Added Example, Dynamic userconf and clarified readme

README.md

@@ -6,12 +6,14 @@ Keep in mind, this is NOT a 100% breakout-resistant thing. However it could be u
 
 Userdata will be persisted so you can run a separate browser instance as well. Or create a startup script inside the new home folder of the sandbox and run it via sandbox.sh ./start.sh.
 
-# Usage:
+## Usage
+
 ./sandbox.sh bash
 
-# KNOWN PROBLEMS:
+## KNOWN PROBLEMS
 
 ## vscodium
+
 Some tools, like vscodium, use a launcher that dies when the program starts.
 With the script dying if the first spawned child process dies this will lead 
 to these tools not running in this particular config.
@@ -21,6 +23,11 @@ You will need to remove:
 from the Script to make it work, at the risk of tools not closing when the console/program closes.
 
 ## steam
-Steam will die on its second launch, due to crashing as it cant talk to dbus.
-For now this is work-around-able by starting steam via a start script instead the deletes .local/share/Steam/config in the sandbox before - but it will enforce you to reenter your password.
-I'll look into this more later.
+
+Steam will die if you use the "Save Password" Option, because dbus fails.
+I get this could be pretty annoying to use, so instead you can:
+edit the steam.desktop file
+replace "Exec" with "Exec=/path/to/sandbox.sh ./steam.sh"
+And then create the file: $HOME/steam.sh/main/home/$YOUR_USERNAME_HERE/steam.sh
+with the contents: steam -login $YOURUSERNAME $PASSWORD
+Beware, this will expose your credentials to all processes that can read your other system processes, but it does make steam login flawless and avoid the crash.

examples/librefox/Readme.md

@@ -0,0 +1,23 @@
+# Librefox Example
+
+This is a generic firefox under fedora example, but with user config for librefox overrides.
+Sadly bwrap enforces files that it overrides to already exist, but you can just add empty files to mozilla.cfg and co for example.
+
+## This example assumes the "sandbox" folder is under $YOURHOME/sandbox/firefox.sh/
+
+And you have to replace all placeholders in addconf.sh (even $HOME) with the full path.
+Make sure to also replace the "USERNAMEHERE" folder in main/home.
+And because of the nature of bwrap only overriding existing files add (or touch) all files mentioned in the addconf.sh.
+
+Example:
+sudo -i
+mkdir -p /usr/lib64/firefox/defaults/pref
+mkdir -p /usr/lib64/firefox/defaults/distribution
+touch /usr/lib64/firefox/mozilla.cfg
+touch /usr/lib64/firefox/defaults/pref/local-settings.js
+touch /usr/lib64/firefox/defaults/distribution/policies.json
+exit
+
+## All fine but what does this do? Well
+
+This will get you a sandboxed firefox, default-configured for privacy, that you can update by just moving the new policy files from [the Librefox Repo](https://github.com/intika/Librefox/tree/master/librefox) into addff

examples/librefox/sandbox/addconf.sh

@@ -0,0 +1,3 @@
+--ro-bind $HOME/sandbox/firefox.sh/addff/mozilla.cfg /usr/lib64/firefox/mozilla.cfg
+--ro-bind $HOME/sandbox/firefox.sh/addff/defaults/pref/local-settings.js /usr/lib64/firefox/defaults/pref/local-settings.js
+--ro-bind $HOME/sandbox/firefox.sh/addff/distribution/policies.json /usr/lib64/firefox/defaults/distribution/policies.json 

examples/librefox/sandbox/addff/defaults/pref/local-settings.js

@@ -0,0 +1,21 @@
+//
+
+// ============================================================================================================================================
+// Librefox Version : 2.1
+// ==============================
+//
+// Metrics available on mozilla.cfg
+//
+// ============================================================================================================================================
+
+// >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
+// Section : General Settings
+// Bench Diff : ++/5000
+// >>>>>>>>>>>>>>>>>>>>
+
+// Librefox MoD
+pref("general.config.filename", "mozilla.cfg");
+
+// Default Firefox
+// ROT13 Settings primitive encryption routing that
+pref("general.config.obscure_value", 0);

examples/librefox/sandbox/addff/distribution/policies.json

@@ -0,0 +1,16 @@
+{
+  "policies": {
+    "AppUpdateURL": "",
+    "DisableAppUpdate": true,
+    "OverridePostUpdatePage": "",
+    "DisableMasterPasswordCreation": true,
+    "DisableFeedbackCommands": true,
+    "DisableFirefoxAccounts": true,
+    "DisableFirefoxStudies": true,
+    "DisablePocket": true,
+    "DisableProfileImport": true,
+    "DisableSetDesktopBackground": true,
+    "DisableSystemAddonUpdate": true,
+    "DisableTelemetry": true
+  }
+}

examples/librefox/sandbox/main/home/USERNAMEHERE/firefox.sh

@@ -0,0 +1,2 @@
+#!/bin/bash
+firefox

sandbox.sh

@@ -9,66 +9,73 @@ NATIVEUSERID=`id -u`
 #GROUPID=123456
 #NEW_HOME=/home/123456
 
-env=()
+# This is actually a nicety for users so they can add custom configs in sandbox/$1/addconf.sh
+if [ -e $HOME/sandbox/$1/addconf.sh ]
+then
+    ADDITIONALLINES=`cat $HOME/sandbox/$1/addconf.sh`
+else
+    ADDITIONALLINES=""
+fi
 
+env=()
+# With this we add every known environment variable to be unset, to minimize data leaks
+# This is not secured against the keys being malicious.
 for line in `compgen -v`; do
-  # With this we add every known environment variable to be unset, to minimize data leaks
-  # This is not secured against the keys being malicious.
   env+=("--unsetenv $line") 
 done 
 
 pci=()
-
+# This is needed to give access for pci devices, so gpu acceleration (should mostly) work
 for line in `ls /sys/devices/ | grep pci`; do
-  # This is needed to give access for pci devices, so gpu acceleration (should mostly) work
   pci+=("--dev-bind /sys/devices/$line /sys/devices/$line") 
 done 
 
 # Same here, the calling tool needs to ensure $HOME and the passed arguments are not malicious.
-
+# This creates the sandbox target directories
 mkdir -p $HOME/sandbox/$1/main/$NEW_HOME
 mkdir -p $HOME/sandbox/$1/tmp
 
-bwrap \
---bind $HOME/sandbox/$1/main/ / \
---bind $HOME/sandbox/$1/tmp/ /tmp \
---ro-bind /bin /bin \
---ro-bind /etc /etc \
---ro-bind /usr /usr \
---ro-bind /usr/sbin /sbin \
---ro-bind /usr/lib64 /lib64 \
---ro-bind /usr/lib /lib \
---proc /proc \
---dev /dev \
---dev-bind /dev/dri /dev/dri \
---tmpfs /var \
---tmpfs /run --dir /run/user/$USERID \
---bind $HOME/sandbox/$1/main/$NEW_HOME $NEW_HOME \
---dev-bind /sys/dev/char /sys/dev/char \
---dev-bind /run/user/$NATIVEUSERID/pulse /run/user/$USERID/pulse \
-${pci[@]} \
---unshare-all \
---unshare-user \
---share-net \
---new-session \
---hostname sb \
---uid $USERID \
---gid $GROUPID \
---die-with-parent \
---as-pid-1 \
---cap-drop ALL \
---chdir $NEW_HOME \
-${env[@]} \
---unsetenv 'BASH_FUNC_module%%' \
+bwrap `#The base bwrap` \
+--bind $HOME/sandbox/$1/main/ / `#this re-binds the virtual / in the users home to the bubblewrapped /` \
+--bind $HOME/sandbox/$1/tmp/ /tmp `#Allow writing to a virtual /tmp as well` \
+--ro-bind /bin /bin `#allow access to systems binaries` \
+--ro-bind /etc /etc `#allow access to shared config etc` \
+--ro-bind /usr /usr `#lots of .so files and executables here as well` \
+--ro-bind /usr/sbin /sbin `#These are just compat rebinds` \
+--ro-bind /usr/lib64 /lib64 `#compat` \
+--ro-bind /usr/lib /lib `#compat` \
+--proc /proc `#adds a virtual proc dir` \
+--dev /dev `#adds a virtual dev dir` \
+--dev-bind /dev/dri /dev/dri `#we have to bind this so tools can access accelerated rendering` \
+--tmpfs /var `#allow writing from and to var, but a new empty one` \
+--tmpfs /run --dir /run/user/$USERID `#same for run, but make sure the virtual user run dir exists` \
+--bind $HOME/sandbox/$1/main/$NEW_HOME $NEW_HOME `#binding the user home to our wanted directory` \
+--dev-bind /sys/dev/char /sys/dev/char `#more bindings for gpu accel access` \
+--dev-bind /run/user/$NATIVEUSERID/pulse /run/user/$USERID/pulse `#allows applications to have sound` \
+${pci[@]} `#this will add all gpus in the system as dev-bind, so we can access them (gpu accel)` \
+--unshare-all `#even if in the future more can be unshared, auto-do it` \
+--unshare-user `#dont just try to unshare the user, enforce doing so!` \
+--share-net `#bwrap override: allow network access` \
+--new-session `#separates the called shell so the tool running cant inject into the calling cli` \
+--hostname sb `#sets the virtual hostname` \
+--uid $USERID `#force this virtual user id` \
+--gid $GROUPID `#force this virtual group id` \
+--die-with-parent `#if the first calling process dies - kill all children` \
+--as-pid-1 `#the virtual process will get pid1 and think its the init process, to hide PIDs` \
+--cap-drop ALL `#drops capabilities even if you run this as root (you likely shouldnt)` \
+--chdir $NEW_HOME `#change working dir in the virtual env to this` \
+${env[@]} `#get rid of all env vars, as they can expose host information` \
+--unsetenv 'BASH_FUNC_module%%' `#bash internal function unset x3` \
 --unsetenv 'BASH_FUNC__module_raw%%' \
 --unsetenv 'BASH_FUNC_switchml%%' \
---setenv HOME "$NEW_HOME" \
---setenv PWD "$NEW_HOME" \
---setenv LC_ALL "en_US.UTF-8" \
---setenv DISPLAY ":0" \
---setenv XDG_RUNTIME_DIR "/tmp" \
---setenv TERM "xterm-256color" \
---setenv COLORTERM "truecolor" \
---setenv DEFAULT_USER $USERID \
---setenv PATH "/usr/local/bin:/usr/share/Modules/bin:/usr/lib64/ccache:/usr/local/bin:/usr/local/sbin:/usr/bin:/usr/sbin" \
-$1
+--setenv HOME "$NEW_HOME" `#tricks some applications to accept the virtual home` \
+--setenv PWD "$NEW_HOME" `#same` \
+--setenv LC_ALL "en_US.UTF-8" `#set common lang - likely should get this from main os but no bug reports for it so far. :P` \
+--setenv DISPLAY ":0" `#let there be display` \
+--setenv XDG_RUNTIME_DIR "/tmp" `#put desktop app temp files here if they rely on xdg` \
+--setenv TERM "xterm-256color" `#enforce full color terms` \
+--setenv COLORTERM "truecolor" `#not setting this can crash some term emulators` \
+--setenv DEFAULT_USER $USERID `#more user trickery` \
+--setenv PATH "/usr/local/bin:/usr/share/Modules/bin:/usr/lib64/ccache:/usr/local/bin:/usr/local/sbin:/usr/bin:/usr/sbin" `#make tools aware of our modified preferred paths` \
+$ADDITIONALLINES `#add user config` \
+$1 `#run the actual tool`