How to properly use bubblwrap?
How to properly use bubblwrap?
I want to sandbox things like Steam, Discord and even firefox and I see bubblwrap getting recommended a lot as the preferred sandboxing tool but I'm hardpressed on how to actually use it. I don't know what to enable and what not to.
PS. Please don't recommend Flatpak, I'm aware Flatpak uses bwrap but I want to avoid Flatpak unless absolute necessary. I don't have anything against Flatpak, just personal preference :D.
You're viewing a single thread.
Here's how I run Firefox, for instance:
#!/bin/zsh function r { for p in $@; do [[ -e $p ]] && echo --ro-bind-try $p $p; done; } function w { for p in $@; do [[ -e $p ]] && echo --bind-try $p $p; done; } function ln { echo --symlink $1 $2; } function wdev { for p in $@; do echo --dev-bind-try $p $p; done; } bwopt=( --unshare-pid --unshare-uts --unshare-ipc --unshare-cgroup --proc /proc --dev /dev --tmpfs /dev/shm --mqueue /dev/mqueue $(wdev /dev/dri /dev/v4l /dev/video*) $(r /sys/{dev,devices,bus/pci}) --dir /var/tmp --dir /run/lock $(ln ../run /var/run) $(ln ../run/lock /var/lock) $(w /tmp/.{X11-unix,ICE-unix}) $(r /usr/lib) $(ln usr/lib /lib64) $(ln lib /usr/lib64) $(r /usr/share) $(r /var/{cache/fontconfig,lib/dbus/machine-id}) $(r /etc/{passwd,group,nsswitch.conf,resolv.conf,hosts,gai.conf,ld.so*}) $(r /etc/{localtime,lsb-release,machine-id}) $(r /etc/{ca-certificates,ssl}) $(r /etc/{dconf,fonts,gtk-*,host.conf,xdg,mime.types,pulse}) $(r ${XAUTHORITY} ${DBUS_SESSION_BUS_ADDRESS/unix:path=}) $(w ${XDG_RUNTIME_DIR}/{ICEauthority,dconf,pulse,gvfsd,wayland-*,p11-kit,flatpak-info}) $(w ~/.{mozilla,cache/mozilla}) $(r ~/.cache/{fontconfig,mesa_shader_cache}) $(r ~/.config/{dconf,fontconfig,user-dirs.dirs,gtk-*,mimeapps.list,pulse}) $(r ~/.{fonts,local/share/{themes,icons}}) $(w ~/down /tmp/swap) ) exec nice \ systemd-run --quiet --user --scope --slice=firefox.slice \ bwrap --args 9 9< <(printf $'%s\0' $bwopt) \ -- /usr/lib/firefox/firefox $@Using this for about 5 years. Ran
straceon a session to see what to allow access to. It's got full access to/liband too much access to/sysb/c I'm lazy, but it can not see any executables or most of~.I'm using something similar whenever I want to precisely isolate a program.
Thank you for this. But if I may ask can you tell me what some of these options do? I can understand what some of these do just by looking, like giving directory access.
Will this work on my system where I use a combo of Wayland + Pipewire?
Thank you for this. But if I may ask can you tell me what some of these options do? I can understand what some of these do just by looking, like giving directory access.
Check
bwrap(1)for details, it's all there.Will this work on my system where I use a combo of Wayland + Pipewire?
Yes, and yes.
How do I use this btw? I pasted this on an executable and it says
Permission Denied.It's a shell script, right? Save the text as a
<FILE>,chmod +x <FILE>,./<FILE>.You might not have
zsh, in which case you need to replace shebang (#!/bin/zsh) with bash and fix what breaks (IIRC you can't quite do a printf like that in bash).It works by constructing an array of argument strings β which you can see with
echo $bwoptβ and printing it, concatenated using\0as a separator. It's printed to a file descriptor, open as fd 9 in the child process. Alternatively, you can just givebwrapthose arguments directly (bwrap $bwopt).