From: Ralf Jung Date: Mon, 15 Apr 2024 13:46:29 +0000 (+0200) Subject: link to possible solutions that avoid --new-session X-Git-Url: https://git.ralfj.de/bubblebox.git/commitdiff_plain/3a59fb5ed4a5ad3bc9bdadae9616c62f7de38fff?ds=sidebyside link to possible solutions that avoid --new-session --- diff --git a/profiles.py b/profiles.py index 70e8b81..69445f4 100644 --- a/profiles.py +++ b/profiles.py @@ -9,6 +9,11 @@ DEFAULT = group( # However, some applications will not like this unless the hostname also exists in `/etc/hosts`! bwrap_flags("--unshare-uts", "--hostname", "bubblebox"), # Make sure the sandbox cannot inject commands into the host terminal. + # TODO: This flag breaks some CLI applications, like job control in shells. + # Consider using SECCOMP instead. + # Possible code to use for that: + # There is also a good list of possible-syscalls-to-block at + # . bwrap_flags("--new-session"), # basic directories bwrap_flags("--proc", "/proc", "--dev", "/dev", "--dir", "/tmp", "--dir", "/var", "--dir", "/run", "--symlink", "../run", "/var/run"),