further improvements

valoq 2018-08-07 19:42:21 +02:00
parent 18c462f18a
commit 47fd95c4a4
No known key found for this signature in database
GPG Key ID: 19F09A0FB865CBD8
2 changed files with 8 additions and 6 deletions


@ -2,8 +2,8 @@
set -euo pipefail
(
exec bwrap \
--ro-bind /usr/bin/firefox /usr/bin/firefox \
--ro-bind /usr/bin/ /usr/bin/ \
--ro-bind /usr/bin/apulse /usr/bin/apulse \
--ro-bind /usr/bin/sh /usr/bin/sh \
--ro-bind /usr/share/ /usr/share/ \
--ro-bind /usr/lib /usr/lib \
--ro-bind /usr/lib64 /usr/lib64 \
@ -57,9 +57,11 @@ set -euo pipefail
--new-session \
--seccomp 10 \
10< /usr/local/bin/seccomp_default_filter.bpf \
/usr/bin/firefox
apulse /usr/lib/firefox/firefox
)
# further hardining is possible by removing apulse, sh and /dev/snd (removing sound support)
# todo:
# --ro-bind /usr/share/locale /usr/share/locale \
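Review bot: The final command line starts `apulse` by bare name, so which file runs inside the sandbox depends on the PATH that bwrap inherits from the caller, while the bind list only provides `/usr/bin/apulse`. Writing it as `/usr/bin/apulse /usr/lib/firefox/firefox` pins the wrapper to the read-only bind instead of to a PATH lookup. The options between the two hunks are not shown on this page, so if PATH is already fixed there with `--setenv` this is only a consistency point. The same bare `apulse` appears on the last command line of the second file. The trailing comment also has a typo, `hardining` for `hardening`.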


@ -2,8 +2,8 @@
set -euo pipefail
(
exec bwrap \
--ro-bind /usr/bin/firefox /usr/bin/firefox \
--ro-bind /usr/bin/ /usr/bin/ \
--ro-bind /usr/bin/apulse /usr/bin/apulse \
--ro-bind /usr/bin/sh /usr/bin/sh \
--ro-bind /usr/share/ /usr/share/ \
--ro-bind /usr/lib /usr/lib \
--ro-bind /usr/lib64 /usr/lib64 \
@ -48,7 +48,7 @@ set -euo pipefail
--new-session \
--seccomp 10 \
10< /usr/local/bin/seccomp_default_filter.bpf \
apulse /usr/bin/firefox
apulse /usr/lib/firefox/firefox
)
# note: running firefox on wayland like this should make a complete sandbox
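Review bot: The closing note calls this a complete sandbox, but as far as the rendered page shows, this script also binds `/usr/bin/sh` and `/usr/bin/apulse` and launches Firefox through `apulse`. The other script's trailing comment names those same items as things whose removal would harden the sandbox further. The note should carry that caveat, for example `# note: sound support keeps sh and apulse inside the sandbox; removing them hardens it further`. The note itself looks like unchanged context, and the lines between the two hunks are not visible, so whether `/dev/snd` is bound here as well needs checking against the full file.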