Go to file
tobias c2f605367d Fix x, wayland and pulse passthrough, use OS user id and display and use env -i 2021-02-05 16:47:23 +01:00
examples/librefox more readable readme.md 2019-02-18 01:54:28 +01:00
LICENSE Initial commit 2018-12-31 00:09:19 +01:00
README.md clarified readme 2019-02-18 02:01:44 +01:00
sandbox.sh Fix x, wayland and pulse passthrough, use OS user id and display and use env -i 2021-02-05 16:47:23 +01:00

README.md

bwrapexample

This is a tiny example for how to use bubblewrap to isolate programs into namespaced everything (except network access)

Keep in mind, this is NOT a 100% breakout-resistant thing. However it could be used to protect processes from reading files they are not supposed to see, and have them locked "good enough".

Userdata will be persisted so you can run a separate browser instance as well. Or create a startup script inside the new home folder of the sandbox and run it via sandbox.sh ./start.sh.

Usage

Calling just a tool:

./sandbox.sh bash

Running an entire script in the sandbox, giving you way more code options:

./sandbox.sh ./firefox.sh

(This would call ~/sandbox.sh/main/home/USERNAMEHERE/firefox.sh)

KNOWN PROBLEMS (Examples)

vscodium

Some tools, like vscodium, use a launcher that dies when the program starts. With the script dying if the first spawned child process dies this will lead to these tools not running in this particular config. You will need to remove:

--die-with-parent
--as-pid-1

from the Script to make it work, at the risk of tools not closing when the console/program closes.

Or you could override these in a user-given addconf.sh file, see examples in the example/librefox folder

steam

Steam will die if you use the "Save Password" Option, because dbus fails.

I get this could be pretty annoying to use, so instead you can:

edit the steam.desktop file

replace "Exec" with "Exec=/path/to/sandbox.sh ./steam.sh"

And then create the file: $HOME/steam.sh/main/home/$YOUR_USERNAME_HERE/steam.sh with the contents:

steam -login $YOURUSERNAME $PASSWORD

or

steam -login '$YOURUSERNAME' '$PASSWORD'

(Make sure the args get escaped well if you have complex username/pw combos)

Beware, this will expose your credentials to all processes that can read your other system processes, but it does make steam login flawless and avoids the crash.