubblebox import *
2
3 # Various default sandbox settings
4 DEFAULT = collect_flags(
5   # general flags
6   bwrap_flags("--die-with-parent"),
7   # namespace unsharing
8   bwrap_flags("--unshare-all", "--share-net", "--hostname", "bwrapped"),
9   # basic directories
10   bwrap_flags("--proc", "/proc", "--dev", "/dev", "--dir", "/tmp", "--dir", "/var", "--dir", "/run", "--symlink", "../run", "/var/run"),
11   # an empty XDG_RUNTIME_DIR
12   bwrap_flags("--perms", "0700", "--dir", XDG_RUNTIME_DIR),
13   # merged-usr symlinks
14   bwrap_flags("--symlink", "usr/lib", "/lib", "--symlink", "usr/lib64", "/lib64", "--symlink", "usr/bin", "/bin", "--symlink", "usr/sbin", "/sbin"),
15   # folders we always need access to
16   ro_host_access("/usr", "/sys", "/etc"),
17   # make a basic shell work
18   ro_host_access(*globexpand(HOME, [".bashrc", ".bash_aliases", ".profile", "bin"])),
19 )
20
21 # https://github.com/igo95862/bubblejail is a good source of paths that need allowing.
22 # We do not give access to pipewire, that needs a portal (https://docs.pipewire.org/page_portal.html).
23 DESKTOP = collect_flags(
24   # Access to screen and audio
25   dev_host_access("/dev/dri", "/dev/snd"),
26   ro_host_access("/tmp/.X11-unix/", os.environ["XAUTHORITY"]),
27   ro_host_access(*globexpand(XDG_RUNTIME_DIR, ["wayland*", "pulse"])),
28   # Access to some key global configuration
29   ro_host_access(*globexpand(HOME, [".config/fontconfig", ".XCompose"])),
30   # Access to basic d-bus services (that are hopefully safe to expose...)
31   dbus_proxy_flags("--talk=org.kde.StatusNotifierWatcher.*", "--talk=org.freedesktop.Notifications.*", "--talk=org.freedesktop.ScreenSaver.*", "--talk=org.freedesktop.portal.*"),
32   # Make it possible to open websites in Firefox
33   ro_host_access(*globexpand(HOME, [".mozilla/firefox/profiles.ini", ".local/share/applications"])),
34   dbus_proxy_flags("--talk=org.mozilla.firefox.*"),
35 )