deviloric
/
bubblewrap-scripts
mirror of https://github.com/valoq/bwscripts.git
0
0
Fork 0
Code Releases Activity

added example scripts

This commit is contained in:
valoq 2017-02-22 21:16:05 +01:00
parent d4fbb43a39
commit 6102281302
No known key found for this signature in database
GPG Key ID: 19F09A0FB865CBD8
16 changed files with 639 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

27
README.md
View File

@ -1,2 +1,27 @@
# bwscripts
bwscripts
========
Bubblewrap example scripts
This repository contains some tools for working with bubblewrap as well as example profile scripts for several programs to show how bubblewrap can be used to sandbox applications.
Install
-------
To automatically use the sandboxed applications profiles, copy the scripts to /usr/local/bin and make them executeable. By default a seccomp bpf file is expected in that directory as well. Use the exportFilter program to generate the seccomp bpf file. You can create individual filters by specifying syscalls to be blacklisted or whitelisted using the defined makros.
Disclaimer
----------
This repository is not associated with the official bubblewrap project
Warning
-------
Using the provided scripts to sandbox linux desktop applications only provides limited protection as there are several weak points like the X-Window-Server and Dbus IPC that need to be isolated as well to prevent sandbox escape.

51
profiles/7z Normal file
View File

@ -0,0 +1,51 @@
#!/usr/bin/env bash
set -euo pipefail
(
exec bwrap \
--ro-bind /usr/bin/ /usr/bin/ \
--ro-bind /usr/share /usr/share \
--ro-bind /usr/lib /usr/lib \
--ro-bind /usr/lib64 /usr/lib64 \
--symlink /usr/lib64 /lib64 \
--symlink /usr/lib /lib \
--symlink /usr/bin /bin \
--symlink /usr/bin /sbin \
--tmpfs /usr/lib/modules \
--tmpfs /usr/lib/systemd \
--tmpfs /usr/lib/gcc \
--proc /proc \
--dev /dev \
--bind ~/ ~/ \
--tmpfs ~/.gnupg \
--tmpfs ~/.ssh \
--tmpfs ~/.mutt \
--tmpfs ~/.mozilla \
--tmpfs ~/.thunderbird \
--tmpfs ~/.mail \
--tmpfs ~/.Mail \
--tmpfs ~/.claws-mail \
--tmpfs ~/.config \
--tmpfs ~/.cache \
--tmpfs ~/.local \
--tmpfs ~/.pki \
--tmpfs ~/.zuluCrypt \
--tmpfs ~/.zuluCrypt-socket \
--tmpfs ~/.xpra \
--unsetenv MOZ_PLUGIN_PATH \
--unsetenv XTERM_LOCALE \
--unsetenv TERM \
--unsetenv XTERM_VERSION \
--unsetenv XTERM_SHELL \
--unsetenv DBUS_SESSION_BUS_ADDRESS \
--unsetenv XDG_RUNTIME_DIR \
--unsetenv MAIL \
--unsetenv XAUTHORITY \
--setenv SHELL /bin/false \
--setenv PATH /usr/bin \
--setenv USER nobody \
--unshare-all \
--new-session \
--seccomp 10 \
10< /usr/local/bin/seccomp_default_filter.bpf \
/usr/bin/7z "$@"
)

51
profiles/7za Normal file
View File

@ -0,0 +1,51 @@
#!/usr/bin/env bash
set -euo pipefail
(
exec bwrap \
--ro-bind /usr/bin/ /usr/bin/ \
--ro-bind /usr/share /usr/share \
--ro-bind /usr/lib /usr/lib \
--ro-bind /usr/lib64 /usr/lib64 \
--symlink /usr/lib64 /lib64 \
--symlink /usr/lib /lib \
--symlink /usr/bin /bin \
--symlink /usr/bin /sbin \
--tmpfs /usr/lib/modules \
--tmpfs /usr/lib/systemd \
--tmpfs /usr/lib/gcc \
--proc /proc \
--dev /dev \
--bind ~/ ~/ \
--tmpfs ~/.gnupg \
--tmpfs ~/.ssh \
--tmpfs ~/.mutt \
--tmpfs ~/.mozilla \
--tmpfs ~/.thunderbird \
--tmpfs ~/.mail \
--tmpfs ~/.Mail \
--tmpfs ~/.claws-mail \
--tmpfs ~/.config \
--tmpfs ~/.cache \
--tmpfs ~/.local \
--tmpfs ~/.pki \
--tmpfs ~/.zuluCrypt \
--tmpfs ~/.zuluCrypt-socket \
--tmpfs ~/.xpra \
--unsetenv MOZ_PLUGIN_PATH \
--unsetenv XTERM_LOCALE \
--unsetenv TERM \
--unsetenv XTERM_VERSION \
--unsetenv XTERM_SHELL \
--unsetenv DBUS_SESSION_BUS_ADDRESS \
--unsetenv XDG_RUNTIME_DIR \
--unsetenv MAIL \
--unsetenv XAUTHORITY \
--setenv SHELL /bin/false \
--setenv PATH /usr/bin \
--setenv USER nobody \
--unshare-all \
--new-session \
--seccomp 10 \
10< /usr/local/bin/seccomp_default_filter.bpf \
/usr/bin/7za "$@"
)

41
profiles/debian/7z Normal file
View File

@ -0,0 +1,41 @@
#!/usr/bin/env bash
set -euo pipefail
(
exec bwrap \
--ro-bind /usr/bin/ /usr/bin/ \
--ro-bind /usr/share /usr/share \
--ro-bind /usr/lib /usr/lib \
--ro-bind /usr/lib32 /usr/lib32 \
--ro-bind /lib /lib \
--ro-bind /lib64 /lib64 \
--ro-bind /lib32 /lib32 \
--ro-bind /libx32 /libx32 \
--ro-bind /bin /bin \
--ro-bind /bin /sbin \
--proc /proc \
--dev /dev \
--bind ~/ ~/ \
--tmpfs ~/.gnupg \
--tmpfs ~/.ssh \
--tmpfs ~/.mutt \
--tmpfs ~/.mozilla \
--tmpfs ~/.thunderbird \
--tmpfs ~/.mail \
--tmpfs ~/.Mail \
--tmpfs ~/.claws-mail \
--tmpfs ~/.config \
--tmpfs ~/.cache \
--tmpfs ~/.local \
--tmpfs ~/.pki \
--unsetenv MOZ_PLUGIN_PATH \
--unsetenv DBUS_SESSION_BUS_ADDRESS \
--unsetenv XDG_RUNTIME_DIR \
--unsetenv XAUTHORITY \
--setenv SHELL /bin/false \
--setenv USER nobody \
--unshare-all \
--new-session \
--seccomp 10 \
10< /usr/local/bin/seccomp_default_filter.bpf \
/usr/bin/7z "$@"
)

41
profiles/debian/7za Normal file
View File

@ -0,0 +1,41 @@
#!/usr/bin/env bash
set -euo pipefail
(
exec bwrap \
--ro-bind /usr/bin/ /usr/bin/ \
--ro-bind /usr/share /usr/share \
--ro-bind /usr/lib /usr/lib \
--ro-bind /usr/lib32 /usr/lib32 \
--ro-bind /lib /lib \
--ro-bind /lib64 /lib64 \
--ro-bind /lib32 /lib32 \
--ro-bind /libx32 /libx32 \
--ro-bind /bin /bin \
--ro-bind /bin /sbin \
--proc /proc \
--dev /dev \
--bind ~/ ~/ \
--tmpfs ~/.gnupg \
--tmpfs ~/.ssh \
--tmpfs ~/.mutt \
--tmpfs ~/.mozilla \
--tmpfs ~/.thunderbird \
--tmpfs ~/.mail \
--tmpfs ~/.Mail \
--tmpfs ~/.claws-mail \
--tmpfs ~/.config \
--tmpfs ~/.cache \
--tmpfs ~/.local \
--tmpfs ~/.pki \
--unsetenv MOZ_PLUGIN_PATH \
--unsetenv DBUS_SESSION_BUS_ADDRESS \
--unsetenv XDG_RUNTIME_DIR \
--unsetenv XAUTHORITY \
--setenv SHELL /bin/false \
--setenv USER nobody \
--unshare-all \
--new-session \
--seccomp 10 \
10< /usr/local/bin/seccomp_default_filter.bpf \
/usr/bin/7za "$@"
)

33
profiles/debian/bwjail Normal file
View File

@ -0,0 +1,33 @@
#!/usr/bin/env bash
set -euo pipefail
(
exec bwrap \
--ro-bind /usr/bin/ /usr/bin/ \
--ro-bind /usr/share/ /usr/share/ \
--ro-bind /usr/lib /usr/lib \
--ro-bind /usr/lib32 /usr/lib32 \
--ro-bind /lib /lib \
--ro-bind /lib64 /lib64 \
--ro-bind /lib32 /lib32 \
--ro-bind /libx32 /libx32 \
--ro-bind /bin /bin \
--ro-bind /sbin /sbin \
--proc /proc \
--ro-bind /tmp/.X11-unix /tmp/.X11-unix \
--ro-bind ~/.Xauthority /home/jail/.Xauthority \
--chdir /home/jail \
--unsetenv MOZ_PLUGIN_PATH \
--unsetenv DBUS_SESSION_BUS_ADDRESS \
--unsetenv XDG_RUNTIME_DIR \
--setenv HOME /home/jail \
--setenv XAUTHORITY /home/jail/.Xauthority \
--setenv USER nobody \
--unshare-all \
--new-session \
--seccomp 10 \
10< /usr/local/bin/seccomp_default_filter.bpf \
bash
)
## --ro-bind "${@: -1}" /home/jail/"$(basename ${@: -1})" \
## bash "$(basename ${@: -1})"

43
profiles/debian/evince Normal file
View File

@ -0,0 +1,43 @@
#!/usr/bin/env bash
set -euo pipefail
(
exec bwrap \
--ro-bind /usr/bin/evince /usr/bin/evince \
--ro-bind /usr/share/ /usr/share/ \
--ro-bind /usr/lib /usr/lib \
--ro-bind /usr/lib32 /usr/lib32 \
--ro-bind /lib /lib \
--ro-bind /lib64 /lib64 \
--ro-bind /lib32 /lib32 \
--ro-bind /libx32 /libx32 \
--ro-bind /bin /bin \
--ro-bind /sbin /sbin \
--proc /proc \
--dev /dev \
--ro-bind /tmp/.X11-unix /tmp/.X11-unix \
--ro-bind /etc/fonts /etc/fonts \
--bind ~/ ~/ \
--ro-bind ~/.Xauthority ~/.Xauthority \
--tmpfs ~/.gnupg \
--tmpfs ~/.ssh \
--tmpfs ~/.mutt \
--tmpfs ~/.mozilla \
--tmpfs ~/.thunderbird \
--tmpfs ~/.mail \
--tmpfs ~/.Mail \
--tmpfs ~/.claws-mail \
--tmpfs ~/.config \
--tmpfs ~/.cache \
--tmpfs ~/.local \
--tmpfs ~/.pki \
--bind ~/.cache/fontconfig ~/.cache/fontconfig \
--unsetenv MOZ_PLUGIN_PATH \
--unsetenv XDG_RUNTIME_DIR \
--unsetenv DBUS_SESSION_BUS_ADDRESS \
--setenv SHELL /bin/false \
--unshare-all \
--new-session \
--seccomp 10 \
10< /usr/local/bin/seccomp_default_filter.bpf \
/usr/bin/evince "$@"
)

57
profiles/debian/firefox Normal file
View File

@ -0,0 +1,57 @@
#!/usr/bin/env bash
set -euo pipefail
echo -n $RANDOM | md5sum | tr -d '-' > /tmp/fakeid
(
exec bwrap \
--ro-bind /usr/bin/ /usr/bin/ \
--ro-bind /usr/share/ /usr/share/ \
--ro-bind /usr/lib /usr/lib \
--ro-bind /usr/lib32 /usr/lib32 \
--ro-bind /lib /lib \
--ro-bind /lib64 /lib64 \
--ro-bind /lib32 /lib32 \
--ro-bind /libx32 /libx32 \
--ro-bind /bin /bin \
--ro-bind /sbin /sbin \
--proc /proc \
--dev-bind /dev /dev \
--ro-bind /tmp/.X11-unix /tmp/.X11-unix \
--ro-bind /etc/passwd /etc/passwd \
--ro-bind /etc/group /etc/group \
--ro-bind /etc/hostname /etc/hostname \
--ro-bind /etc/hosts /etc/hosts \
--ro-bind /etc/localtime /etc/localtime \
--ro-bind /etc/nsswitch.conf /etc/nsswitch.conf \
--ro-bind /etc/resolv.conf /etc/resolv.conf \
--ro-bind /etc/xdg /etc/xdg \
--ro-bind /etc/gtk-2.0 /etc/gtk-2.0 \
--ro-bind /etc/gtk-3.0 /etc/gtk-3.0 \
--ro-bind /etc/X11 /etc/X11 \
--ro-bind /etc/fonts /etc/fonts \
--ro-bind /etc/mime.types /etc/mime.types \
--ro-bind /etc/pulse /etc/pulse \
--ro-bind /tmp/fakeid /etc/machine-id \
--tmpfs /run \
--ro-bind ~/.Xauthority /home/jail/.Xauthority \
--bind ~/.mozilla /home/jail/.mozilla \
--bind ~/.cache/mozilla /home/jail/.cache/mozilla \
--bind ~/Downloads /home/jail/Downloads \
--chdir /home/jail \
--unsetenv DBUS_SESSION_BUS_ADDRESS \
--unsetenv XDG_RUNTIME_DIR \
--setenv SHELL /bin/false \
--setenv HOME /home/jail \
--setenv XAUTHORITY /home/jail/.Xauthority \
--setenv USER nobody \
--setenv LOGNAME nobody \
--unshare-all \
--share-net \
--new-session \
--seccomp 10 \
10< /usr/local/bin/seccomp_default_filter.bpf \
/usr/bin/firefox
)

44
profiles/debian/libreoffice Normal file
View File

@ -0,0 +1,44 @@
#!/usr/bin/env bash
set -euo pipefail
(
exec bwrap \
--ro-bind /usr/bin/ /usr/bin/ \
--ro-bind /usr/share/ /usr/share/ \
--ro-bind /usr/lib /usr/lib \
--ro-bind /usr/lib32 /usr/lib32 \
--ro-bind /lib /lib \
--ro-bind /lib64 /lib64 \
--ro-bind /lib32 /lib32 \
--ro-bind /libx32 /libx32 \
--ro-bind /bin /bin \
--ro-bind /sbin /sbin \
--proc /proc \
--dev /dev \
--ro-bind /tmp/.X11-unix /tmp/.X11-unix \
--ro-bind /etc /etc \
--ro-bind /sys /sys \
--bind /run/user/`id -u`/dconf /run/user/`id -u`/dconf \
--bind ~/ ~/ \
--tmpfs ~/.gnupg \
--tmpfs ~/.ssh \
--tmpfs ~/.mutt \
--tmpfs ~/.mozilla \
--tmpfs ~/.thunderbird \
--tmpfs ~/.mail \
--tmpfs ~/.Mail \
--tmpfs ~/.claws-mail \
--tmpfs ~/.config \
--tmpfs ~/.cache \
--tmpfs ~/.local \
--tmpfs ~/.pki \
--bind ~/.cache/fontconfig ~/.cache/fontconfig \
--ro-bind ~/.Xauthority ~/.Xauthority \
--bind ~/.config/libreoffice ~/.config/libreoffice \
--unsetenv MOZ_PLUGIN_PATH \
--unsetenv XDG_RUNTIME_DIR \
--unshare-all \
--new-session \
--seccomp 10 \
10< /usr/local/bin/seccomp_default_filter.bpf \
/usr/bin/libreoffice "$@"
)

29
profiles/debian/mupdf Normal file
View File

@ -0,0 +1,29 @@
#!/usr/bin/env bash
set -euo pipefail
(
exec bwrap \
--ro-bind /usr/bin/mupdf /usr/bin/mupdf \
--ro-bind /usr/share /usr/share \
--ro-bind /usr/lib /usr/lib \
--ro-bind /lib /lib \
--ro-bind /lib64 /lib64 \
--ro-bind /bin /bin \
--proc /proc \
--ro-bind /tmp/.X11-unix /tmp/.X11-unix \
--ro-bind /etc/fonts /etc/fonts \
--ro-bind ~/.Xauthority /home/jail/.Xauthority \
--ro-bind "${@: -1}" /home/jail/"$(basename ${@: -1})" \
--chdir /home/jail \
--unsetenv MOZ_PLUGIN_PATH \
--unsetenv DBUS_SESSION_BUS_ADDRESS \
--unsetenv XDG_RUNTIME_DIR \
--setenv SHELL /bin/false \
--setenv HOME /home/jail \
--setenv XAUTHORITY /home/jail/.Xauthority \
--setenv USER nobody \
--unshare-all \
--new-session \
--seccomp 10 \
10< /usr/local/bin/seccomp_default_filter.bpf \
/usr/bin/mupdf "$(basename ${@: -1})" &>/dev/null
)

BIN
profiles/debian/seccomp_default_filter.bpf Normal file
View File

Binary file not shown.

52
profiles/evince Normal file
View File

@ -0,0 +1,52 @@
#!/usr/bin/env bash
set -euo pipefail
(
exec bwrap \
--ro-bind /usr/bin/evince /usr/bin/evince \
--ro-bind /usr/share /usr/share \
--ro-bind /usr/lib /usr/lib \
--ro-bind /usr/lib64 /usr/lib64 \
--symlink /usr/lib64 /lib64 \
--tmpfs /usr/lib/modules \
--tmpfs /usr/lib/systemd \
--tmpfs /usr/lib/gcc \
--proc /proc \
--dev /dev \
--ro-bind /tmp/.X11-unix /tmp/.X11-unix \
--ro-bind /etc/fonts /etc/fonts \
--bind /run/user/`id -u`/dconf /run/user/`id -u`/dconf \
--bind /run/user/`id -u`/bus /run/user/`id -u`/bus \
--bind ~/ ~/ \
--ro-bind ~/.Xauthority ~/.Xauthority \
--tmpfs ~/.gnupg \
--tmpfs ~/.ssh \
--tmpfs ~/.mutt \
--tmpfs ~/.mozilla \
--tmpfs ~/.thunderbird \
--tmpfs ~/.mail \
--tmpfs ~/.Mail \
--tmpfs ~/.claws-mail \
--tmpfs ~/.config \
--tmpfs ~/.cache \
--tmpfs ~/.local \
--tmpfs ~/.pki \
--tmpfs ~/.zuluCrypt \
--tmpfs ~/.zuluCrypt-socket \
--tmpfs ~/.xpra \
--bind ~/.cache/dconf ~/.cache/dconf \
--bind ~/.cache/fontconfig ~/.cache/fontconfig \
--bind ~/.config/evince ~/.config/evince \
--unsetenv MOZ_PLUGIN_PATH \
--unsetenv XTERM_LOCALE \
--unsetenv TERM \
--unsetenv XTERM_VERSION \
--unsetenv XTERM_SHELL \
--unsetenv XDG_RUNTIME_DIR \
--unsetenv MAIL \
--setenv SHELL /bin/false \
--unshare-all \
--new-session \
--seccomp 10 \
10< /usr/local/bin/seccomp_default_filter.bpf \
/usr/bin/evince "$@"
)

71
profiles/firefox Normal file
View File

@ -0,0 +1,71 @@
#!/usr/bin/env bash
set -euo pipefail
(
exec bwrap \
--ro-bind /usr/bin/firefox /usr/bin/firefox \
--ro-bind /usr/bin/ /usr/bin/ \
--ro-bind /usr/share/ /usr/share/ \
--ro-bind /usr/lib /usr/lib \
--ro-bind /usr/lib64 /usr/lib64 \
--symlink /usr/lib64 /lib64 \
--tmpfs /usr/lib/modules \
--tmpfs /usr/lib/systemd \
--tmpfs /usr/lib/gcc \
--proc /proc \
--dev-bind /dev /dev \
--ro-bind /tmp/.X11-unix /tmp/.X11-unix \
--ro-bind /etc/passwd /etc/passwd \
--ro-bind /etc/group /etc/group \
--ro-bind /etc/hostname /etc/hostname \
--ro-bind /etc/hosts /etc/hosts \
--ro-bind /etc/localtime /etc/localtime \
--ro-bind /etc/nsswitch.conf /etc/nsswitch.conf \
--ro-bind /etc/resolv.conf /etc/resolv.conf \
--ro-bind /etc/xdg /etc/xdg \
--ro-bind /etc/gtk-2.0 /etc/gtk-2.0 \
--ro-bind /etc/gtk-3.0 /etc/gtk-3.0 \
--ro-bind /etc/X11 /etc/X11 \
--ro-bind /etc/fonts /etc/fonts \
--ro-bind /etc/mime.types /etc/mime.types \
--ro-bind /etc/pulse /etc/pulse \
--tmpfs /run \
--ro-bind ~/.Xauthority /home/jail/.Xauthority \
--bind ~/.mozilla /home/jail/.mozilla \
--bind ~/.cache/mozilla /home/jail/.cache/mozilla \
--bind ~/Downloads /home/jail/Downloads \
--chdir /home/jail \
--unsetenv XTERM_LOCALE \
--unsetenv TERM \
--unsetenv XTERM_VERSION \
--unsetenv XTERM_SHELL \
--unsetenv DBUS_SESSION_BUS_ADDRESS \
--unsetenv XDG_RUNTIME_DIR \
--unsetenv MAIL \
--setenv SHELL /bin/false \
--setenv HOME /home/jail \
--setenv XAUTHORITY /home/jail/.Xauthority \
--setenv USER nobody \
--setenv LOGNAME nobody \
--unshare-user \
--unshare-pid \
--unshare-uts \
--unshare-cgroup \
--new-session \
--seccomp 10 \
10< /usr/local/bin/seccomp_default_filter.bpf \
/usr/bin/firefox
)
# todo:
# --ro-bind /usr/share/locale /usr/share/locale \
# --ro-bind /usr/share/X11 /usr/share/X11 \
# --ro-bind /usr/share/gtk-3.0 /usr/share/gtk-3.0 \
# --ro-bind /usr/share/fonts /usr/share/fonts \
# --ro-bind /usr/share/ca-certificates /usr/share/ca-certificates \
# --ro-bind /usr/share/icons /usr/share/icons \
# --ro-bind /usr/share/pixmaps /usr/share/pixmaps \
# --ro-bind /usr/share/mime /usr/share/mime \
# --ro-bind /usr/share/applications /usr/share/applications \
# --ro-bind /usr/share/glib-2.0 /usr/share/glib-2.0 \
# --bind /var/cache/fontconfig

58
profiles/libreoffice Normal file
View File

@ -0,0 +1,58 @@
#!/usr/bin/env bash
set -euo pipefail
(
exec bwrap \
--ro-bind /usr/bin/ /usr/bin/ \
--ro-bind /usr/share /usr/share \
--ro-bind /usr/lib /usr/lib \
--ro-bind /usr/lib64 /usr/lib64 \
--bind /tmp /tmp \
--symlink /usr/lib64 /lib64 \
--symlink /usr/bin /bin \
--tmpfs /usr/lib/modules \
--tmpfs /usr/lib/systemd \
--tmpfs /usr/lib/gcc \
--proc /proc \
--dev /dev \
--ro-bind /tmp/.X11-unix /tmp/.X11-unix \
--ro-bind /etc /etc \
--ro-bind /sys /sys \
--bind /run/user/`id -u`/dconf /run/user/`id -u`/dconf \
--bind /run/user/`id -u`/bus /run/user/`id -u`/bus \
--bind ~/ ~/ \
--tmpfs ~/.gnupg \
--tmpfs ~/.ssh \
--tmpfs ~/.mutt \
--tmpfs ~/.mozilla \
--tmpfs ~/.thunderbird \
--tmpfs ~/.mail \
--tmpfs ~/.Mail \
--tmpfs ~/.claws-mail \
--tmpfs ~/.config \
--tmpfs ~/.cache \
--tmpfs ~/.local \
--tmpfs ~/.pki \
--tmpfs ~/.zuluCrypt \
--tmpfs ~/.zuluCrypt-socket \
--tmpfs ~/.xpra \
--bind ~/.cache/dconf ~/.cache/dconf \
--bind ~/.cache/fontconfig ~/.cache/fontconfig \
--ro-bind ~/.Xauthority ~/.Xauthority \
--bind ~/.config/libreoffice ~/.config/libreoffice \
--unsetenv MOZ_PLUGIN_PATH \
--unsetenv XTERM_LOCALE \
--unsetenv TERM \
--unsetenv XTERM_VERSION \
--unsetenv XTERM_SHELL \
--unsetenv XDG_RUNTIME_DIR \
--unsetenv MAIL \
--unshare-user \
--unshare-pid \
--unshare-net \
--unshare-uts \
--unshare-cgroup \
--new-session \
--seccomp 10 \
10< /usr/local/bin/seccomp_default_filter.bpf \
/usr/bin/libreoffice "$@"
)

42
profiles/mupdf Normal file
View File

@ -0,0 +1,42 @@
#!/usr/bin/env bash
set -euo pipefail
(
exec bwrap \
--ro-bind /usr/bin/mupdf /usr/bin/mupdf \
--ro-bind /usr/share /usr/share \
--ro-bind /usr/lib /usr/lib \
--ro-bind /usr/lib64 /usr/lib64 \
--symlink /usr/lib64 /lib64 \
--tmpfs /usr/lib/modules \
--tmpfs /usr/lib/systemd \
--tmpfs /usr/lib/gcc \
--proc /proc \
--ro-bind /tmp/.X11-unix /tmp/.X11-unix \
--ro-bind /etc/fonts /etc/fonts \
--ro-bind ~/.Xauthority /home/jail/.Xauthority \
--ro-bind "${@: -1}" /home/jail/"$(basename ${@: -1})" \
--chdir /home/jail \
--unsetenv MOZ_PLUGIN_PATH \
--unsetenv XTERM_LOCALE \
--unsetenv TERM \
--unsetenv XTERM_VERSION \
--unsetenv XTERM_SHELL \
--unsetenv DBUS_SESSION_BUS_ADDRESS \
--unsetenv XDG_RUNTIME_DIR \
--unsetenv MAIL \
--setenv SHELL /bin/false \
--setenv PATH /usr/bin \
--setenv HOME /home/jail \
--setenv XAUTHORITY /home/jail/.Xauthority \
--setenv USER nobody \
--unshare-user \
--unshare-pid \
--unshare-net \
--unshare-uts \
--unshare-cgroup \
--unshare-ipc \
--new-session \
--seccomp 10 \
10< /usr/local/bin/seccomp_default_filter.bpf \
/usr/bin/mupdf "$(basename ${@: -1})" &>/dev/null
)

BIN
profiles/seccomp_default_filter.bpf Normal file
View File

Binary file not shown.