# bwrapexample

This is a tiny example of how to use bubblewrap to isolate programs in their own namespaces for everything except network access.

Keep in mind that this is NOT a 100% breakout-resistant sandbox. It can, however, be used to keep processes from reading files they are not supposed to see and lock them down "good enough".

User data is persisted, so you can run a separate browser instance with it as well. Alternatively, create a startup script inside the sandbox's new home folder and run it via `./sandbox.sh ./start.sh`.

## Usage

```
./sandbox.sh bash
```

## KNOWN PROBLEMS

### vscodium

Some tools, like vscodium, use a launcher that exits as soon as the program starts. Because the script dies when the first spawned child process dies, such tools will not run in this particular configuration. To make them work you will need to remove the following from the script, at the risk of tools not closing when the console/program closes:

```
--die-with-parent
--as-pid-1
```
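A minimal sandbox.sh-style wrapper, added here as an example and not the repository's own script: it assumes bwrap is installed, uses a persistent home directory name chosen for this example (`$HOME/sandbox-home`), and makes the two flags from the note above optional so a launcher-style tool can be started with `SANDBOX_KEEP_PID1=0`.

```shell
#!/bin/sh
# Minimal sandbox.sh-style wrapper, added as an example (not the repo's script).
# Assumptions: bwrap is installed; the persistent home lives in $SANDBOX_HOME
# (default $HOME/sandbox-home, a name chosen here); SANDBOX_KEEP_PID1=0 drops
# --die-with-parent/--as-pid-1 for launcher-style tools (the vscodium case).
set -eu

sandbox_home() {
    printf '%s\n' "${SANDBOX_HOME:-${HOME:-/tmp}/sandbox-home}"
}

# Build the bwrap option list once, then either print it (mode "print", one
# option per line, for inspection) or exec bwrap with it (mode "exec") followed
# by the command. Everything is unshared except the network (--share-net); the
# host home is hidden behind the persistent sandbox home; /tmp is a private tmpfs.
with_bwrap_opts() {
    mode=$1; keep_pid1=$2; shift 2
    if [ "$keep_pid1" = 1 ]; then
        set -- --die-with-parent --as-pid-1 "$@"
    fi
    set -- --ro-bind /usr /usr \
           --symlink usr/lib /lib \
           --symlink usr/lib64 /lib64 \
           --symlink usr/bin /bin \
           --ro-bind /etc /etc \
           --dev /dev \
           --proc /proc \
           --tmpfs /tmp \
           --bind "$(sandbox_home)" "${HOME:-/tmp}" \
           --unshare-all --share-net \
           --new-session \
           "$@"
    case $mode in
        print) printf '%s\n' "$@" ;;
        exec)  exec bwrap "$@" ;;
    esac
}

# Number of times a flag appears in the option list (0 when absent).
has_opt() {
    with_bwrap_opts print "$1" | grep -c -x -- "$2" || true
}

# Usage: ./sandbox.sh bash     SANDBOX_KEEP_PID1=0 ./sandbox.sh codium
if [ "$#" -gt 0 ]; then
    mkdir -p "$(sandbox_home)"
    with_bwrap_opts exec "${SANDBOX_KEEP_PID1:-1}" "$@"
fi
```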

### steam

Steam will die if you use the "Save Password" option, because dbus fails. I get that this could be pretty annoying to use, so instead you can:

1. Edit the steam.desktop file and replace the "Exec" line with `Exec=/path/to/sandbox.sh ./steam.sh`.
2. Create the file `$HOME/steam.sh/main/home/$YOUR_USERNAME_HERE/steam.sh` with the contents:

```
steam -login $YOURUSERNAME $PASSWORD
```

Beware, this will expose your credentials to all processes that can read your other system processes, but it does make the Steam login flawless and avoids the crash.