improve usability and documentation
This commit is contained in:
valoq
parent
9b621af9c9
commit
c313ad534c
13
README.md
13
README.md
|
|
@ -11,6 +11,7 @@ Install
|
|||
|
||||
To automatically use the sandboxed applications profiles, copy the scripts to /usr/local/bin and make them executable. By default a seccomp bpf file is expected in that directory as well. Use the exportFilter program to generate the seccomp bpf file. You can create individual filters by specifying syscalls to be blacklisted or whitelisted using the defined macros.
|
||||
|
||||
The sandboxing scripts expect the host system to run a wayland compositor as well as pipewire when audio is required.
|
||||
|
||||
|
||||
Disclaimer
|
||||
|
|
@ -19,15 +20,17 @@ Disclaimer
|
|||
This repository is not associated with the official bubblewrap project
|
||||
|
||||
|
||||
|
||||
|
||||
Warning
|
||||
-------
|
||||
|
||||
Using the provided scripts to sandbox linux desktop applications only provides limited protection as there are several weak points like the X-Window-Server and Dbus IPC that need to be isolated as well to prevent sandbox escape. See Sandbox Status for details on the example scripts
|
||||
|
||||
|
||||
Sandbox Status
|
||||
--------------
|
||||
If not otherwise documented in the profile script, the sandbox environment should be effective in that is will reduce the impact of successful compromise without allowing trivial sandbox escape.
|
||||
|
||||
todo
|
||||
|
||||
Todo
|
||||
----
|
||||
|
||||
- support xdg-portal APIs
|
||||
- find a way to mount pipewire socket dynamically
|
||||
|
|
|
|||
|
|
@ -19,3 +19,7 @@ set -euo pipefail
|
|||
10< /usr/local/bin/seccomp_default_filter.bpf \
|
||||
/usr/bin/atool "$@"
|
||||
)
|
||||
|
||||
# Status: Incomplete
|
||||
# This script mounts the current working directory to extract and write new files
|
||||
# Depending in the execution path, this may be dangerous and can lead to sandbox escape
|
||||
|
|
|
|||
|
|
@ -10,14 +10,13 @@ set -euo pipefail
|
|||
--proc /proc \
|
||||
--dev /dev \
|
||||
--ro-bind /etc/fonts /etc/fonts \
|
||||
--ro-bind /run/user/"$(id -u)"/wayland-1 /run/user/"$(id -u)"/wayland-1 \
|
||||
--ro-bind ~/.cache/fontconfig ~/.cache/fontconfig \
|
||||
--ro-bind ~/.config/evince ~/.config/evince \
|
||||
--ro-bind "${@: -1}" ~/"$(basename "${@: -1}")" \
|
||||
--chdir ~/ \
|
||||
--ro-bind /run/user/"$(id -u)"/"$WAYLAND_DISPLAY" /run/user/"$(id -u)"/"$WAYLAND_DISPLAY" \
|
||||
--ro-bind-try ~/.cache/fontconfig ~/.cache/fontconfig \
|
||||
--ro-bind-try ~/.config/evince ~/.config/evince \
|
||||
--ro-bind-try "${@: -1}" "${@: -1}" \
|
||||
--unshare-all \
|
||||
--new-session \
|
||||
--seccomp 10 \
|
||||
10< /usr/local/bin/seccomp_default_filter.bpf \
|
||||
/usr/bin/evince "$(basename "${@: -1}")"
|
||||
/usr/bin/evince "$@"
|
||||
)
|
||||
|
|
|
|||
|
|
@ -19,7 +19,6 @@ fi
|
|||
--symlink /usr/bin /sbin \
|
||||
--proc /proc \
|
||||
--dev /dev \
|
||||
--dev-bind /dev/snd /dev/snd \
|
||||
--dev-bind-try /dev/hidraw0 /dev/hidraw0 \
|
||||
--dev-bind-try /dev/hidraw1 /dev/hidraw1 \
|
||||
--dev-bind-try /dev/hidraw2 /dev/hidraw2 \
|
||||
|
|
@ -51,7 +50,7 @@ fi
|
|||
--ro-bind-try /etc/pulse /etc/pulse \
|
||||
--ro-bind-try /etc/pipewire /etc/pipewire \
|
||||
--tmpfs /run \
|
||||
--ro-bind /run/user/"$(id -u)"/wayland-1 /run/user/"$(id -u)"/wayland-1 \
|
||||
--ro-bind /run/user/"$(id -u)"/"$WAYLAND_DISPLAY" /run/user/"$(id -u)"/"$WAYLAND_DISPLAY" \
|
||||
--ro-bind-try /run/user/"$(id -u)"/pipewire-0 /run/user/"$(id -u)"/pipewire-0 \
|
||||
--bind-try ~/Downloads ~/Downloads \
|
||||
--bind-try ~/.mozilla ~/.mozilla \
|
||||
|
|
@ -70,14 +69,8 @@ fi
|
|||
/usr/lib/firefox/firefox
|
||||
)
|
||||
|
||||
# note: This profile requires an execution environement with available wayland and pipewire services.
|
||||
|
||||
|
||||
|
||||
# -ro-bind /etc/alsa /etc/alsa \
|
||||
|
||||
# todo:
|
||||
|
||||
# --ro-bind /usr/share/locale /usr/share/locale \
|
||||
# --ro-bind /usr/share/X11 /usr/share/X11 \
|
||||
# --ro-bind /usr/share/gtk-3.0 /usr/share/gtk-3.0 \
|
||||
|
|
|
|||
|
|
@ -2,15 +2,16 @@
|
|||
set -euo pipefail
|
||||
(
|
||||
exec bwrap \
|
||||
--ro-bind /usr/bin/ /usr/bin/ \
|
||||
--ro-bind /usr/bin /usr/bin \
|
||||
--ro-bind /usr/share /usr/share \
|
||||
--ro-bind /usr/lib /usr/lib \
|
||||
--ro-bind /usr/lib64 /usr/lib64 \
|
||||
--symlink /usr/lib64 /lib64 \
|
||||
--proc /proc \
|
||||
--dev /dev \
|
||||
--ro-bind /run/user/"$(id -u)"/wayland-1 /run/user/"$(id -u)"/wayland-1 \
|
||||
--ro-bind "${@: -1}" ~/"$(basename "${@: -1}")" \
|
||||
--ro-bind /run/user/"$(id -u)"/"$WAYLAND_DISPLAY" /run/user/"$(id -u)"/"$WAYLAND_DISPLAY" \
|
||||
--ro-bind-try ~/.config/imv/ ~/.config/imv/ \
|
||||
--ro-bind-try "${@: -1}" "${@: -1}" \
|
||||
--unshare-user \
|
||||
--unshare-pid \
|
||||
--unshare-net \
|
||||
|
|
@ -19,5 +20,5 @@ set -euo pipefail
|
|||
--new-session \
|
||||
--seccomp 10 \
|
||||
10< /usr/local/bin/seccomp_default_filter.bpf \
|
||||
/usr/bin/imv-wayland "$(basename "${@: -1}")"
|
||||
/usr/bin/imv-wayland "$@"
|
||||
)
|
||||
|
|
|
|||
|
|
@ -12,13 +12,15 @@ set -euo pipefail
|
|||
--tmpfs /tmp \
|
||||
--ro-bind /etc /etc \
|
||||
--ro-bind /run/systemd/userdb /run/systemd/userdb \
|
||||
--ro-bind /run/user/"$(id -u)"/wayland-1 /run/user/"$(id -u)"/wayland-1 \
|
||||
--bind ~/.cache/fontconfig ~/.cache/fontconfig \
|
||||
--bind ~/.config/libreoffice ~/.config/libreoffice \
|
||||
--bind "$PWD" "$PWD" \
|
||||
--ro-bind /run/user/"$(id -u)"/"$WAYLAND_DISPLAY" /run/user/"$(id -u)"/"$WAYLAND_DISPLAY" \
|
||||
--bind-try ~/.cache/fontconfig ~/.cache/fontconfig \
|
||||
--bind-try ~/.config/libreoffice ~/.config/libreoffice \
|
||||
--ro-bind-try "${@: -1}" "${@: -1}" \
|
||||
--unshare-all \
|
||||
--new-session \
|
||||
--seccomp 10 \
|
||||
10< /usr/local/bin/seccomp_default_filter.bpf \
|
||||
/usr/bin/libreoffice "$@"
|
||||
)
|
||||
|
||||
|
||||
|
|
|
|||
14
profiles/vlc
14
profiles/vlc
|
|
@ -9,13 +9,11 @@ set -euo pipefail
|
|||
--symlink /usr/lib64 /lib64 \
|
||||
--symlink /usr/bin /bin \
|
||||
--proc /proc \
|
||||
--dev-bind /dev /dev \
|
||||
--ro-bind /run/user/"$(id -u)"/wayland-1 /run/user/"$(id -u)"/wayland-1 \
|
||||
--ro-bind /run/user/"$(id -u)"/"$WAYLAND_DISPLAY" /run/user/"$(id -u)"/"$WAYLAND_DISPLAY" \
|
||||
--ro-bind-try /run/user/"$(id -u)"/pipewire-0 /run/user/"$(id -u)"/pipewire-0 \
|
||||
--ro-bind /etc /etc \
|
||||
--ro-bind ~/.config/vlc ~/.config/vlc \
|
||||
--ro-bind "${@: -1}" ~/"$(basename "${@: -1}")" \
|
||||
--chdir ~/ \
|
||||
--ro-bind-try ~/.config/vlc ~/.config/vlc \
|
||||
--ro-bind-try "${@: -1}" "${@: -1}" \
|
||||
--unsetenv DBUS_SESSION_BUS_ADDRESS \
|
||||
--unshare-user-try \
|
||||
--unshare-pid \
|
||||
|
|
@ -25,7 +23,11 @@ set -euo pipefail
|
|||
--new-session \
|
||||
--seccomp 10 \
|
||||
10< /usr/local/bin/seccomp_default_filter.bpf \
|
||||
/usr/bin/vlc "$(basename "${@: -1}")"
|
||||
/usr/bin/vlc "$@"
|
||||
)
|
||||
|
||||
## todo:
|
||||
# - find a way to mount pipewire socket dynamically
|
||||
|
||||
## requires qt5-wayland to run on wayland
|
||||
## wayland support in vlc is currently still under development
|
||||
|
|
|
|||
|
|
@ -1,35 +0,0 @@
|
|||
#!/usr/bin/env bash
|
||||
set -euo pipefail
|
||||
(
|
||||
exec bwrap \
|
||||
--ro-bind /usr/bin /usr/bin/ \
|
||||
--ro-bind /usr/share /usr/share \
|
||||
--ro-bind /usr/lib /usr/lib \
|
||||
--ro-bind /usr/lib64 /usr/lib64 \
|
||||
--symlink /usr/lib64 /lib64 \
|
||||
--symlink /usr/lib /lib \
|
||||
--symlink /usr/bin /bin \
|
||||
--symlink /usr/bin /sbin \
|
||||
--tmpfs /usr/lib/modules \
|
||||
--tmpfs /usr/lib/systemd \
|
||||
--proc /proc \
|
||||
--dev /dev \
|
||||
--bind ~/ ~/ \
|
||||
--tmpfs ~/.gnupg \
|
||||
--tmpfs ~/.ssh \
|
||||
--tmpfs ~/.mutt \
|
||||
--tmpfs ~/.mozilla \
|
||||
--tmpfs ~/.thunderbird \
|
||||
--tmpfs ~/.mail \
|
||||
--tmpfs ~/.Mail \
|
||||
--tmpfs ~/.claws-mail \
|
||||
--tmpfs ~/.config \
|
||||
--tmpfs ~/.cache \
|
||||
--tmpfs ~/.local \
|
||||
--tmpfs ~/.pki \
|
||||
--unshare-all \
|
||||
--new-session \
|
||||
--seccomp 10 \
|
||||
10< /usr/local/bin/seccomp_default_filter.bpf \
|
||||
/usr/bin/7z "$@"
|
||||
)
|
||||
|
|
@ -1,35 +0,0 @@
|
|||
#!/usr/bin/env bash
|
||||
set -euo pipefail
|
||||
(
|
||||
exec bwrap \
|
||||
--ro-bind /usr/bin /usr/bin/ \
|
||||
--ro-bind /usr/share /usr/share \
|
||||
--ro-bind /usr/lib /usr/lib \
|
||||
--ro-bind /usr/lib64 /usr/lib64 \
|
||||
--symlink /usr/lib64 /lib64 \
|
||||
--symlink /usr/lib /lib \
|
||||
--symlink /usr/bin /bin \
|
||||
--symlink /usr/bin /sbin \
|
||||
--tmpfs /usr/lib/modules \
|
||||
--tmpfs /usr/lib/systemd \
|
||||
--proc /proc \
|
||||
--dev /dev \
|
||||
--bind ~/ ~/ \
|
||||
--tmpfs ~/.gnupg \
|
||||
--tmpfs ~/.ssh \
|
||||
--tmpfs ~/.mutt \
|
||||
--tmpfs ~/.mozilla \
|
||||
--tmpfs ~/.thunderbird \
|
||||
--tmpfs ~/.mail \
|
||||
--tmpfs ~/.Mail \
|
||||
--tmpfs ~/.claws-mail \
|
||||
--tmpfs ~/.config \
|
||||
--tmpfs ~/.cache \
|
||||
--tmpfs ~/.local \
|
||||
--tmpfs ~/.pki \
|
||||
--unshare-all \
|
||||
--new-session \
|
||||
--seccomp 10 \
|
||||
10< /usr/local/bin/seccomp_default_filter.bpf \
|
||||
/usr/bin/7za "$@"
|
||||
)
|
||||
|
|
@ -1,23 +0,0 @@
|
|||
#!/usr/bin/env bash
|
||||
set -euo pipefail
|
||||
(
|
||||
exec bwrap \
|
||||
--ro-bind /usr/bin/ /usr/bin/ \
|
||||
--ro-bind /usr/share /usr/share \
|
||||
--ro-bind /usr/lib /usr/lib \
|
||||
--ro-bind /usr/lib64 /usr/lib64 \
|
||||
--symlink /usr/lib64 /lib64 \
|
||||
--proc /proc \
|
||||
--dev /dev \
|
||||
--ro-bind /run/user/"$(id -u)"/wayland-1 /run/user/"$(id -u)"/wayland-1 \
|
||||
--ro-bind "${@: -1}" ~/"$(basename "${@: -1}")" \
|
||||
--unshare-user \
|
||||
--unshare-pid \
|
||||
--unshare-net \
|
||||
--unshare-uts \
|
||||
--unshare-cgroup \
|
||||
--new-session \
|
||||
--seccomp 10 \
|
||||
10< /usr/local/bin/seccomp_default_filter.bpf \
|
||||
/usr/bin/imv-wayland "$@"
|
||||
)
|
||||
|
|
@ -1,29 +0,0 @@
|
|||
#!/usr/bin/env bash
|
||||
set -euo pipefail
|
||||
(
|
||||
exec bwrap \
|
||||
--ro-bind /usr/bin/ssh /usr/bin/ssh \
|
||||
--ro-bind /usr/share /usr/share \
|
||||
--ro-bind /usr/lib /usr/lib \
|
||||
--ro-bind /usr/lib64 /usr/lib64 \
|
||||
--symlink /usr/lib64 /lib64 \
|
||||
--tmpfs /usr/lib/modules \
|
||||
--tmpfs /usr/lib/systemd \
|
||||
--tmpfs /usr/lib/gcc \
|
||||
--proc /proc \
|
||||
--dev-bind /dev /dev \
|
||||
--ro-bind ~/.ssh/ ~/.ssh/ \
|
||||
--ro-bind /etc /etc \
|
||||
--chdir ~/ \
|
||||
--unsetenv MOZ_PLUGIN_PATH \
|
||||
--unsetenv DBUS_SESSION_BUS_ADDRESS \
|
||||
--unsetenv MAIL \
|
||||
--unsetenv DISPLAY \
|
||||
--setenv PATH /usr/bin \
|
||||
--unshare-pid \
|
||||
--unshare-uts \
|
||||
--unshare-cgroup \
|
||||
--seccomp 10 \
|
||||
10< /usr/local/bin/seccomp_default_filter.bpf \
|
||||
/usr/bin/ssh "$@"
|
||||
)
|
||||
|
|
@ -1,75 +0,0 @@
|
|||
#!/usr/bin/env bash
|
||||
set -euo pipefail
|
||||
(
|
||||
exec bwrap \
|
||||
--ro-bind /usr/bin /usr/bin/ \
|
||||
--ro-bind /usr/share /usr/share/ \
|
||||
--ro-bind /usr/lib /usr/lib \
|
||||
--ro-bind /usr/lib64 /usr/lib64 \
|
||||
--symlink /usr/lib64 /lib64 \
|
||||
--symlink /usr/lib /lib \
|
||||
--symlink /usr/bin /bin \
|
||||
--symlink /usr/bin /sbin \
|
||||
--tmpfs /usr/lib/modules \
|
||||
--tmpfs /usr/lib/systemd \
|
||||
--tmpfs /usr/lib/gcc \
|
||||
--proc /proc \
|
||||
--dev /dev \
|
||||
--ro-bind /tmp/.X11-unix /tmp/.X11-unix \
|
||||
--ro-bind /etc/passwd /etc/passwd \
|
||||
--ro-bind /etc/group /etc/group \
|
||||
--ro-bind /etc/hostname /etc/hostname \
|
||||
--ro-bind /etc/hosts /etc/hosts \
|
||||
--ro-bind /etc/localtime /etc/localtime \
|
||||
--ro-bind /etc/nsswitch.conf /etc/nsswitch.conf \
|
||||
--ro-bind /etc/resolv.conf /etc/resolv.conf \
|
||||
--ro-bind /etc/xdg /etc/xdg \
|
||||
--ro-bind /etc/gtk-2.0 /etc/gtk-2.0 \
|
||||
--ro-bind /etc/gtk-3.0 /etc/gtk-3.0 \
|
||||
--ro-bind /etc/X11 /etc/X11 \
|
||||
--ro-bind /etc/fonts /etc/fonts \
|
||||
--ro-bind /etc/mime.types /etc/mime.types \
|
||||
--ro-bind /etc/pulse /etc/pulse \
|
||||
--tmpfs /run \
|
||||
--ro-bind ~/.Xauthority /home/jail/.Xauthority \
|
||||
--bind ~/.mozilla /home/jail/.mozilla \
|
||||
--bind ~/.cache/mozilla /home/jail/.cache/mozilla \
|
||||
--bind ~/.cache/thunderbird /home/jail/.cache/thunderbird \
|
||||
--bind ~/.thunderbird /home/jail/.thunderbird \
|
||||
--bind ~/Downloads /home/jail/Downloads \
|
||||
--chdir /home/jail \
|
||||
--unsetenv XTERM_LOCALE \
|
||||
--unsetenv TERM \
|
||||
--unsetenv XTERM_VERSION \
|
||||
--unsetenv XTERM_SHELL \
|
||||
--unsetenv DBUS_SESSION_BUS_ADDRESS \
|
||||
--unsetenv XDG_RUNTIME_DIR \
|
||||
--unsetenv MAIL \
|
||||
--setenv SHELL /bin/false \
|
||||
--setenv HOME /home/jail \
|
||||
--setenv XAUTHORITY /home/jail/.Xauthority \
|
||||
--setenv USER nobody \
|
||||
--setenv LOGNAME nobody \
|
||||
--unshare-user-try \
|
||||
--unshare-pid \
|
||||
--unshare-uts \
|
||||
--unshare-cgroup \
|
||||
--new-session \
|
||||
--seccomp 10 \
|
||||
10< /usr/local/bin/seccomp_default_filter.bpf \
|
||||
/usr/bin/thunderbird
|
||||
)
|
||||
|
||||
# todo:
|
||||
|
||||
# --ro-bind /usr/share/locale /usr/share/locale \
|
||||
# --ro-bind /usr/share/X11 /usr/share/X11 \
|
||||
# --ro-bind /usr/share/gtk-3.0 /usr/share/gtk-3.0 \
|
||||
# --ro-bind /usr/share/fonts /usr/share/fonts \
|
||||
# --ro-bind /usr/share/ca-certificates /usr/share/ca-certificates \
|
||||
# --ro-bind /usr/share/icons /usr/share/icons \
|
||||
# --ro-bind /usr/share/pixmaps /usr/share/pixmaps \
|
||||
# --ro-bind /usr/share/mime /usr/share/mime \
|
||||
# --ro-bind /usr/share/applications /usr/share/applications \
|
||||
# --ro-bind /usr/share/glib-2.0 /usr/share/glib-2.0 \
|
||||
# --bind /var/cache/fontconfig
|
||||
|
|
@ -8,16 +8,20 @@ set -euo pipefail
|
|||
--ro-bind /usr/lib64 /usr/lib64 \
|
||||
--symlink /usr/lib64 /lib64 \
|
||||
--proc /proc \
|
||||
--ro-bind /run/user/"$(id -u)"/wayland-1 /run/user/"$(id -u)"/wayland-1 \
|
||||
--ro-bind /run/user/"$(id -u)"/"$WAYLAND_DISPLAY" /run/user/"$(id -u)"/"$WAYLAND_DISPLAY" \
|
||||
--ro-bind /etc/fonts /etc/fonts \
|
||||
--ro-bind ~/.config/zathura ~/.config/zathura \
|
||||
--ro-bind ~/.cache/fontconfig ~/.cache/fontconfig \
|
||||
--ro-bind "${@: -1}" ~/"$(basename "${@: -1}")" \
|
||||
--chdir ~/ \
|
||||
--ro-bind-try ~/.config/zathura ~/.config/zathura \
|
||||
--ro-bind-try ~/.cache/fontconfig ~/.cache/fontconfig \
|
||||
--ro-bind-try "${@: -1}" "${@: -1}" \
|
||||
--unsetenv DBUS_SESSION_BUS_ADDRESS \
|
||||
--unshare-all \
|
||||
--new-session \
|
||||
--seccomp 10 \
|
||||
10< /usr/local/bin/seccomp_default_filter.bpf \
|
||||
/usr/bin/zathura --config-dir=~/.config/zathura/ "$(basename "${@: -1}")"
|
||||
/usr/bin/zathura --config-dir=~/.config/zathura/ "$@"
|
||||
)
|
||||
|
||||
|
||||
## zathura also supports a native sandbox via seccomp filter
|
||||
## To use the internal sandbox in addition, add this to ~/.config/zathura/zathurarc :
|
||||
## set sandbox strict
|
||||
|
|
|
|||
Loading…
Reference in New Issue