X-Git-Url: https://git.ralfj.de/bubblebox.git/blobdiff_plain/dfdb1dd9225a3dfaa21da22274f376bdbddada75..249a3635c23a8a543459fd084faf7ddb4241b06d:/profiles.py?ds=sidebyside diff --git a/profiles.py b/profiles.py index cf87845..18c3116 100644 --- a/profiles.py +++ b/profiles.py @@ -1,7 +1,7 @@ from bubblebox import * # Various default sandbox settings -DEFAULT = collect_flags( +DEFAULT = group( # namespace unsharing # cannot unshare IPC as that breaks some wine applications bwrap_flags("--unshare-user", "--unshare-pid", "--unshare-cgroup"), @@ -9,6 +9,11 @@ DEFAULT = collect_flags( # However, some applications will not like this unless the hostname also exists in `/etc/hosts`! bwrap_flags("--unshare-uts", "--hostname", "bubblebox"), # Make sure the sandbox cannot inject commands into the host terminal. + # TODO: This flag breaks some CLI applications, like job control in shells. + # Consider using SECCOMP instead. + # Possible code to use for that: + # There is also a good list of possible-syscalls-to-block at + # . bwrap_flags("--new-session"), # basic directories bwrap_flags("--proc", "/proc", "--dev", "/dev", "--dir", "/tmp", "--dir", "/var", "--dir", "/run", "--symlink", "../run", "/var/run"), @@ -28,7 +33,7 @@ DEFAULT = collect_flags( # https://github.com/igo95862/bubblejail is a good source of paths that need allowing. # We do not give access to pipewire, that needs a portal (https://docs.pipewire.org/page_portal.html). def DESKTOP(name): - return collect_flags( + return group( DEFAULT, # Share XDG_RUNTIME_DIR among all instances of this sandbox shared_runtime_dir(name), @@ -37,10 +42,12 @@ def DESKTOP(name): "dev": { ("dri", "snd"): Access.Device, }, - "/tmp/.X11-unix/": Access.Read, + "/tmp/.X11-unix/": { + "X"+os.environ["DISPLAY"].removeprefix(":"): Access.Read, + }, os.environ["XAUTHORITY"]: Access.Read, XDG_RUNTIME_DIR: { - ("wayland*", "pulse"): Access.Read, + (os.environ["WAYLAND_DISPLAY"], "pulse"): Access.Read, }, }), # Access to some key user configuration