tool to easily sandbox Linux applications.
The primary use-case for BubbleBox is running applications that you do not trust enough
-to give them full access to hour home directory, and in particular the secret keys stored there.
+to give them full access to your home directory, and in particular the secret keys stored there.
BubbleBox is based on [bubblewrap] and [xdg-dbus-proxy] which do all of the heavy lifting.
The goals of this project are similar to [firejail], but I found firejail's configuration to be extremely hard to maintain and debug.
bwrap_flags("--unshare-user", "--unshare-pid", "--unshare-cgroup"),
# A different hostname is useful to be able to see when we are inside the sandbox.
# However, some applications will not like this unless the hostname also exists in `/etc/hosts`!
- bwrap_flags("--unshare-uts", "--hostname", "bubblebox"),
+ # Also, gnome-shell doesn't display window icons properly when this is set.
+ #bwrap_flags("--unshare-uts", "--hostname", "bubblebox"),
# Make sure the sandbox cannot inject commands into the host terminal.
# TODO: This flag breaks some CLI applications, like job control in shells.
# Consider using SECCOMP instead.
},
}),
X11(),
- # Access to some key user configuration
+ # Access to some key user configuration.
+ # We set GSETTINGS_BACKEND to make GTK3 apps use the config file in ~/.config/glib-2.0.
+ # (The "right" solution here is probably the settings portal...)
home_access({
- (".config/fontconfig", ".XCompose", ".local/share/applications"): Access.Read,
+ (".config/fontconfig", ".config/glib-2.0", ".XCompose", ".local/share/applications"): Access.Read,
}),
+ bwrap_flags("--setenv", "GSETTINGS_BACKEND", "keyfile"),
# Access to basic d-bus services (that are hopefully safe to expose...)
dbus_proxy_flags(
"--call=org.kde.StatusNotifierWatcher=@/StatusNotifierWatcher",
projects / bubblebox.git / commitdiff