cannot unshare IPC as that breaks some wine applications
[bubblebox.git] / profiles.py
index decab8696b7976160aa9930aa3d36bee8d9ba3f3..8505fe6bae200e558127f1ba8b81dc80a80038cc 100644 (file)
@@ -3,7 +3,11 @@ from bubblebox import *
 # Various default sandbox settings
 DEFAULT = collect_flags(
   # namespace unsharing
-  bwrap_flags("--unshare-all", "--share-net", "--hostname", "bubblebox"),
+  # cannot unshare IPC as that breaks some wine applications
+  bwrap_flags("--unshare-user", "--unshare-pid", "--unshare-cgroup"),
+  # A different hostname is useful to be able to see when we are inside the sandbox.
+  # However, some applications will not like this unless the hostname also exists in `/etc/hosts`!
+  bwrap_flags("--unshare-uts", "--hostname", "bubblebox"),
   # basic directories
   bwrap_flags("--proc", "/proc", "--dev", "/dev", "--dir", "/tmp", "--dir", "/var", "--dir", "/run", "--symlink", "../run", "/var/run"),
   # an empty XDG_RUNTIME_DIR
@@ -21,25 +25,29 @@ DEFAULT = collect_flags(
 
 # https://github.com/igo95862/bubblejail is a good source of paths that need allowing.
 # We do not give access to pipewire, that needs a portal (https://docs.pipewire.org/page_portal.html).
-DESKTOP = collect_flags(
-  # Access to screen and audio
-  host_access({
-    "dev": {
-      ("dri", "snd"): Access.Device,
-    },
-    "/tmp/.X11-unix/": Access.Read,
-    os.environ["XAUTHORITY"]: Access.Read,
-    XDG_RUNTIME_DIR: {
-      ("wayland*", "pulse"): Access.Read,
-    },
-  }),
-  # Access to some key user configuration
-  home_access({
-    (".config/fontconfig", ".XCompose", ".local/share/applications"): Access.Read,
-  }),
-  # Access to basic d-bus services (that are hopefully safe to expose...)
-  dbus_proxy_flags("--talk=org.kde.StatusNotifierWatcher.*", "--talk=org.freedesktop.Notifications.*", "--talk=org.freedesktop.ScreenSaver.*", "--talk=org.freedesktop.portal.*"),
-  # Make it possible to open websites in Firefox
-  home_access({ ".mozilla/firefox/profiles.ini": Access.Read }),
-  dbus_proxy_flags("--talk=org.mozilla.firefox.*"),
-)
+def DESKTOP(name):
+  return collect_flags(
+    DEFAULT,
+    # Share XDG_RUNTIME_DIR among all instances of this sandbox
+    shared_runtime_dir(name),
+    # Access to screen and audio
+    host_access({
+      "dev": {
+        ("dri", "snd"): Access.Device,
+      },
+      "/tmp/.X11-unix/": Access.Read,
+      os.environ["XAUTHORITY"]: Access.Read,
+      XDG_RUNTIME_DIR: {
+        ("wayland*", "pulse"): Access.Read,
+      },
+    }),
+    # Access to some key user configuration
+    home_access({
+      (".config/fontconfig", ".XCompose", ".local/share/applications"): Access.Read,
+    }),
+    # Access to basic d-bus services (that are hopefully safe to expose...)
+    dbus_proxy_flags("--talk=org.kde.StatusNotifierWatcher.*", "--talk=org.freedesktop.Notifications.*", "--talk=org.freedesktop.ScreenSaver.*", "--talk=org.freedesktop.portal.*"),
+    # Make it possible to open websites in Firefox
+    home_access({ ".mozilla/firefox/profiles.ini": Access.Read }),
+    dbus_proxy_flags("--talk=org.mozilla.firefox.*"),
+  )