X-Git-Url: https://git.ralfj.de/bubblebox.git/blobdiff_plain/986fb26e3adc4e486a1df52bc7c5c03cc00c95c3..e2fdf6fe578fba653b6941a6d8c726ac99f60ff8:/profiles.py diff --git a/profiles.py b/profiles.py index 70e8b81..3152898 100644 --- a/profiles.py +++ b/profiles.py @@ -9,6 +9,11 @@ DEFAULT = group( # However, some applications will not like this unless the hostname also exists in `/etc/hosts`! bwrap_flags("--unshare-uts", "--hostname", "bubblebox"), # Make sure the sandbox cannot inject commands into the host terminal. + # TODO: This flag breaks some CLI applications, like job control in shells. + # Consider using SECCOMP instead. + # Possible code to use for that: + # There is also a good list of possible-syscalls-to-block at + # . bwrap_flags("--new-session"), # basic directories bwrap_flags("--proc", "/proc", "--dev", "/dev", "--dir", "/tmp", "--dir", "/var", "--dir", "/run", "--symlink", "../run", "/var/run"), @@ -25,6 +30,15 @@ DEFAULT = group( }), ) +def X11(): + display = os.environ["DISPLAY"].removeprefix(":").split('.')[0] + return host_access({ + "/tmp/.X11-unix/": { + "X"+display: Access.Read, + }, + os.environ["XAUTHORITY"]: Access.Read, + }) + # https://github.com/igo95862/bubblejail is a good source of paths that need allowing. # We do not give access to pipewire, that needs a portal (https://docs.pipewire.org/page_portal.html). def DESKTOP(name): @@ -32,17 +46,16 @@ def DESKTOP(name): DEFAULT, # Share XDG_RUNTIME_DIR among all instances of this sandbox shared_runtime_dir(name), - # Access to screen and audio + # Access to display servers, hardware acceleration, and audio host_access({ "dev": { ("dri", "snd"): Access.Device, }, - "/tmp/.X11-unix/": Access.Read, - os.environ["XAUTHORITY"]: Access.Read, XDG_RUNTIME_DIR: { - ("wayland*", "pulse"): Access.Read, + (os.environ["WAYLAND_DISPLAY"], "pulse"): Access.Read, }, }), + X11(), # Access to some key user configuration home_access({ (".config/fontconfig", ".XCompose", ".local/share/applications"): Access.Read,