bwrap_flags("--unshare-user", "--unshare-pid", "--unshare-cgroup"),
# A different hostname is useful to be able to see when we are inside the sandbox.
# However, some applications will not like this unless the hostname also exists in `/etc/hosts`!
- bwrap_flags("--unshare-uts", "--hostname", "bubblebox"),
+ # Also, gnome-shell doesn't display window icons properly when this is set.
+ #bwrap_flags("--unshare-uts", "--hostname", "bubblebox"),
# Make sure the sandbox cannot inject commands into the host terminal.
# TODO: This flag breaks some CLI applications, like job control in shells.
# Consider using SECCOMP instead.
}),
)
-# https://github.com/igo95862/bubblejail is a good source of paths that need allowing.
+def X11():
+ display = os.environ["DISPLAY"].removeprefix(":").split('.')[0]
+ return host_access({
+ "/tmp/.X11-unix/": {
+ "X"+display: Access.Read,
+ },
+ os.environ["XAUTHORITY"]: Access.Read,
+ })
+
+# https://github.com/igo95862/bubblejail/blob/master/src/bubblejail/services.py is a good source of paths that need allowing.
# We do not give access to pipewire, that needs a portal (https://docs.pipewire.org/page_portal.html).
def DESKTOP(name):
return group(
DEFAULT,
# Share XDG_RUNTIME_DIR among all instances of this sandbox
shared_runtime_dir(name),
- # Access to screen and audio
+ # Access to display servers, hardware acceleration, and audio
host_access({
"dev": {
("dri", "snd"): Access.Device,
},
- "/tmp/.X11-unix/": {
- "X"+os.environ["DISPLAY"].removeprefix(":"): Access.Read,
- },
- os.environ["XAUTHORITY"]: Access.Read,
XDG_RUNTIME_DIR: {
(os.environ["WAYLAND_DISPLAY"], "pulse"): Access.Read,
},
}),
- # Access to some key user configuration
+ X11(),
+ # Access to some key user configuration.
+ # We set GSETTINGS_BACKEND to make GTK3 apps use the config file in ~/.config/glib-2.0.
+ # (The "right" solution here is probably the settings portal...)
home_access({
- (".config/fontconfig", ".XCompose", ".local/share/applications"): Access.Read,
+ (".config/fontconfig", ".config/glib-2.0", ".XCompose", ".local/share/applications"): Access.Read,
}),
+ bwrap_flags("--setenv", "GSETTINGS_BACKEND", "keyfile"),
# Access to basic d-bus services (that are hopefully safe to expose...)
- dbus_proxy_flags("--talk=org.kde.StatusNotifierWatcher.*", "--talk=org.freedesktop.Notifications.*", "--talk=org.freedesktop.ScreenSaver.*", "--talk=org.freedesktop.portal.*"),
+ dbus_proxy_flags(
+ "--call=org.kde.StatusNotifierWatcher=@/StatusNotifierWatcher",
+ "--call=org.freedesktop.Notifications=@/org/freedesktop/Notifications",
+ "--call=org.freedesktop.ScreenSaver=@/org/freedesktop/ScreenSaver",
+ "--call=org.freedesktop.ScreenSaver=@/ScreenSaver",
+ "--talk=org.freedesktop.portal.*",
+ ),
# Make it possible to open websites in Firefox
home_access({ ".mozilla/firefox/profiles.ini": Access.Read }),
- dbus_proxy_flags("--talk=org.mozilla.firefox.*"),
+ dbus_proxy_flags("--call=org.mozilla.firefox.*=@/org/mozilla/firefox/Remote"),
)