more readable readme.md

Tobias 2019-02-18 01:54:28 +01:00
parent b04d2b3215
commit a91b08636e
2 changed files with 24 additions and 12 deletions

View File

@ -1,6 +1,6 @@
# bwrapexample
This is a tiny example for how to use bubblewrap to isolate programs into namespaced everything (except network access)
This is a tiny example for how to use [bubblewrap](https://github.com/projectatomic/bubblewrap) to isolate programs into namespaced everything (except network access)
Keep in mind, this is NOT a 100% breakout-resistant thing. However it could be used to protect processes from reading files they are not supposed to see, and have them locked "good enough".
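Review bot: the new link line and the "Keep in mind, this is NOT a 100% breakout-resistant thing" caveat that follows it are not separated by a blank line, so Markdown renders them as one paragraph and the caveat, which is the most important security statement in the README, gets buried at the end of the description; put a blank line between the description line and the "Keep in mind" line (or make the caveat its own short paragraph under a heading such as `## Caveats`) so it stands out. The description line itself reads cleanly with the link added.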
@ -10,24 +10,33 @@ Userdata will be persisted so you can run a separate browser instance as well. O
./sandbox.sh bash
## KNOWN PROBLEMS
## KNOWN PROBLEMS (Examples)
## vscodium
### vscodium
Some tools, like vscodium, use a launcher that dies when the program starts.
With the script dying if the first spawned child process dies this will lead
With the script dying if the first spawned child process dies this will lead
to these tools not running in this particular config.
You will need to remove:
--die-with-parent \
--as-pid-1 \
``` bash
--die-with-parent
--as-pid-1
```
from the Script to make it work, at the risk of tools not closing when the console/program closes.
## steam
### steam
Steam will die if you use the "Save Password" Option, because dbus fails.
I get this could be pretty annoying to use, so instead you can:
edit the steam.desktop file
replace "Exec" with "Exec=/path/to/sandbox.sh ./steam.sh"
Steam will die if you use the "Save Password" Option, because dbus fails.\
I get this could be pretty annoying to use, so instead you can:\
edit the steam.desktop file\
replace "Exec" with "Exec=/path/to/sandbox.sh ./steam.sh"\
And then create the file: $HOME/steam.sh/main/home/$YOUR_USERNAME_HERE/steam.sh
with the contents: steam -login $YOURUSERNAME $PASSWORD
with the contents:
``` bash
steam -login $YOURUSERNAME $PASSWORD
```
Beware, this will expose your credentials to all processes that can read your other system processes, but it does make steam login flawless and avoid the crash.
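Review bot: in the steam section, the path `$HOME/steam.sh/main/home/$YOUR_USERNAME_HERE/steam.sh` uses `steam.sh` as a directory component, which looks like a typo for the directory that holds the sandbox's `main/home` tree (the install notes in the other file refer to the "USERNAMEHERE" folder in `main/home`); please double-check it before this lands. Since that file holds `steam -login $YOURUSERNAME $PASSWORD` in clear text, the instructions should also tell the reader to create it with restrictive permissions (for example `chmod 600`), and the closing "Beware" sentence would be clearer if it said explicitly that the password is visible both in the file and in the command line of the running `steam` process, which is what "processes that can read your other system processes" refers to. Minor: the removed version of the vscodium snippet showed `--die-with-parent \` and `--as-pid-1 \` with the trailing backslashes exactly as they appear in the script, which makes the lines easier to find; the new fenced block drops them, so consider keeping the backslashes inside the fence.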

View File

@ -10,6 +10,8 @@ Make sure to also replace the "USERNAMEHERE" folder in main/home.
And because of the nature of bwrap only overriding existing files add (or touch) all files mentioned in the addconf.sh.
Example:
``` bash
sudo -i
mkdir -p /usr/lib64/firefox/defaults/pref
mkdir -p /usr/lib64/firefox/defaults/distribution
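Review bot: wrapping the commands in a ```` ``` bash ```` fence helps readability, but the `sudo -i` at the top (paired with the `exit` in the next hunk) turns the block into an interactive root session: a reader who pastes it and hits an error is left sitting in a root shell. Prefer prefixing each command with `sudo` (`sudo mkdir -p /usr/lib64/firefox/defaults/pref`, and so on), which keeps privilege to the individual commands that need it and makes the block runnable non-interactively.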
@ -17,6 +19,7 @@ touch /usr/lib64/firefox/mozilla.cfg
touch /usr/lib64/firefox/defaults/pref/local-settings.js
touch /usr/lib64/firefox/defaults/distribution/policies.json
exit
```
## All fine but what does this do? Well
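Review bot: `touch` leaves `policies.json` as an empty file, which is not valid JSON; because these placeholder files also exist for the host Firefox outside the sandbox (they are only there so bwrap has an existing file to bind over), consider writing `{}` into it instead (for example `echo '{}' | sudo tee /usr/lib64/firefox/defaults/distribution/policies.json`) so the unsandboxed browser sees a parseable no-policy file while the mount target still exists. The closing fence is correctly placed after `exit`, but add a blank line before the following `## All fine but what does this do? Well` heading for consistency with the rest of the file.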