From 43307ef533738f9b108a6daa91541692f396a725 Mon Sep 17 00:00:00 2001 From: Ralf Jung Date: Sun, 14 Apr 2024 16:53:11 +0200 Subject: [PATCH] add bubblebox and blog about it --- personal/_config.yml | 1 + personal/_posts/2024-04-14-bubblebox.md | 68 +++++++++++++++++++++++++ personal/projects/index.md | 13 ++--- 3 files changed, 76 insertions(+), 6 deletions(-) create mode 100644 personal/_posts/2024-04-14-bubblebox.md diff --git a/personal/_config.yml b/personal/_config.yml index f2c5c2a..959b104 100644 --- a/personal/_config.yml +++ b/personal/_config.yml @@ -12,6 +12,7 @@ readmes: src_base: "/home/r/src" out_base: "projects" projects: + - name: "bubblebox" - name: "dyn-nsupdate" - name: "git-mirror" - name: "lilass" diff --git a/personal/_posts/2024-04-14-bubblebox.md b/personal/_posts/2024-04-14-bubblebox.md new file mode 100644 index 0000000..85dc684 --- /dev/null +++ b/personal/_posts/2024-04-14-bubblebox.md 
@@ -0,0 +1,68 @@ +--- +title: "Sandboxing All The Things with Flatpak and BubbleBox" +categories: sysadmin +--- + +A few years ago, I have [blogged]({% post_url 2019-03-09-firejail %}) about my approach to sandboxing less-trusted applications that I have to or want to run on my main machine. +The approach has changed since then, so it is time for an update. + + + +Over time I grew increasingly frustrated with Firejail: configurations would frequently break on updates, +and debugging Firejail profiles is extremely hard. When considering all the included files, we are talking +about many hundred lines of configuration with a subtle interplay of allowlists and blocklists. +Even when I knew which folder I wanted to give access to, it was often non-trivial to ensure that +this access would actually be possible. + +Now I am instead using a combination of two different approaches: Flatpak and BubbleBox. + +## Flatpak + +The easiest sandbox to maintain is the sandbox maintained by someone else. +So when a Flatpak exists for software I want to or have to use, such as Signal or Zoom, that is generally my preferred approach. + +Unfortunately, Flatpaks can come with extremely liberal default profiles that make the sandbox mostly pointless. +The following global overrides help ensure that this does not happen: +``` +[Context] +sockets=!gpg-agent;!pcsc;!ssh-auth;!system-bus;!session-bus +filesystems=~/.XCompose:ro;xdg-config/fontconfig:ro;!~/.gnupg;!~/.ssh;!xdg-documents;!home;!host + +[Session Bus Policy] +org.freedesktop.Flatpak=none +org.freedesktop.secrets=none +``` + +## BubbleBox + +However, not all software exists as Flatpak. +Also, sometimes I want software to run basically on my host system (i.e., to use the regular `/usr`), just without access to literally *everything* in my home directory. +Examples of this are Factorio and VSCodium. +The latter doesn't work in Flatpak as I want to use it with LaTeX, and realistically this means it needs to run the LaTeX on my host. 
+The official recommendation is to effectively disable the Flatpak sandbox, but that entirely defeats the point, so I went looking for alternatives. + +[bubblewrap] provides a very convenient solution: it can start an application in its own private filesystem namespace with full control over which part of the host file system is accessible from inside the sandbox. +I wrote a small wrapper around bubblewrap to make this configuration a bit more convenient to write and manage; +this project is called [BubbleBox]. +This week-end I finally got around to adding support for [xdg-dbus-proxy] so that sandboxed applications can now access particular D-Bus functions without having access to the entire bus (which is in general not safe to expose to a sandboxed application). +That means it's finally time to blog about this project, so here we go -- if you are interested, check out [BubbleBox]; +the project page explains how you can use it to set up your own sandboxing. +One day I should probably rewrite this in Rust... + +I should also note that this is not the only bubblewrap-based sandboxing solution. +[bubblejail] is fairly similar but provides a configuration GUI and a good set of default provides; +it was a very useful resource when figuring out the right bubblewrap flags to make complex GUI applications work properly. +(Incidentally, "bubblejail" is also how I called my own script originally, but then I realized that the name is already taken.) +Joachim Breitner also recently [blogged](https://www.joachim-breitner.de/blog/812-Convenient_sandboxed_development_environment) about his own bubblewrap-based sandboxing script. +There are many ways to do this, and it was fun to figure out my own solution. + +Using bubblewrap and xdg-dbus-proxy for this was an absolute joy. 
+Both of these components came out of the Flatpak project, but the authors realized that they could be independently useful, +so in best Unix tradition they turned them into tools that provide all the required mechanism without hard-coding any sort of policy. +Despite doing highly non-trivial tasks, they are both pretty easy to use and compose and very well-documented. +Thanks a lot to everyone involved! + +[bubblewrap]: https://github.com/containers/bubblewrap +[BubbleBox]: {{ site.baseurl }}/projects/bubblebox +[xdg-dbus-proxy]: https://github.com/flatpak/xdg-dbus-proxy +[bubblejail]: https://github.com/igo95862/bubblejail diff --git a/personal/projects/index.md b/personal/projects/index.md index 988c471..f872845 100644 --- a/personal/projects/index.md +++ b/personal/projects/index.md 
@@ -7,17 +7,18 @@ To solve some issue I was having, or to facilitate my daily computer usage. The tools were usually not written with general re-usability in mind. But maybe you are having just the same problem as I did, in which case I hope they can be helpful. -* [dyn-nsupdate](dyn-nsupdate/): A tool to dynamically and securely update DNS zones via CGI. +* [BubbleBox](bubblebox): A simple script to sandbox Linux applications. +* [dyn-nsupdate](dyn-nsupdate): A tool to dynamically and securely update DNS zones via CGI. This provides self-hosted DynDNS services. -* [git-mirror](git-mirror/): This can keep multiple git repositories of the same project in sync automatically. -* [LiLaSS](lilass/): A simple xrandr-based application to configure laptop screens on Linux. If you are using a +* [git-mirror](git-mirror): This can keep multiple git repositories of the same project in sync automatically. +* [LiLaSS](lilass): A simple xrandr-based application to configure laptop screens on Linux. If you are using a Laptop, frequently work both with and without an external screen, and you are not happy with the configuration options your desktop provides, this may be for you. -* [Rust-101](rust-101/): A small tutorial for the [Rust language](https://www.rust-lang.org). -* [schsh](schsh/): A collection of scripts and configuration files which can be used to grant +* [Rust-101](rust-101): A small tutorial for the [Rust language](https://www.rust-lang.org). +* [schsh](schsh): A collection of scripts and configuration files which can be used to grant someone secure (SSH-based) access to a machine, without giving them a shell or read access to the entire file system. -* [zonemaker](zonemaker/): A small script to generate DNS zone files from Python. +* [zonemaker](zonemaker): A small script to generate DNS zone files from Python. 
For some more of my projects, check out the [public git repositories](https://www.ralfj.de/git/) hosted on my server and my [GitHub profile](https://github.com/RalfJung/). -- 2.30.2
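Review bot: The Flatpak override block in the new post (the `[Context]` / `[Session Bus Policy]` fence) never says where these "global overrides" live or how they are applied, so a reader cannot reproduce the setup; add a sentence that they go into the user global override file (`~/.local/share/flatpak/overrides/global`) or are set with `flatpak override --user ...`, and tag the fence as `ini` so it renders with highlighting. It would also help to say in one line why the two bus-policy entries matter: `org.freedesktop.Flatpak=none` is what keeps a sandboxed app from using the Flatpak host-spawn interface, and `org.freedesktop.secrets=none` keeps it away from the keyring. Two wording fixes in the same file: `A few years ago, I have [blogged]` reads better as `A few years ago, I [blogged]`, and `a good set of default provides` in the bubblejail paragraph looks like a typo for `default profiles`.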
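Review bot: The `personal/projects/index.md` hunk rewrites every existing project link from the `dyn-nsupdate/`, `git-mirror/`, `lilass/`, `rust-101/`, `schsh/`, `zonemaker/` form to the same name without the trailing slash, which is unrelated to adding BubbleBox and is not mentioned in the commit message (`add bubblebox and blog about it`); either add the new entry in the existing form, `* [BubbleBox](bubblebox/): A simple script to sandbox Linux applications.`, and leave the other lines untouched, or move the slash removal into its own commit with a message explaining why the link form changes.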