more readable readme.md
parent
b04d2b3215
commit
a91b08636e
33
README.md
|
@ -1,6 +1,6 @@
|
|||
# bwrapexample
|
||||
|
||||
This is a tiny example for how to use bubblewrap to isolate programs into namespaced everything (except network access)
|
||||
This is a tiny example for how to use [bubblewrap](https://github.com/projectatomic/bubblewrap) to isolate programs into namespaced everything (except network access)
|
||||
|
||||
Keep in mind, this is NOT a 100% breakout-resistant thing. However it could be used to protect processes from reading files they are not supposed to see, and have them locked "good enough".
|
||||
|
||||
|
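Review bot: In the reworded intro line, "namespaced everything (except network access)" can be read two ways: the network is blocked, or the network is the one thing left unisolated. Suggest saying it outright, for example that every namespace is unshared except the network namespace, so sandboxed programs keep full network access. The following "NOT a 100% breakout-resistant" paragraph already sets expectations about limits, and the network exception belongs with it.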
@ -10,24 +10,33 @@ Userdata will be persisted so you can run a separate browser instance as well. O
|
|||
|
||||
./sandbox.sh bash
|
||||
|
||||
## KNOWN PROBLEMS
|
||||
## KNOWN PROBLEMS (Examples)
|
||||
|
||||
## vscodium
|
||||
### vscodium
|
||||
|
||||
Some tools, like vscodium, use a launcher that dies when the program starts.
|
||||
With the script dying if the first spawned child process dies this will lead
|
||||
With the script dying if the first spawned child process dies this will lead
|
||||
to these tools not running in this particular config.
|
||||
You will need to remove:
|
||||
--die-with-parent \
|
||||
--as-pid-1 \
|
||||
|
||||
``` bash
|
||||
--die-with-parent
|
||||
--as-pid-1
|
||||
```
|
||||
|
||||
from the Script to make it work, at the risk of tools not closing when the console/program closes.
|
||||
|
||||
## steam
|
||||
### steam
|
||||
|
||||
Steam will die if you use the "Save Password" Option, because dbus fails.
|
||||
I get this could be pretty annoying to use, so instead you can:
|
||||
edit the steam.desktop file
|
||||
replace "Exec" with "Exec=/path/to/sandbox.sh ./steam.sh"
|
||||
Steam will die if you use the "Save Password" Option, because dbus fails.\
|
||||
I get this could be pretty annoying to use, so instead you can:\
|
||||
edit the steam.desktop file\
|
||||
replace "Exec" with "Exec=/path/to/sandbox.sh ./steam.sh"\
|
||||
And then create the file: $HOME/steam.sh/main/home/$YOUR_USERNAME_HERE/steam.sh
|
||||
with the contents: steam -login $YOURUSERNAME $PASSWORD
|
||||
with the contents:
|
||||
|
||||
``` bash
|
||||
steam -login $YOURUSERNAME $PASSWORD
|
||||
```
|
||||
|
||||
Beware, this will expose your credentials to all processes that can read your other system processes, but it does make steam login flawless and avoid the crash.
|
|
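Review bot: The "Beware" sentence after `steam -login $YOURUSERNAME $PASSWORD` in the steam section only covers exposure through the process list, but the same line also leaves the password in clear text in steam.sh on disk. Suggest extending the warning to say so and recommending that the file be readable by its owner only. Two smaller points in this hunk: the path `$HOME/steam.sh/main/home/$YOUR_USERNAME_HERE/steam.sh` reads as if steam.sh were a directory under $HOME, and the new fenced block shows `--die-with-parent` and `--as-pid-1` without the trailing backslashes the old text had, so a reader searching the script for the exact lines may not find them.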
@ -10,6 +10,8 @@ Make sure to also replace the "USERNAMEHERE" folder in main/home.
|
|||
And because of the nature of bwrap only overriding existing files add (or touch) all files mentioned in the addconf.sh.
|
||||
|
||||
Example:
|
||||
|
||||
``` bash
|
||||
sudo -i
|
||||
mkdir -p /usr/lib64/firefox/defaults/pref
|
||||
mkdir -p /usr/lib64/firefox/defaults/distribution
|
||||
|
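Review bot: The example opens with `sudo -i`, which puts the reader in a root login shell for a handful of mkdir and touch calls, so anything pasted by mistake before the later `exit` also runs as root. Suggest prefixing each command with sudo instead, e.g. `sudo mkdir -p /usr/lib64/firefox/defaults/pref`. The sentence above the example ("And because of the nature of bwrap only overriding existing files add (or touch) all files ...") also needs a comma after "existing files" to parse.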
@ -17,6 +19,7 @@ touch /usr/lib64/firefox/mozilla.cfg
|
|||
touch /usr/lib64/firefox/defaults/pref/local-settings.js
|
||||
touch /usr/lib64/firefox/defaults/distribution/policies.json
|
||||
exit
|
||||
```
|
||||
|
||||
## All fine but what does this do? Well
|
||||
|
||||
|
|
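Review bot: The heading "## All fine but what does this do? Well" ends on a dangling "Well". Move that word into the paragraph that follows, or drop it, so the heading stands as a complete question.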