recommend bubblejail for people that want a more ouf-of-the-box experience

[bubblebox.git] / profiles.py

diff --git a/profiles.py b/profiles.py
index 8505fe6bae200e558127f1ba8b81dc80a80038cc..31528988ec73c32ffd088d50a5383a9397708866 100644 (file)
--- a/profiles.py
+++ b/profiles.py
@@ -1,13 +1,20 @@
 from bubblebox import *
 
 # Various default sandbox settings
 from bubblebox import *
 
 # Various default sandbox settings

-DEFAULT = collect_flags(
+DEFAULT = group(

   # namespace unsharing
   # cannot unshare IPC as that breaks some wine applications
   bwrap_flags("--unshare-user", "--unshare-pid", "--unshare-cgroup"),
   # A different hostname is useful to be able to see when we are inside the sandbox.
   # However, some applications will not like this unless the hostname also exists in `/etc/hosts`!
   bwrap_flags("--unshare-uts", "--hostname", "bubblebox"),
   # namespace unsharing
   # cannot unshare IPC as that breaks some wine applications
   bwrap_flags("--unshare-user", "--unshare-pid", "--unshare-cgroup"),
   # A different hostname is useful to be able to see when we are inside the sandbox.
   # However, some applications will not like this unless the hostname also exists in `/etc/hosts`!
   bwrap_flags("--unshare-uts", "--hostname", "bubblebox"),

+  # Make sure the sandbox cannot inject commands into the host terminal.
+  # TODO: This flag breaks some CLI applications, like job control in shells.
+  # Consider using SECCOMP instead.
+  # Possible code to use for that: <https://gist.github.com/sloonz/4b7f5f575a96b6fe338534dbc2480a5d#file-sandbox-py-L129>
+  # There is also a good list of possible-syscalls-to-block at
+  # <https://github.com/flatpak/flatpak/blob/f16e064fd9454fb8f754b769ad1ffce0e42b51db/common/flatpak-run.c#L1791>.
+  bwrap_flags("--new-session"),

   # basic directories
   bwrap_flags("--proc", "/proc", "--dev", "/dev", "--dir", "/tmp", "--dir", "/var", "--dir", "/run", "--symlink", "../run", "/var/run"),
   # an empty XDG_RUNTIME_DIR
   # basic directories
   bwrap_flags("--proc", "/proc", "--dev", "/dev", "--dir", "/tmp", "--dir", "/var", "--dir", "/run", "--symlink", "../run", "/var/run"),
   # an empty XDG_RUNTIME_DIR


@@ -23,24 +30,32 @@ DEFAULT = collect_flags(
   }),
 )
 
   }),
 )
 

+def X11():
+  display = os.environ["DISPLAY"].removeprefix(":").split('.')[0]
+  return host_access({
+      "/tmp/.X11-unix/": {
+        "X"+display: Access.Read,
+      },
+      os.environ["XAUTHORITY"]: Access.Read,
+  })
+

 # https://github.com/igo95862/bubblejail is a good source of paths that need allowing.
 # We do not give access to pipewire, that needs a portal (https://docs.pipewire.org/page_portal.html).
 def DESKTOP(name):
 # https://github.com/igo95862/bubblejail is a good source of paths that need allowing.
 # We do not give access to pipewire, that needs a portal (https://docs.pipewire.org/page_portal.html).
 def DESKTOP(name):

-  return collect_flags(
+  return group(

     DEFAULT,
     # Share XDG_RUNTIME_DIR among all instances of this sandbox
     shared_runtime_dir(name),
     DEFAULT,
     # Share XDG_RUNTIME_DIR among all instances of this sandbox
     shared_runtime_dir(name),

-    # Access to screen and audio
+    # Access to display servers, hardware acceleration, and audio

     host_access({
       "dev": {
         ("dri", "snd"): Access.Device,
       },
     host_access({
       "dev": {
         ("dri", "snd"): Access.Device,
       },

-      "/tmp/.X11-unix/": Access.Read,
-      os.environ["XAUTHORITY"]: Access.Read,

       XDG_RUNTIME_DIR: {
       XDG_RUNTIME_DIR: {

-        ("wayland*", "pulse"): Access.Read,
+        (os.environ["WAYLAND_DISPLAY"], "pulse"): Access.Read,

       },
     }),
       },
     }),

+    X11(),

     # Access to some key user configuration
     home_access({
       (".config/fontconfig", ".XCompose", ".local/share/applications"): Access.Read,
     # Access to some key user configuration
     home_access({
       (".config/fontconfig", ".XCompose", ".local/share/applications"): Access.Read,