From dedc0b1457e8991555d8031c1da687cbdaed83ae Mon Sep 17 00:00:00 2001 From: Ralf Jung Date: Tue, 7 May 2024 16:44:46 +0200 Subject: [PATCH 1/3] provide some non-default settings to GTK3 apps --- profiles.py | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/profiles.py b/profiles.py index 3d395c5..57dc010 100644 --- a/profiles.py +++ b/profiles.py @@ -56,10 +56,13 @@ def DESKTOP(name): }, }), X11(), - # Access to some key user configuration + # Access to some key user configuration. + # We set GSETTINGS_BACKEND to make GTK3 apps use the config file in ~/.config/glib-2.0. + # (The "right" solution here is probably the settings portal...) home_access({ - (".config/fontconfig", ".XCompose", ".local/share/applications"): Access.Read, + (".config/fontconfig", ".config/glib-2.0", ".XCompose", ".local/share/applications"): Access.Read, }), + bwrap_flags("--setenv", "GSETTINGS_BACKEND", "keyfile"), # Access to basic d-bus services (that are hopefully safe to expose...) dbus_proxy_flags( "--call=org.kde.StatusNotifierWatcher=@/StatusNotifierWatcher", -- 2.30.2 From 7dceb9e93e9f9e202711b0f53ede17b9acd0d79a Mon Sep 17 00:00:00 2001 From: Jochen Bauer Date: Fri, 9 Aug 2024 09:09:41 +0200 Subject: [PATCH 2/3] Fix typo in readme file --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index cee1e66..32aa2ec 100644 --- a/README.md +++ b/README.md @@ -6,7 +6,7 @@ This is the documentation of [BubbleBox](https://www.ralfj.de/projects/bubblebox tool to easily sandbox Linux applications. The primary use-case for BubbleBox is running applications that you do not trust enough -to give them full access to hour home directory, and in particular the secret keys stored there. +to give them full access to your home directory, and in particular the secret keys stored there. BubbleBox is based on [bubblewrap] and [xdg-dbus-proxy] which do all of the heavy lifting. The goals of this project are similar to [firejail], but I found firejail's configuration to be extremely hard to maintain and debug. -- 2.30.2 From 97374dba716ee7954d9e267a312d2d3f50386fec Mon Sep 17 00:00:00 2001 From: Ralf Jung Date: Fri, 9 Aug 2024 11:22:55 +0200 Subject: [PATCH 3/3] don't change hostname, it doesn't work well for GUI apps under Gnome --- profiles.py | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/profiles.py b/profiles.py index 57dc010..d2d7841 100644 --- a/profiles.py +++ b/profiles.py @@ -7,7 +7,8 @@ DEFAULT = group( bwrap_flags("--unshare-user", "--unshare-pid", "--unshare-cgroup"), # A different hostname is useful to be able to see when we are inside the sandbox. # However, some applications will not like this unless the hostname also exists in `/etc/hosts`! - bwrap_flags("--unshare-uts", "--hostname", "bubblebox"), + # Also, gnome-shell doesn't display window icons properly when this is set. + #bwrap_flags("--unshare-uts", "--hostname", "bubblebox"), # Make sure the sandbox cannot inject commands into the host terminal. # TODO: This flag breaks some CLI applications, like job control in shells. # Consider using SECCOMP instead. -- 2.30.2