X-Git-Url: https://git.ralfj.de/bubblebox.git/blobdiff_plain/f0b992053c113a3575728bceb0444756a33d659d..986fb26e3adc4e486a1df52bc7c5c03cc00c95c3:/profiles.py diff --git a/profiles.py b/profiles.py index ff685f9..70e8b81 100644 --- a/profiles.py +++ b/profiles.py @@ -1,11 +1,15 @@ from bubblebox import * # Various default sandbox settings -DEFAULT = collect_flags( - # general flags - bwrap_flags("--die-with-parent"), +DEFAULT = group( # namespace unsharing - bwrap_flags("--unshare-all", "--share-net", "--hostname", "bwrapped"), + # cannot unshare IPC as that breaks some wine applications + bwrap_flags("--unshare-user", "--unshare-pid", "--unshare-cgroup"), + # A different hostname is useful to be able to see when we are inside the sandbox. + # However, some applications will not like this unless the hostname also exists in `/etc/hosts`! + bwrap_flags("--unshare-uts", "--hostname", "bubblebox"), + # Make sure the sandbox cannot inject commands into the host terminal. + bwrap_flags("--new-session"), # basic directories bwrap_flags("--proc", "/proc", "--dev", "/dev", "--dir", "/tmp", "--dir", "/var", "--dir", "/run", "--symlink", "../run", "/var/run"), # an empty XDG_RUNTIME_DIR @@ -23,27 +27,29 @@ DEFAULT = collect_flags( # https://github.com/igo95862/bubblejail is a good source of paths that need allowing. # We do not give access to pipewire, that needs a portal (https://docs.pipewire.org/page_portal.html). -DESKTOP = collect_flags( - # Access to screen and audio - host_access({ - "dev": { - ("dri", "snd"): Access.Device, - }, - "/tmp/.X11-unix/": Access.Read, - os.environ["XAUTHORITY"]: Access.Read, - XDG_RUNTIME_DIR: { - ("wayland*", "pulse"): Access.Read, - }, - }), - # Access to some key user configuration - home_access({ - (".config/fontconfig", ".XCompose"): Access.Read, - }), - # Access to basic d-bus services (that are hopefully safe to expose...) - dbus_proxy_flags("--talk=org.kde.StatusNotifierWatcher.*", "--talk=org.freedesktop.Notifications.*", "--talk=org.freedesktop.ScreenSaver.*", "--talk=org.freedesktop.portal.*"), - # Make it possible to open websites in Firefox - home_access({ - (".mozilla/firefox/profiles.ini", ".local/share/applications"): Access.Read, - }), - dbus_proxy_flags("--talk=org.mozilla.firefox.*"), -) +def DESKTOP(name): + return group( + DEFAULT, + # Share XDG_RUNTIME_DIR among all instances of this sandbox + shared_runtime_dir(name), + # Access to screen and audio + host_access({ + "dev": { + ("dri", "snd"): Access.Device, + }, + "/tmp/.X11-unix/": Access.Read, + os.environ["XAUTHORITY"]: Access.Read, + XDG_RUNTIME_DIR: { + ("wayland*", "pulse"): Access.Read, + }, + }), + # Access to some key user configuration + home_access({ + (".config/fontconfig", ".XCompose", ".local/share/applications"): Access.Read, + }), + # Access to basic d-bus services (that are hopefully safe to expose...) + dbus_proxy_flags("--talk=org.kde.StatusNotifierWatcher.*", "--talk=org.freedesktop.Notifications.*", "--talk=org.freedesktop.ScreenSaver.*", "--talk=org.freedesktop.portal.*"), + # Make it possible to open websites in Firefox + home_access({ ".mozilla/firefox/profiles.ini": Access.Read }), + dbus_proxy_flags("--talk=org.mozilla.firefox.*"), + )