1 (edited by the_hype 2021-07-18 09:21:15)

Topic: bubblewrap profiles

In the lack of firejail i tested bubblewrap a bit. And it is very nice - with user priv. only. (The confstruction of the profiles is such a nice way to know, on what the programs depend on.)

Obviously, there is a lot of room for optimizing profiles - fitting exactly (f.e.) Hyperbola-OS.

Do you have bwrap-profiles you can share??? (mine are very basic at the time...)

thx

You may or may not believe the hype - PE#1

2 (edited by the_hype 2021-07-22 13:51:52)

Re: bubblewrap profiles

a nice set up to have the best of both worlds: security and usability

for example in this use case:
Especially the interactive shell is security-critical, but also a nice shell is fun smile

Use as a login shell mksh and for interactive usage fish-shell (or zsh) in a sandbox like this:

#!/bin/sh
(exec bwrap \
  --proc /proc \
  --dev /dev \
  --dev-bind /dev /dev \
  --ro-bind /usr /usr \
  --ro-bind /bin /bin \
  --ro-bind /etc /etc \
  --ro-bind /lib /lib \
  --ro-bind /var/lib/pacman /var/lib/pacman \
  --bind "$HOME" "$HOME" \
  --bind /tmp /tmp \
  --bind /media /media \
  --unshare-cgroup \
  --unshare-ipc \
  --unshare-uts \
  /usr/bin/fish "$@")

#  --unshare-pid \

this leads to a strictly restricted home-only interactive shell with no suid / use an external mksh for sudo/doas stuff

(remember: all client launched from that shell will have the same restrictions, which is intended)

obviously this can be improved

You may or may not believe the hype - PE#1

3

Re: bubblewrap profiles

Hey guys!

Another examples:

- https://notabug.org/heckyel/i3-config/src/master/bwrap

~ Jesús E.
Hyperbola, Security Team