https://wiki.archlinux.org/api.php?action=feedcontributions&user=Kynikos&namespace=0&feedformat=atomArchWiki - User contributions [en]2024-03-29T11:35:50ZUser contributionsMediaWiki 1.41.0https://wiki.archlinux.org/index.php?title=Dell_XPS_13_2-in-1_(9315)&diff=799784Dell XPS 13 2-in-1 (9315)2024-02-05T17:25:47Z<p>Kynikos: fix some grammar and spelling here and there</p>
<hr />
<div>[[Category:Dell]]<br />
{| class="wikitable" style="float: right;"<br />
|-<br />
! Hardware !! PCI/USB ID !! Working?<br />
|-<br />
| Touchpad || {{ic|0488:1035}} || {{Yes}}<br />
|-<br />
| Keyboard || {{ic|0488:1035}} || {{Yes}}<br />
|-<br />
| GPU || {{ic|8086:46aa}} || {{Yes}}<br />
|-<br />
| Webcam || || {{No}}<br />
|-<br />
| Bluetooth || {{ic|8087:0033}} || {{Yes}}<br />
|-<br />
| Audio || {{ic|8086:51cc}} || {{Yes}}<br />
|-<br />
| Wireless || {{ic|8086:51f0}} || {{Yes}}<br />
|-<br />
| Thunderbolt 4 |||| {{Yes}}<br />
|-<br />
| Fingerprint reader || {{ic|27c6:6382}} || {{No}}<br />
|-<br />
| TPM || || {{Y|Untested}}<br />
|-<br />
| Accelerometer Sensor || ||{{Yes}}<br />
|-<br />
| Stylus PEN |||| {{Yes}}<br />
|}<br />
<br />
== Installation ==<br />
<br />
RAID mode is enabled by default. AHCI mode '''must''' be used, otherwise the disks will be invisible [https://bbs.archlinux.org/viewtopic.php?id=242282]. Using RAID mode will trigger a relevant log message in the [[journal]].<br />
<br />
== Accessibility ==<br />
<br />
To enter the BIOS setup press {{ic|Volume down}} on the keyboard, otherwise for the boot menu press the {{ic|End}} key.<br />
<br />
For more information it is advisable to visit [[#See also|the service manual]].<br />
<br />
== Audio ==<br />
<br />
[[ALSA firmware]] is required to make audio work.<br />
<br />
== Accelerometer and ambient-light sensor ==<br />
<br />
{{pkg|iio-sensor-proxy}} is required for these sensors to work.<br />
<br />
== Stylus pen (PN9315A) ==<br />
<br />
Works out of the box for writing under [[Wayland]], after configuring the {{ic|bluetooth}} service. See [[Bluetooth]], [[libinput]] and {{pkg|libwacom}}.<br />
<br />
{{Note|The button on top of the pen works via Bluetooth. The other buttons do not work via Bluetooth.}}<br />
<br />
This button will be seen by the system as an additional key, so by customizing the keyboard shortcuts it will be possible to associate a function to it via the {{pkg|ydotool}} package.<br />
<br />
[[Xorg]] needs [[Bluetooth]], {{pkg|xf86-input-libinput}}, {{pkg|xf86-input-wacom}} and {{pkg|xdotool}} to associate and execute the shortcut to activate a window by pressing the pen's top button.<br />
<br />
== Function / Media keys ==<br />
<br />
Function keys have two options in the BIOS. By default the {{ic|Fn}} lock is enabled, so pressing {{ic|Fn}} triggers the {{ic|F1}}, {{ic|F2}} etc. keys; by changing the configuration in the BIOS you can have the media keys as primary instead.<br />
<br />
Otherwise by pressing {{ic|Fn+Esc}} you can lock or unlock the {{ic|Fn}} key.<br />
<br />
=== Table of function keys ===<br />
<br />
{| class="wikitable"<br />
|-<br />
! Key<br />
! Visible?<sup>1</sup><br />
! Marked?<sup>2</sup><br />
! Effect<br />
|-<br />
| {{ic|Fn+Esc}} || {{Yes}} || {{Yes}} || Enable/disable Fn lock<br />
|-<br />
| {{ic|Fn+F1}} || {{Yes}} || {{Yes}} || Mute volume<br />
|-<br />
| {{ic|Fn+F2}} || {{Yes}} || {{Yes}} || Lower volume<br />
|-<br />
| {{ic|Fn+F3}} || {{Yes}} || {{Yes}} || Raise volume<br />
|-<br />
| {{ic|Fn+F4}} || {{Yes}} || {{Yes}} || Mute microphone<br />
|-<br />
| {{ic|Fn+F5}} || {{Yes}} || {{Yes}} || Play or Pause<br />
|-<br />
| {{ic|Fn+F6}} || {{Yes}} || {{Yes}} || Increase or decrease keyboard backlight brightness<br />
|-<br />
| {{ic|Fn+F7}} || {{Yes}} || {{Yes}} || Lower screen brightness <br />
|-<br />
| {{ic|Fn+F8}} || {{Yes}} || {{Yes}} || Raise screen brightness<br />
|-<br />
| {{ic|Fn+F9}} || {{Yes}} || {{Yes}} ||<br />
|-<br />
| {{ic|Fn+F10}} || {{Yes}} || {{Yes}} || Screenshot<br />
|-<br />
| {{ic|Fn+F11}} || {{Yes}} || {{Yes}} || Home<br />
|-<br />
| {{ic|Fn+F12}} || {{Yes}} || {{Yes}} || End<br />
|}<br />
<br />
== See also ==<br />
<br />
* Official service manual: https://dl.dell.com/content/manual5075979-xps-13-9315-2-in-1-service-manual.pdf?language=en-us</div>Kynikoshttps://wiki.archlinux.org/index.php?title=Dell_XPS_13_2-in-1_(9315)&diff=799783Dell XPS 13 2-in-1 (9315)2024-02-05T17:24:50Z<p>Kynikos: (author asked for feedback) remove redundant interlanguage link; fix white space</p>
<hr />
<div>[[Category:Dell]]<br />
{| class="wikitable" style="float: right;"<br />
|-<br />
! Hardware !! PCI/USB ID !! Working?<br />
|-<br />
| Touchpad || {{ic|0488:1035}} || {{Yes}}<br />
|-<br />
| Keyboard || {{ic|0488:1035}} || {{Yes}}<br />
|-<br />
| GPU || {{ic|8086:46aa}} || {{Yes}}<br />
|-<br />
| Webcam || || {{No}}<br />
|-<br />
| Bluetooth || {{ic|8087:0033}} || {{Yes}}<br />
|-<br />
| Audio || {{ic|8086:51cc}} || {{Yes}}<br />
|-<br />
| Wireless || {{ic|8086:51f0}} || {{Yes}}<br />
|-<br />
| Thunderbolt 4 |||| {{Yes}}<br />
|-<br />
| Fingerprint reader || {{ic|27c6:6382}} || {{No}}<br />
|-<br />
| TPM || || {{Y|Untested}}<br />
|-<br />
| Accelerometer Sensor || ||{{Yes}}<br />
|-<br />
| Stylus PEN |||| {{Yes}}<br />
|}<br />
<br />
== Installation ==<br />
<br />
RAID mode is enabled by default. AHCI mode '''must''' be used, otherwise the disks will be invisible [https://bbs.archlinux.org/viewtopic.php?id=242282]. Using RAID mode will trigger a relevant log message in the [[journal]].<br />
<br />
== Accessibility ==<br />
<br />
To enter the BIOS setup press {{ic|Down volume}} on the keyboard; for the boot menu press the {{ic|end}} key.<br />
For more information and functions, it is advisable to visit [[#See also|the service manual]].<br />
<br />
== Audio ==<br />
<br />
[[ALSA firmware]] is required to make the audio work.<br />
<br />
== Accelerometer/Ambient Light Sensor ==<br />
<br />
{{pkg|iio-sensor-proxy}} is required for these sensors to work.<br />
<br />
== Stylus PEN (PN9315A) ==<br />
<br />
Works out of the box for writing under [[Wayland]], after configuring the Bluetooth service. See [[Bluetooth]], [[libinput]] and {{pkg|libwacom}}.<br />
<br />
{{Note|The button on top of the pen works via Bluetooth.<br />
The other buttons do not work via Bluetooth.}}<br />
<br />
This button will be seen by the system as an additional key, so by customizing the keyboard shortcuts it will be possible to associate a function to it via {{pkg|ydotool}}.<br />
<br />
[[Xorg]] needs [[Bluetooth]], {{pkg|xf86-input-libinput}}, {{pkg|xf86-input-wacom}} and {{pkg|xdotool}} to associate and execute a shortcut that activates a window when the top button of the pen is pressed.<br />
<br />
== Function Keys ==<br />
<br />
Function keys have two options in the BIOS.<br />
By default the {{ic|Fn}} lock is enabled.<br />
Pressing the {{ic|Fn}} key together with another key gives you {{ic|F1}}, {{ic|F2}}, etc., but by changing the configuration in the BIOS you can have the function keys as primary.<br />
<br />
Otherwise, by pressing {{ic|Fn+Esc}} you can lock or unlock the {{ic|Fn}} key.<br />
<br />
=== Table of Function keys ===<br />
<br />
{| class="wikitable"<br />
|-<br />
! Key<br />
! Visible?<sup>1</sup><br />
! Marked?<sup>2</sup><br />
! Effect<br />
|-<br />
| {{ic|Fn+Esc}} || {{Yes}} || {{Yes}} || Enable/disable Fn lock<br />
|-<br />
| {{ic|Fn+F1}} || {{Yes}} || {{Yes}} || Mute Volume<br />
|-<br />
| {{ic|Fn+F2}} || {{Yes}} || {{Yes}} || Lower Volume<br />
|-<br />
| {{ic|Fn+F3}} || {{Yes}} || {{Yes}} || Raise Volume<br />
|-<br />
| {{ic|Fn+F4}} || {{Yes}} || {{Yes}} || Mute Microphone<br />
|-<br />
| {{ic|Fn+F5}} || {{Yes}} || {{Yes}} || Play or Pause<br />
|-<br />
| {{ic|Fn+F6}} || {{Yes}} || {{Yes}} || Increase or decrease keyboard backlight brightness<br />
|-<br />
| {{ic|Fn+F7}} || {{Yes}} || {{Yes}} || Lower Screen Brightness <br />
|-<br />
| {{ic|Fn+F8}} || {{Yes}} || {{Yes}} || Raise Screen Brightness<br />
|-<br />
| {{ic|Fn+F9}} || {{Yes}} || {{Yes}} ||<br />
|-<br />
| {{ic|Fn+F10}} || {{Yes}} || {{Yes}} || Screenshot<br />
|-<br />
| {{ic|Fn+F11}} || {{Yes}} || {{Yes}} || home<br />
|-<br />
| {{ic|Fn+F12}} || {{Yes}} || {{Yes}} || end<br />
|}<br />
<br />
== See also ==<br />
<br />
* Official service manual: https://dl.dell.com/content/manual5075979-xps-13-9315-2-in-1-service-manual.pdf?language=en-us</div>Kynikoshttps://wiki.archlinux.org/index.php?title=Offline_installation&diff=781395Offline installation2023-06-18T07:56:36Z<p>Kynikos: /* See also */ spelling</p>
<hr />
<div>[[Category:Live Arch systems]]<br />
[[Category:Installation process]]<br />
[[cs:Offline installation]]<br />
[[ja:オフラインインストール]]<br />
[[ru:Offline installation]]<br />
[[zh-hans:Offline installation]]<br />
This article provides instructions on installing Arch Linux on a system without an Internet connection. To do this, another system with a working Internet connection is required.<br />
<br />
First, follow the [[Installation guide]], skipping the [[Installation guide#Connect to the internet]] section, until the [[Installation guide#Install essential packages]] step.<br />
<br />
{{Warning|Extracting the root file system image ({{ic|airootfs.sfs}}) from the ISO or copying the live environment's root file system is not a supported installation method.}}<br />
<br />
== Prepare local repository ==<br />
<br />
Follow [[Pacman/Tips and tricks#Installing packages from a CD/DVD or USB stick]] for instructions on preparing a local repository with the necessary files on a separate host installation.<br />
<br />
At the very least, for a functioning system, the following packages are recommended:<br />
<br />
# pacman -Syw --cachedir . --dbpath /tmp/blankdb base base-devel linux linux-firmware mkinitcpio vim<br />
<br />
Create your custom offline repository:<br />
<br />
# repo-add ./custom.db.tar.gz ./*[^sig]<br />
<br />
== Mount and configure ==<br />
<br />
{{Expansion|Add optional instructions on placing the custom repo in the ISO.}}<br />
<br />
Once the repository is prepared, connect the external media to the new installation, and mount it on the newly created root filesystem:<br />
<br />
# mount --mkdir /dev/sd''xy'' /mnt/repo<br />
<br />
Edit your archiso {{ic|/etc/pacman.conf}} and add a new section:<br />
<br />
{{hc|/etc/pacman.conf|2=<br />
[custom]<br />
SigLevel = Optional<br />
Server = file:///mnt/repo/<br />
}}<br />
<br />
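Comment out {{ic|[core]}} and {{ic|[extra]}} so that pacman does not fail on the default repositories. Note that {{ic|1=SigLevel = Optional}} makes pacman check signatures when they are present but also accept packages and databases that have none.<br />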
<br />
== Pacstrap ==<br />
<br />
You can now continue to pacstrap your locally-available packages to the new installation:<br />
<br />
# pacstrap -K /mnt base base-devel linux linux-firmware mkinitcpio vim<br />
<br />
== Offline installation of packages ==<br />
<br />
=== Install from file ===<br />
<br />
In case the offline installation process was only temporary, but requires manual installation of some packages before being able to access a network, see [[pacman#Additional commands]] to learn how to install local packages. <br />
<br />
[[Shell]] [[Wikipedia:Glob_(programming)|globbing]] can be used to install many packages at once: <br />
<br />
# pacman -U /package/folder/*.tar.zst<br />
<br />
=== Offline cache ===<br />
<br />
You can put the required files into {{ic|/var/lib/pacman/sync}} and {{ic|/var/cache/pacman/pkg}}, so as to make {{ic|pacman}} think it has everything it needs to do searches, updates, and installs. The following method is based on two forum threads: [https://bbs.archlinux.org/viewtopic.php?pid=463238#p463238][https://bbs.archlinux.org/viewtopic.php?id=30431].<br />
<br />
The steps are:<br />
<br />
# downloading the up to date package databases on a computer with internet access, <br />
# transferring them to the offline computer, <br />
# generating the list of packages required from the offline computer to update it, <br />
# downloading them with their signature on a computer with internet access, <br />
# transferring them to the pacman cache of the offline computer, <br />
# installing the updates.<br />
<br />
{{Tip|If you changed your default repositories from the defaults (core, extra and multilib), you should review your {{ic|/etc/pacman.conf}} file.}}<br />
<br />
The following script will download the updated package databases. If needed, change {{ic|MIRROR}} to any mirror from the [https://archlinux.org/mirrors/status/ mirror status list].<br />
<br />
{{hc|download_databases.sh|2=<br />
#!/bin/sh<br />
<br />
ARCH="x86_64"<br />
MIRROR="https://mirrors.kernel.org/archlinux/"<br />
<br />
wget "${MIRROR}/core/os/${ARCH}/core.db"<br />
wget "${MIRROR}/extra/os/${ARCH}/extra.db"<br />
wget "${MIRROR}/multilib/os/${ARCH}/multilib.db"<br />
<br />
# and possibly -uncomment- (if customized in /etc/pacman.conf or pacman.conf.d):<br />
<br />
#wget "${MIRROR}/core-testing/os/${ARCH}/core-testing.db"<br />
#wget "${MIRROR}/extra-testing/os/${ARCH}/extra-testing.db"<br />
#wget "${MIRROR}/multilib-testing/os/${ARCH}/multilib-testing.db"<br />
<br />
# and -additionally- debug and staging packages.<br />
}}<br />
<br />
Make the script [[executable]] and run it. You will obtain multiple ''.db'' files. <br />
<br />
The next steps are to transfer the ''.db'' files to the offline PC, so that you are working with up-to-date package lists (as if you ran {{ic|pacman -Sy}}), and then to generate a list of packages required for the update: <br />
<br />
# cp *.db /var/lib/pacman/sync/<br />
# pacman -Sup --noconfirm > pkglist<br />
<br />
{{Note|Make sure that you have enabled at least one of the servers defined in the {{ic|/etc/pacman.d/mirrorlist}} file. Otherwise, all you get is a misleading error message: {{ic|error: no database for package: package-name}}.}}<br />
<br />
You will also need to download the corresponding package signatures, so prepare the list of signatures to download:<br />
<br />
# sed -e 's/\.zst$/.zst.sig/' ../pkglist > ../siglist<br />
<br />
Next, bring the two lists with you to a place where you have internet and download the listed packages in an empty directory:<br />
<br />
# wget -nv -i ../pkglist<br />
# wget -nv -i ../siglist<br />
<br />
{{Tip|When using [https://www.cygwin.com cygwin] or some other kind of Windows environment to download the packages, the filenames will get mangled, since default Windows file naming requires escaping characters such as colons. To avoid this (under cygwin, since it does not follow such restrictions), use {{ic|1=wget --restrict-file-names=unix}}.}}<br />
<br />
Take all the {{ic|*.pkg.tar.zst}} and {{ic|*.pkg.tar.zst.sig}} files back home, put them in {{ic|/var/cache/pacman/pkg}} and finally run:<br />
<br />
# pacman -Su<br />
<br />
=== Local repository ===<br />
<br />
In case the new system is expected to remain offline or airgapped, it should be configured to expect only local repositories. <br />
<br />
==== Complete repository ====<br />
<br />
After chrooting into your new installation, edit the new {{ic|/etc/pacman.conf}} in the same way as previously (but without the {{ic|/mnt}} prefix):<br />
<br />
{{hc|/etc/pacman.conf|2=<br />
[custom]<br />
SigLevel = Optional<br />
Server = file:///repo/<br />
}}<br />
<br />
Comment out all other repositories and save. Continue configuring the new system as usual.<br />
<br />
From now on any updates to the offline system can be made by bringing an up to date copy of the local repository, mounting it to {{ic|/repo}} and running pacman commands as usual.<br />
<br />
== See also ==<br />
<br />
* [[Offline reading]]: for browsing ArchWiki offline.</div>Kynikoshttps://wiki.archlinux.org/index.php?title=Database_download&diff=781393Database download2023-06-18T07:52:10Z<p>Kynikos: merged to Help:Browsing#Offline viewing</p>
<hr />
<div>#redirect [[Help:Browsing#Offline viewing]]</div>Kynikoshttps://wiki.archlinux.org/index.php?title=GNU_(Qhichwa)&diff=781388GNU (Qhichwa)2023-06-18T07:41:54Z<p>Kynikos: add categories</p>
<hr />
<div>[[Category:GNU (Qhichwa)]]<br />
[[Category:Lists of software (Qhichwa)]]<br />
GNU is an operating system and an extensive collection of computer software. GNU is composed wholly of free software, most of which is licensed under the GNU Project's own General Public License (GPL). GNU is "GNU's Not Unix!"</div>Kynikoshttps://wiki.archlinux.org/index.php?title=Distrobox&diff=781387Distrobox2023-06-18T07:41:00Z<p>Kynikos: categorize like Docker</p>
<hr />
<div>[[Category:Virtualization]]<br />
[[Category:Sandboxing]]<br />
Distrobox is a container wrapping layer that allows the user to install containerised versions of Linux distributions that differ from the host, while providing tight integration with the host. This allows binaries designed for one distribution to run on another.<br />
<br />
Distrobox itself is not a container manager and relies on [[Podman]] or [[Docker]] to create containers.<br />
<br />
From the Distrobox documentation:<br />
<br />
''Use any Linux distribution inside your terminal. Enable both backward and forward compatibility with software and freedom to use whatever distribution you’re more comfortable with. Distrobox uses podman or docker to create containers using the Linux distribution of your choice. The created container will be tightly integrated with the host, allowing sharing of the HOME directory of the user, external storage, external USB devices and graphical apps (X11/Wayland), and audio.''<br />
<br />
== Security implications ==<br />
<br />
Distrobox does not aim to sandbox containers from the host (this would be impossible due to the tight integration nature of the project). As such, containers running inside Distrobox will have full access to your home folder as well as a few other locations.<br />
<br />
A sandboxed mode of operation is currently in the planning stages; you can track its progress [https://github.com/89luca89/distrobox/issues/28 here].<br />
<br />
It is recommended to use Podman over Docker, since by default Docker will run containers as root, and rootful containers '''will have unrestricted access to your host's filesystem'''. Rootless Docker is currently not working, though it is being worked on.<br />
<br />
== Installation ==<br />
<br />
=== With root access ===<br />
<br />
First follow the page for '''either''' [[Podman]] or [[Docker]] and make sure you are able to install and run a Hello World container.<br />
<br />
[[Pacman#Installing_packages|Install]] either {{pkg|distrobox}} or {{aur|distrobox-git}}.<br />
<br />
=== Without root access/Immutable filesystem ===<br />
<br />
Install Distrobox and Podman to your home folder using [[curl]] by running both of the following:<br />
<br />
{{ic|Distrobox}}<br />
$ curl -s https://raw.githubusercontent.com/89luca89/distrobox/main/install | sh -s -- --prefix ~/.local<br />
<br />
{{ic|Podman}}<br />
$ curl -s https://raw.githubusercontent.com/89luca89/distrobox/main/extras/install-podman | sh -s -- --prefix ~/.local<br />
<br />
Add the following locations to your {{ic|$PATH}} by setting a [[Environment_variables#Per_user|per user Environment Variable]]:<br />
$HOME/.local/bin<br />
$HOME/.local/podman/bin<br />
<br />
If you have issues with graphical applications running inside your containers then you also need to install {{pkg|xorg-xhost}} and add the following to {{ic|~/.bashrc}} or {{ic|~/.profile}} or {{ic|~/.xinitrc}}:<br />
xhost +si:localuser:$USER<br />
<br />
==== Uninstalling ====<br />
<br />
Distrobox provides an uninstallation script for rootless installs. To execute it, run the following:<br />
$ curl -s https://raw.githubusercontent.com/89luca89/distrobox/main/uninstall | sh -s -- --prefix ~/.local<br />
{{Note|This script is only required if you installed rootless. If you installed via [[Pacman]], you should [[Pacman#Removing_packages|uninstall]] in the usual way.}}<br />
<br />
== Usage ==<br />
<br />
{{Note| <br />
* Throughout the following section {{ic|''name''}} is a variable and can be whatever you want. In all cases replace {{ic|''name''}} with the actual name you choose<br />
* For the full list of supported options in any sub category use {{ic|''--help''}}, for example to see all creation options use {{ic|distrobox create --help}}<br />
* A full list of supported distros along with their image names can be found at https://distrobox.privatedns.org/compatibility.html#containers-distros<br />
* For more advanced usage techniques please see the Distrobox Documentation page at https://distrobox.privatedns.org/usage/usage.html}}<br />
<br />
To create a new container run the following:<br />
$ distrobox create -n ''name''<br />
<br />
To list installed containers run the following:<br />
$ distrobox list<br />
<br />
To interact with an installed container run the following:<br />
$ distrobox enter ''name''<br />
<br />
or you can send a command directly to a container with:<br />
$ distrobox enter ''name'' -- ''command-to-execute''<br />
<br />
To stop a running container run the following:<br />
$ distrobox stop ''name''<br />
<br />
To delete a container run the following:<br />
$ distrobox rm ''name''<br />
<br />
To install a specific distro into a container run the following (in this example it is Ubuntu):<br />
$ distrobox create --image ubuntu:22.04<br />
<br />
Installations can be fully customised as follows (in this example it is a container called ''test'' running Gentoo with root access):<br />
$ distrobox create -i docker.io/gentoo/stage3:latest -n test --root<br />
<br />
If you need your container to have root access to the host then it is recommended that you use the {{ic|''--root''}} switch over {{ic|''sudo distrobox''}}.<br />
<br />
== Configuration ==<br />
<br />
It is possible to configure Distrobox in two ways, either with a configuration file or by using [[Environment variables|Environment Variables]].<br />
<br />
=== Configuration file ===<br />
<br />
Distrobox checks the following locations for config files, from least important to most important:<br />
<br />
* /usr/share/distrobox/distrobox.conf<br />
* /usr/etc/distrobox/distrobox.conf<br />
* /etc/distrobox/distrobox.conf<br />
* ${HOME}/.config/distrobox/distrobox.conf<br />
* ${HOME}/.distroboxrc<br />
<br />
An example config file is as follows:<br />
container_always_pull="1"<br />
container_generate_entry=0<br />
container_manager="docker"<br />
container_image_default="registry.opensuse.org/opensuse/toolbox:latest"<br />
container_name_default="test-name-1"<br />
container_user_custom_home="$HOME/.local/share/container-home-test"<br />
container_init_hook="~/.local/distrobox/a_custom_default_init_hook.sh"<br />
container_pre_init_hook="~/a_custom_default_pre_init_hook.sh"<br />
non_interactive="1"<br />
skip_workdir="0"<br />
<br />
=== Environment variables ===<br />
<br />
The following variables are available and should be set using a [[Environment_variables#Per_user|per user Environment Variable]]:<br />
DBX_CONTAINER_ALWAYS_PULL<br />
DBX_CONTAINER_CUSTOM_HOME<br />
DBX_CONTAINER_IMAGE<br />
DBX_CONTAINER_MANAGER<br />
DBX_CONTAINER_NAME<br />
DBX_CONTAINER_ENTRY<br />
DBX_NON_INTERACTIVE<br />
DBX_SKIP_WORKDIR<br />
<br />
== See also ==<br />
* [https://github.com/89luca89/distrobox/ Project Github page]<br />
* [https://distrobox.privatedns.org/ Project documentation page]</div>Kynikoshttps://wiki.archlinux.org/index.php?title=Bottles&diff=771193Bottles2023-03-05T08:30:51Z<p>Kynikos: categorize like Wine</p>
<hr />
<div>[[Category:Emulation]]<br />
[[Category:Gaming]]<br />
[[ja:Bottles]]<br />
Bottles is a [[Wine]] prefix manager written in [[Python]] using the [[GTK]] framework. It can be used to create and manage Wine prefixes as well as automatically handling the installation of various Wine runners, Windows dependencies and installation of some Windows applications. It can also be used to override Windows DLL files inside a prefix and manage environment variables for Wine sessions.<br />
<br />
It can be used to run native Windows applications and games with, in most cases, near-native performance. In its officially supported mode it also supports application sandboxing.<br />
<br />
{{Note|The Bottles developers '''STRONGLY''' recommend that users install Bottles through [[Flatpak]] as it is used for sandboxing.}}<br />
<br />
== Installation ==<br />
<br />
Install Bottles from Flatpak using the following command:<br />
<br />
$ flatpak install bottles<br />
<br />
== Usage ==<br />
<br />
Bottles has a thorough guide covering its usage at [https://docs.usebottles.com/ Bottles User Documentation].<br />
<br />
== See also ==<br />
<br />
* [https://usebottles.com/ Project homepage]<br />
* [https://github.com/bottlesdevs/Bottles Project Github page]<br />
* [https://docs.usebottles.com/ Project documentation]</div>Kynikoshttps://wiki.archlinux.org/index.php?title=Reposilite&diff=771191Reposilite2023-03-05T08:27:48Z<p>Kynikos: add category</p>
<hr />
<div>[[Category:Development]]<br />
[[ja:Reposilite]]<br />
From [https://github.com/dzikoysk/reposilite Reposilite], reposilite is a:<br />
<br />
:Lightweight and easy-to-use repository manager for Maven based artifacts in JVM ecosystem. This is simple, extensible and scalable self-hosted solution to replace managers like Nexus, Archiva or Artifactory, with reduced resources consumption. <br />
<br />
== Installation ==<br />
<br />
[[Install]] {{AUR|reposilite}}. ''reposilite'' is also available on [[Unofficial user repositories#PolarRepo|PolarRepo]].<br />
<br />
== Package contents ==<br />
<br />
=== Configuration ===<br />
Configuration files are located in {{ic|/etc/reposilite}}:<br />
* {{ic|default.env}}: configuration variables used to run reposilite (allocated memory, user, working directory, configuration location)<br />
* {{ic|reposilite.cdn}}: main reposilite configuration file<br />
<br />
=== Data directory ===<br />
Reposilite data is stored in {{ic|/var/lib/reposilite}}. This includes the default shared configuration database as well as the contents of the repositories.<br />
<br />
=== Service files ===<br />
The package includes a systemd service file, {{ic|reposilite.service}}. It is not enabled by default.<br />
<br />
== Getting started ==<br />
<br />
Reposilite does the majority of its configuration through the web interface. When you first install reposilite you will not have any user to log in as (reposilite designates users as "tokens"). Before creating the first token, ensure that {{ic|reposilite.service}} is [[stop]]ped.<br />
<br />
Run the reposilite binary as root:<br />
<br />
# /usr/bin/reposilite<br />
<br />
This will start the server and a CLI interface in the terminal. The next set of commands will be run from the CLI (we will use {{ic|!}} to indicate that these commands are run in the reposilite CLI):<br />
<br />
! token-generate ''username'' m<br />
<br />
Remember to replace ''username'' with the desired username. It is best to let reposilite generate a secure token for you, but if you wish to use your own token, you can use the following command:<br />
<br />
! token-generate --secret="''your password''" ''username'' m<br />
<br />
{{Warning|Do not use a weak token. If it is too easy to break, an attacker could break into your reposilite server and potentially gain access to your server's filesystem!}}<br />
<br />
{{Note|The trailing "m" character gives the user manager permissions (commonly known as an administrator, or root user, within other applications). This allows the user to configure reposilite, so keep this user safe!}}<br />
<br />
Now that you have generated the username (if you let reposilite generate your token, make sure to copy it down securely; a password manager is recommended), you can stop the reposilite server using the following command:<br />
<br />
! stop<br />
<br />
Reposilite will then shut down gracefully and detach from your terminal.<br />
<br />
You can now [[start/enable]] {{ic|reposilite.service}} and you will be able to access the reposilite web interface over {{ic|http://127.0.0.1:8080}}.</div>Kynikoshttps://wiki.archlinux.org/index.php?title=Inkscape&diff=764184Inkscape2023-01-15T05:38:52Z<p>Kynikos: :Category:Image is already inside :Category:Multimedia, remove the latter</p>
<hr />
<div>[[Category:Image]]<br />
[[de:Inkscape]]<br />
[[ja:Inkscape]]<br />
[[zh-hans:Inkscape]]<br />
[https://inkscape.org/ Inkscape] is a vector graphics editor application. It is distributed under a free software license, the GNU GPL. Its stated goal is to become a powerful graphics tool while being fully compliant with the XML, SVG, and CSS standards.<br />
<br />
== Installation ==<br />
<br />
[[Install]] the {{pkg|inkscape}} package. For the development version, install the {{AUR|inkscape-git}} package.<br />
<br />
== Troubleshooting ==<br />
<br />
=== Pan using spacebar and mouse does not work ===<br />
{{Move|libinput|This setting is not Inkscape specific}}<br />
By default, [[libinput]] disables the touchpad while typing. You can turn this behaviour off by adding the following line to the {{ic|InputClass}} section of {{ic|/etc/X11/xorg.conf.d/30-touchpad.conf}}:<br />
<br />
Section "InputClass"<br />
...<br />
...<br />
Option "DisableWhileTyping" "0"<br />
EndSection<br />
<br />
== See also ==<br />
<br />
* [[List of applications/Multimedia]]<br />
* [[Wikipedia:Inkscape|Inkscape at Wikipedia]]</div>Kynikoshttps://wiki.archlinux.org/index.php?title=Xournal%2B%2B&diff=764183Xournal++2023-01-15T05:37:59Z<p>Kynikos: add category</p>
<hr />
<div>[[Category:Applications]]<br />
[https://github.com/xournalpp/xournalpp Xournal++] is an open source handwriting app written in C++ that supports annotation of PDF files. It is a rewrite of Xournal intended to be more efficient and to enhance the functionality, while remaining backwards compatible with Xournal: it is able to read and edit Xournal files (.xoj).<br />
<br />
== Installation ==<br />
<br />
[[Install]] {{Pkg|xournalpp}}.<br />
<br />
== Troubleshooting ==<br />
<br />
=== Why has the pdf background disappeared after moving files? ===<br />
<br />
Xournal++ currently does not support embedding the PDF within its files, so the PDF and the {{ic|.xopp}} file must be kept together, otherwise the PDF background will disappear. This is currently being worked on; find the issue on [https://github.com/xournalpp/xournalpp/issues/937 GitHub].<br />
<br />
=== Can Xournal read Xournal++ files (.xopp)? ===<br />
<br />
Theoretically yes. According to the developers the file format is the same; however, {{ic|.xopp}} files store new features which are not included in Xournal, so as long as only features supported in both Xournal and Xournal++ are used, the file should be interchangeable between applications.<br />
<br />
However, Xournal++ can export `.xopp` files as `.xoj` files to convert from Xournal++ to Xournal.</div>Kynikoshttps://wiki.archlinux.org/index.php?title=Onedev&diff=764182Onedev2023-01-15T05:27:33Z<p>Kynikos: add categories</p>
<hr />
<div>[[Category:Git web interfaces]]<br />
[[Category:Servers]]<br />
OneDev is an open source git server written in Java and developed by a single developer. OneDev provides powerful search and navigation, easy to use CI/CD, searching through codebases using regular expressions, and integrated Kanban support.<br />
<br />
Unlike other git servers such as [https://about.gitlab.com/ GitLab], OneDev currently does not provide any publicly available instances, so it must be self-hosted.<br />
<br />
== Installation ==<br />
<br />
[[Install]] {{AUR|onedev}}.<br />
<br />
== Configuration ==<br />
<br />
OneDev has very limited file-based configuration, because the majority of the configuration is done through the web interface. The configuration file can be found under {{ic|/opt/onedev/conf/server.properties}}.<br />
<br />
=== Default configuration ===<br />
<br />
{{hc|/opt/onedev/conf/server.properties|<br />
# Specify http port to access the server<br />
http_port{{=}}6610<br />
<br />
# Specify port for embedded ssh server that will enable ssh based services such as <br />
# git over ssh <br />
ssh_port{{=}}6611<br />
<br />
# path to directory containing CA PEM files to be trusted by OneDev. Non-absolute path is <br />
# considered to be relative to OneDev conf directory <br />
#trust_certs{{=}}trust-certs<br />
<br />
# Specify ip address for clustering. Leave empty to detect automatically <br />
# cluster_ip{{=}}<br />
<br />
# Specify port for clustering<br />
cluster_port{{=}}5701<br />
}}<br />
<br />
=== Reverse proxy ===<br />
<br />
By default, OneDev listens on port {{ic|6610}} for HTTP connections. In order to securely access OneDev, a reverse proxy should be set up. [[nginx]] is recommended over another web server such as [[Apache HTTP Server]] as it is faster and more lightweight.<br />
<br />
Before configuring a reverse proxy you must have a functional nginx install; see [[nginx]] for installation. Once nginx is installed, you can use the following configuration to reverse proxy OneDev:<br />
<br />
{{hc|/etc/nginx/sites-enabled/onedev|<br />
server {<br />
listen 443 ssl;<br />
server_name onedev.foo.com;<br />
<br />
# SSL certificates<br />
ssl_certificate /path/to/your/fullchain;<br />
ssl_certificate_key /path/to/your/key;<br />
<br />
location / {<br />
proxy_pass http://127.0.0.1:6610;<br />
}<br />
}<br />
}}<br />
<br />
Replace {{ic|server_name}} with your domain name. <br><br />
Replace {{ic|ssl_certificate}} with the path to your fullchain file. <br><br />
Replace {{ic|ssl_certificate_key}} with the path to your private key file.<br />
<br />
==== Issuing SSL certificate ====<br />
<br />
For issuing SSL certificates, use [[Acme.sh]], as it allows automatic renewal and is a lot more user friendly than [[Certbot]]; however, the ACME client you use is a matter of personal preference.<br />
<br />
==== Firewall ====<br />
<br />
If you are using a firewall such as [[ufw]], you will need to open port 443 to allow traffic to pass through to OneDev:<br />
<br />
{{ic|ufw allow 443}}<br />
<br />
This has to be run as root, or prefixed with {{ic|doas}} (if you are using [[doas]]) or {{ic|sudo}} (if you are using [[sudo]]).<br />
<br />
==== Accessing OneDev from your domain ====<br />
<br />
In order to access your OneDev instance using the domain over HTTPS, you need to point your domain towards your server. Add an A record (or an AAAA record for IPv6 support) with your DNS provider for the {{ic|server_name}} specified in your nginx configuration. The record must point to the IP address of the server running nginx, not the server running OneDev.</div>Kynikoshttps://wiki.archlinux.org/index.php?title=Bubblewrap/Examples&diff=761401Bubblewrap/Examples2022-12-18T07:11:55Z<p>Kynikos: root section duplicated title, removed</p>
<hr />
<div>[[Category:Sandboxing]]<br />
[[Category:Kernel]]<br />
== dhcpcd ==<br />
<br />
Create a simple [[dhcpcd]] sandbox: <br />
* Determine available kernel namespaces<br />
$ ls /proc/self/ns <br />
cgroup ipc mnt net pid uts<br />
{{Note|The absence of {{Ic|user}} indicates that the kernel has been built with {{ic|1=CONFIG_USER_NS=n}} or is user namespace restricted.}}<br />
<br />
* Bind as read-write the entire host {{ic|/}} directory to {{ic|/}} in the sandbox <br />
* Mount a new devtmpfs filesystem to {{ic|/dev}} in the sandbox<br />
* Create new [[wikipedia:Inter-process_communication|IPC]] and [[control group]] namespaces<br />
* Create a new UTS namespace and set {{ic|dhcpcd}} as the hostname<br />
<br />
# /usr/bin/bwrap --bind / / --dev /dev --unshare-ipc --unshare-cgroup --unshare-uts --hostname dhcpcd /usr/bin/dhcpcd -q -b<br />
<br />
== Unbound ==<br />
<br />
Create a more granular and complex [[Unbound]] sandbox: <br />
* Bind as read-only the system {{ic|/usr}} directory to {{ic|/usr}} in the sandbox <br />
* Create a symbolic link from the system {{ic|/usr/lib}} directory to {{ic|/lib64}} in the sandbox <br />
* Bind as read-only the system {{ic|/etc}} directory to {{ic|/etc}} in the sandbox<br />
* Create empty {{ic|/var}} and {{ic|/run}} directories within the sandbox<br />
* Mount a new devtmpfs filesystem to {{ic|/dev}} in the sandbox<br />
* Create new IPC and [[wikipedia:Process_identifier|PID]] and control group namespaces<br />
* Create a new UTS namespace and set {{ic|unbound}} as the hostname<br />
<br />
# /usr/bin/bwrap --ro-bind /usr /usr --symlink usr/lib /lib64 --ro-bind /etc /etc --dir /var --dir /run --dev /dev --unshare-ipc --unshare-pid --unshare-cgroup --unshare-uts --hostname unbound /usr/bin/unbound -d<br />
<br />
{{Tip|See [[systemd#Editing provided units]] to enable the bubblewrapping of systemd unit files including {{ic|unbound.service}}}}<br />
<br />
== Desktop ==<br />
<br />
Leverage Bubblewrap within [[desktop entries]]:<br />
* Bind as read-write the entire host {{ic|/}} directory to {{ic|/}} in the sandbox<br />
* Re-bind as read-only the {{ic|/var}} and {{ic|/etc}} directories in the sandbox<br />
* Mount a new devtmpfs filesystem to {{ic|/dev}} in the sandbox<br />
* Create a tmpfs filesystem over the sandboxed {{ic|/run}} directory<br />
* Disable network access by creating new network namespace<br />
<br />
[Desktop Entry]<br />
Name=nano Editor<br />
Exec=bwrap --bind / / --ro-bind /var /var --ro-bind /etc /etc --dev /dev --tmpfs /run --unshare-net st -e nano -o . %f<br />
Type=Application<br />
MimeType=text/plain;<br />
{{Note|{{Ic|--dev /dev}} is required to write to {{Ic|/dev/pty}}}}<br />
<br />
* Example MuPDF desktop entry incorporating a {{Ic|mupdf.sh}} shell wrapper:<br />
<br />
[Desktop Entry]<br />
Name=MuPDF<br />
Exec=mupdf.sh %f<br />
Icon=application-pdf.svg<br />
Type=Application<br />
MimeType=application/pdf;application/x-pdf;<br />
<br />
{{Note|Ensure that {{Ic|mupdf.sh}} is located within your executable PATH e.g. {{Ic|1=PATH=$PATH:$HOME/bwrap}}}}<br />
<br />
== MuPDF ==<br />
<br />
The power and flexibility of ''bwrap'' is best revealed when used to create an environment within a shell wrapper:<br />
<br />
* Bind as read-only the host {{ic|/usr/bin}} directory to {{ic|/usr/bin}} in the sandbox <br />
* Bind as read-only the host {{ic|/usr/lib}} directory to {{ic|/usr/lib}} in the sandbox <br />
* Create a symbolic link from the system {{ic|/usr/lib}} directory to {{ic|/lib64}} in the sandbox <br />
* Create a [[tmpfs]] filesystem overlaying {{ic|/usr/lib/gcc}} in the sandbox<br />
** This effectively [[wikipedia:Blacklist_(computing)|blacklists]] the contents of {{ic|/usr/lib/gcc}} from appearing in the sandbox<br />
* Create a new tmpfs filesystem as the {{ic|$HOME}} directory in the sandbox<br />
* Bind as read-only an {{Ic|.Xauthority}} file and ''Documents'' directory into the sandbox<br />
** This effectively whitelists the {{Ic|.Xauthority}} file and ''Documents'' directory with recursion<br />
* Create a new tmpfs filesystem as the {{ic|/tmp}} directory in the sandbox<br />
* Whitelist the [[wikipedia:X_Window_System|X11]] socket by binding it into the sandbox as read-only<br />
* Clone and create private containers for all namespaces supported by the running kernel<br />
** If the kernel does not support non-privileged user namespaces, skip its creation and continue<br />
* Do not place network components into a private namespace<br />
** This allows for network access to follow URI hyperlinks<br />
<br />
#!/bin/sh<br />
#~/bwrap/mupdf.sh<br />
(exec bwrap \<br />
--ro-bind /usr/bin /usr/bin \<br />
--ro-bind /usr/lib /usr/lib \<br />
--symlink usr/lib /lib64 \<br />
--tmpfs /usr/lib/gcc \<br />
--tmpfs $HOME \<br />
--ro-bind $HOME/.Xauthority $HOME/.Xauthority \<br />
--ro-bind $HOME/Documents $HOME/Documents \<br />
--tmpfs /tmp \<br />
--ro-bind /tmp/.X11-unix/X0 /tmp/.X11-unix/X0 \<br />
--unshare-all \<br />
--share-net \<br />
/usr/bin/mupdf "$@")<br />
<br />
{{Tip|Execute a shell wrapper substituting the existing executable with ''/usr/bin/sh'' to debug and verify the contents and filesystem structure of the sandbox.}}<br />
<br />
$ bwrap \<br />
--ro-bind /usr/bin /usr/bin \<br />
--ro-bind /usr/lib /usr/lib \<br />
--symlink usr/lib /lib64 \<br />
--tmpfs /usr/lib/gcc \<br />
--tmpfs $HOME \<br />
--ro-bind $HOME/.Xauthority $HOME/.Xauthority \<br />
--ro-bind $HOME/Documents $HOME/Documents \<br />
--tmpfs /tmp \<br />
--ro-bind /tmp/.X11-unix/X0 /tmp/.X11-unix/X0 \<br />
--unshare-all \<br />
--share-net \<br />
/usr/bin/sh<br />
bash-4.4$ ls -AF<br />
.Xauthority Documents/<br />
<br />
Perhaps the most important rule to consider when building a bubblewrapped filesystem is that ''commands are executed in the order they appear''. From the [https://mupdf.com/ MuPDF] example above:<br />
<br />
* A tmpfs filesystem is created, followed by the bind mounting of an {{Ic|.Xauthority}} file and a ''Documents'' directory, so both are visible within the sandbox:<br />
--tmpfs $HOME \<br />
--ro-bind $HOME/.Xauthority $HOME/.Xauthority \<br />
--ro-bind $HOME/Documents $HOME/Documents \<br />
<br />
bash-4.4$ ls -a<br />
. .. .Xauthority Documents<br />
<br />
* A tmpfs filesystem is created after the bind mounting of {{Ic|.Xauthority}} and overlays it so that only the ''Documents'' directory is visible within the sandbox:<br />
<br />
--ro-bind $HOME/.Xauthority $HOME/.Xauthority \<br />
--tmpfs $HOME \<br />
--ro-bind $HOME/Documents $HOME/Documents \<br />
<br />
bash-4.4$ ls -a<br />
. .. Documents<br />
<br />
== p7zip ==<br />
<br />
Applications which have not yet been patched against [https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-9296 known vulnerabilities] constitute prime candidates for bubblewrapping:<br />
<br />
* Bind as read-only the host {{ic|/usr/bin/7za}} executable path to the sandbox <br />
* Create a symbolic link from the system {{ic|/usr/lib}} directory to {{ic|/lib64}} in the sandbox <br />
* Blacklist the sandboxed contents of {{ic|/usr/lib/modules}} and {{ic|/usr/lib/systemd}} with tmpfs overlays<br />
* Mount a new devtmpfs filesystem to {{ic|/dev}} in the sandbox<br />
* Bind as read-write the host {{ic|/sandbox}} directory to the {{ic|/sandbox}} directory in the sandbox<br />
** ''7za'' will only run in the host {{ic|/sandbox}} directory and/or its subdirectories when called from the shell wrapper<br />
* Create new cgroup/IPC/network/PID/UTS namespaces for the application and its processes<br />
** If the kernel does not support non-privileged user namespaces, skip its creation and continue<br />
** Creation of a new network namespace prevents the sandbox from obtaining network access <br />
* Add a custom or an arbitrary [[hostname]] to the sandbox such as {{ic|p7zip}}<br />
* Unset the {{ic|XAUTHORITY}} [[environment variable]] to hide the location of the X11 connection cookie<br />
** ''7za'' does not need to connect to an X11 display server to function properly<br />
* Start a new terminal session to prevent keyboard input from escaping the sandbox <br />
<br />
#!/bin/sh<br />
#~/bwrap/p7zip.sh<br />
(exec bwrap \<br />
--ro-bind /usr/bin/7za /usr/bin/7za \<br />
--symlink usr/lib /lib64 \<br />
--tmpfs /usr/lib/modules \<br />
--tmpfs /usr/lib/systemd \<br />
--dev /dev \<br />
--bind /sandbox /sandbox \<br />
--unshare-all \<br />
--hostname p7zip \<br />
--unsetenv XAUTHORITY \<br />
--new-session \<br />
/usr/bin/7za "$@")<br />
<br />
{{Note|''/usr/bin/sh'' and ''/usr/bin/ls'' must reside in the executable path in order to traverse and verify the sandbox filesystem.}}<br />
<br />
bwrap \<br />
--ro-bind /usr/bin/7za /usr/bin/7za \<br />
'''--ro-bind /usr/bin/ls /usr/bin/ls \'''<br />
'''--ro-bind /usr/bin/sh /usr/bin/sh \'''<br />
--symlink usr/lib /lib64 \<br />
--tmpfs /usr/lib/modules \<br />
--tmpfs /usr/lib/systemd \<br />
--dev /dev \<br />
--bind /sandbox /sandbox \<br />
--unshare-all \<br />
--hostname p7zip \<br />
--unsetenv XAUTHORITY \<br />
--new-session \<br />
/usr/bin/sh<br />
bash: no job control in this shell<br />
bash-4.4$ ls -AF <br />
dev/ lib64@ usr/<br />
bash-4.4$ ls -l /usr/lib/modules <br />
total 0<br />
bash-4.4$ ls -l /usr/lib/systemd<br />
total 0<br />
bash-4.4$ ls -AF /dev<br />
console full null ptmx@ pts/ random shm/ stderr@ stdin@ stdout@ tty urandom zero<br />
bash-4.4$ ls -A /usr/bin<br />
7za ls sh<br />
<br />
== Firefox ==<br />
<br />
Network-facing applications with large attack surfaces are also ideal candidates to be bubblewrapped:<br />
<br />
* [[Transmission]] included in the sandbox to launch with magnet and torrent links<br />
* Example wrap supports audio ([[PulseAudio]]) and printing ([[CUPS]]/[[Avahi]]) under [[GNOME]] ([[Wayland]])<br />
** Paths in {{ic|~/.config/transmission/settings.json}} should reflect the {{ic|--setenv HOME}} variable<br />
* Full paths are used to allow for keyboard bindings in environments which do not support variable expansion.<br />
* [[Firefox#Hardware video acceleration|WebRenderer]] and hardware (accelerated) compositing support included<br />
<br />
bwrap \<br />
--symlink usr/lib /lib \<br />
--symlink usr/lib64 /lib64 \<br />
--symlink usr/bin /bin \<br />
--symlink usr/bin /sbin \<br />
--ro-bind /usr/lib /usr/lib \<br />
--ro-bind /usr/lib64 /usr/lib64 \<br />
--ro-bind /usr/bin /usr/bin \<br />
--ro-bind /usr/lib/firefox /usr/lib/firefox \<br />
--ro-bind /usr/share/applications /usr/share/applications \<br />
--ro-bind /usr/share/gtk-3.0 /usr/share/gtk-3.0 \<br />
--ro-bind /usr/share/fontconfig /usr/share/fontconfig \<br />
--ro-bind /usr/share/icu /usr/share/icu \<br />
--ro-bind /usr/share/drirc.d /usr/share/drirc.d \<br />
--ro-bind /usr/share/fonts /usr/share/fonts \<br />
--ro-bind /usr/share/glib-2.0 /usr/share/glib-2.0 \<br />
--ro-bind /usr/share/glvnd /usr/share/glvnd \<br />
--ro-bind /usr/share/icons /usr/share/icons \<br />
--ro-bind /usr/share/libdrm /usr/share/libdrm \<br />
--ro-bind /usr/share/mime /usr/share/mime \<br />
--ro-bind /usr/share/X11/xkb /usr/share/X11/xkb \<br />
--ro-bind /etc/fonts /etc/fonts \<br />
--ro-bind /etc/resolv.conf /etc/resolv.conf \<br />
--ro-bind /usr/share/ca-certificates /usr/share/ca-certificates \<br />
--ro-bind /etc/ssl /etc/ssl \<br />
--ro-bind /etc/ca-certificates /etc/ca-certificates \<br />
--dir /run/user/"$(id -u)" \<br />
--ro-bind /run/user/"$(id -u)"/pulse /run/user/"$(id -u)"/pulse \<br />
--ro-bind /run/user/"$(id -u)"/wayland-1 /run/user/"$(id -u)"/wayland-1 \<br />
--dev /dev \<br />
--dev-bind /dev/dri /dev/dri \<br />
--ro-bind /sys/dev/char /sys/dev/char \<br />
--ro-bind /sys/devices/pci0000:00 /sys/devices/pci0000:00 \<br />
--proc /proc \<br />
--tmpfs /tmp \<br />
--bind /home/example/.mozilla /home/example/.mozilla \<br />
--bind /home/example/.config/transmission /home/example/.config/transmission \<br />
--bind /home/example/Downloads /home/example/Downloads \<br />
--setenv HOME /home/example \<br />
--setenv GTK_THEME Adwaita:dark \<br />
--setenv MOZ_ENABLE_WAYLAND 1 \<br />
--setenv PATH /usr/bin \<br />
--hostname RESTRICTED \<br />
--unshare-all \<br />
--share-net \<br />
--die-with-parent \<br />
--new-session \<br />
/usr/bin/firefox<br />
<br />
=== Enhancing privacy ===<br />
<br />
* Further restrictions can be made by removing specific entries<br />
** Remove the following entry to remove audio support:<br />
<br />
--ro-bind /run/user/"$(id -u)"/pulse /run/user/"$(id -u)"/pulse \<br />
<br />
* {{ic|/sandbox}} represents an arbitrary location defined by the user to hold desired profile information<br />
** This allows for the use of a [[Firefox/Privacy#Sanitized profiles|sanitized profile]] copied into {{ic|/sandbox}} via a script/cron job or manually e.g.<br />
<br />
$ cp -pR ~/.mozilla /sandbox/<br />
<br />
The location can be a network share, a USB mount, or a local filesystem or [[Firefox/Profile on RAM|ramfs/tmpfs location]]<br />
<br />
* Set {{ic|/home/r}} to obscure the actual {{ic|/home/example}}<br />
* Set new user ID and group ID values<br />
<br />
{{Note|Ensure that the selected UID and GID do not conflict with existing values listed in {{ic|/etc/passwd}} and {{ic|/etc/group}}.}}<br />
<br />
bwrap \<br />
....<br />
--bind /sandbox/.mozilla /home/r/.mozilla \<br />
--bind /sandbox/Downloads /home/r/Downloads \<br />
...<br />
--setenv HOME /home/r \<br />
...<br />
--uid 200 --gid 400 \<br />
...<br />
/usr/bin/firefox --no-remote --private-window<br />
<br />
== Chromium ==<br />
<br />
A simple [[Chromium]] sandbox under [[Wayland]] with [[PipeWire]]:<br />
<br />
{{bc|1=<br />
bwrap \<br />
--symlink usr/lib /lib \<br />
--symlink usr/lib64 /lib64 \<br />
--symlink usr/bin /bin \<br />
--symlink usr/bin /sbin \<br />
--ro-bind /usr/lib /usr/lib \<br />
--ro-bind /usr/lib64 /usr/lib64 \<br />
--ro-bind /usr/bin /usr/bin \<br />
--ro-bind /etc /etc \<br />
--ro-bind /usr/lib/chromium /usr/lib/chromium \<br />
--ro-bind /usr/share /usr/share \<br />
--dev /dev \<br />
--dev-bind /dev/dri /dev/dri \<br />
--proc /proc \<br />
--ro-bind /sys/dev/char /sys/dev/char \<br />
--ro-bind /sys/devices /sys/devices \<br />
--ro-bind /run/dbus /run/dbus \<br />
--dir "$XDG_RUNTIME_DIR" \<br />
--ro-bind "$XDG_RUNTIME_DIR/wayland-1" "$XDG_RUNTIME_DIR/wayland-1" \<br />
--ro-bind "$XDG_RUNTIME_DIR/pipewire-0" "$XDG_RUNTIME_DIR/pipewire-0" \<br />
--ro-bind "$XDG_RUNTIME_DIR/pulse" "$XDG_RUNTIME_DIR/pulse" \<br />
--tmpfs /tmp \<br />
--dir $HOME/.cache \<br />
--bind $HOME/.config/chromium $HOME/.config/chromium \<br />
--bind $HOME/Downloads $HOME/Downloads \<br />
/usr/bin/chromium --enable-features=UseOzonePlatform --ozone-platform=wayland<br />
}}<br />
<br />
{{Warning|If you are using the {{pkg|linux-hardened}} kernel, you will not be able to use bubblewrap to sandbox chromium due to the {{ic|kernel.unprivileged_userns_clone}} [[sysctl]] being set to 0. You can set it to 1, however, this is not recommended {{Bug|36969}}.<br />
One alternative solution is to have chromium use the namespace created by bubblewrap. This can be achieved through {{AUR|zypak}} which is also used by flatpak to run electron based apps inside an additional namespace. Example code that demonstrates how to use zypak with chromium/electron can be found [https://github.com/valoq/bwscripts/blob/master/profiles/signal-desktop here]<br />
}}<br />
<br />
* [[PipeWire]]: {{ic|--ro-bind "$XDG_RUNTIME_DIR/pipewire-0" "$XDG_RUNTIME_DIR/pipewire-0" \}}<br />
** If you are not using pipewire, feel free to remove this line<br />
* {{ic|--bind $HOME/.config/chromium $HOME/.config/chromium \}} mounts your chromium configuration directory in the sandbox as readable and writable<br />
* {{ic|--bind $HOME/Downloads $HOME/Downloads \}} mounts your ~/Downloads directory in the sandbox as readable and writable<br />
* This example can be further improved for more isolation.<br />
<br />
== Skype for Linux ==<br />
<br />
{{AUR|skypeforlinux-stable-bin}} should be started with {{ic|/usr/share/skypeforlinux/skypeforlinux}} instead of {{ic|/usr/bin/skypeforlinux}}, because the latter is just a wrapper script which forks the main process in the background and terminates, which conflicts with the {{ic|--die-with-parent}} ''bwrap'' option.<br />
<br />
The following example provides these features:<br />
<br />
* {{ic|env -i}} ensures that all environment variables are unset.<br />
* Network is shared with the host ({{ic|--share-net}}), {{ic|/etc/resolv.conf}} is bind-mounted.<br />
* [[Xorg]] access: bind the {{ic|/tmp/.X11-unix/X0}} socket, set {{ic|$DISPLAY}}.<br />
* [[D-Bus]]: bind the {{ic|/run/user/$UID/bus}} socket, set {{ic|$DBUS_SESSION_BUS_ADDRESS}}.<br />
* Audio: bind the [[PulseAudio]] socket.<br />
* Video: dev-bind the {{ic|/dev/video0}} device.<br />
<br />
The directory on the host where you want to keep the Skype profile can be configured with {{ic|$HOST_PROFILE_PATH}}.<br />
<br />
{{bc|1=<br />
env -i bwrap \<br />
--ro-bind /usr /usr \<br />
--dir /home/r \<br />
--dir /tmp \<br />
--dir /var \<br />
--dir /run/user/$UID \<br />
--proc /proc \<br />
--dev /dev \<br />
--symlink usr/lib /lib \<br />
--symlink usr/lib64 /lib64 \<br />
--symlink usr/bin /bin \<br />
--symlink usr/sbin /sbin \<br />
--symlink ../tmp /var/tmp \<br />
--bind "$HOST_PROFILE_PATH" /home/r/.config/skypeforlinux \<br />
--ro-bind /etc/resolv.conf /etc/resolv.conf \<br />
--ro-bind /tmp/.X11-unix/X0 /tmp/.X11-unix/X0 \<br />
--ro-bind /run/user/$UID/bus /run/user/$UID/bus \<br />
--ro-bind /run/user/$UID/pulse /run/user/$UID/pulse \<br />
--dev-bind /dev/video0 /dev/video0 \<br />
--chdir / \<br />
--unshare-all \<br />
--share-net \<br />
--hostname RESTRICTED \<br />
--die-with-parent \<br />
--new-session \<br />
--setenv PATH /usr/bin \<br />
--setenv HOME /home/r \<br />
--setenv XDG_RUNTIME_DIR "/run/user/$UID" \<br />
--setenv DISPLAY "$DISPLAY" \<br />
--setenv DBUS_SESSION_BUS_ADDRESS "unix:path=/run/user/$UID/bus" \<br />
/usr/share/skypeforlinux/skypeforlinux<br />
}}<br />
<br />
== Filesystem isolation ==<br />
<br />
{{Warning|It is the bubblewrap user’s responsibility to update the filesystem trees regularly.}}<br />
<br />
To further hide the contents of the file system (such as those in {{ic|/var}}, {{ic|/usr/bin}} and {{ic|/usr/lib}}) and to sandbox even the installation of software, pacman can be made to install Arch packages into isolated filesystem trees.<br />
<br />
In order to use pacman for installing software into the filesystem trees, you will need to install {{Pkg|fakeroot}} and {{Pkg|fakechroot}}.<br />
<br />
Suppose you want to install the {{ic|xterm}} package with pacman into an isolated filesystem tree. You should prepare your tree like this:<br />
<br />
$ MYPACKAGE=xterm<br />
$ mkdir -p ~/sandboxes/${MYPACKAGE}/files/var/lib/pacman<br />
$ mkdir -p ~/sandboxes/${MYPACKAGE}/files/etc<br />
$ cp /etc/pacman.conf ~/sandboxes/${MYPACKAGE}/files/etc/pacman.conf<br />
<br />
You may want to edit {{ic|~/sandboxes/${MYPACKAGE}/files/etc/pacman.conf}} and adjust the pacman configuration used:<br />
<br />
* Remove any undesired custom repositories and {{ic|IgnorePkg}}, {{ic|IgnoreGroup}}, {{ic|NoUpgrade}} and {{ic|NoExtract}} settings that are needed only for the host system.<br />
* You may need to remove the {{ic|CheckSpace}} option so pacman will not complain about errors finding the root filesystem for checking disk space.<br />
<br />
Then install the {{ic|base}} group along with the needed fakeroot into the isolated filesystem tree:<br />
<br />
$ fakechroot fakeroot pacman -Syu \<br />
--root ~/sandboxes/${MYPACKAGE}/files \<br />
--dbpath ~/sandboxes/${MYPACKAGE}/files/var/lib/pacman \<br />
--config ~/sandboxes/${MYPACKAGE}/files/etc/pacman.conf \<br />
base fakeroot<br />
<br />
Since you will be repeatedly calling bubblewrap with the same options, make an alias:<br />
<br />
$ alias bw-install='bwrap \<br />
--bind ~/sandboxes/${MYPACKAGE}/files/ / \<br />
--ro-bind /etc/resolv.conf /etc/resolv.conf \<br />
--tmpfs /tmp \<br />
--proc /proc \<br />
--dev /dev \<br />
--chdir / '<br />
<br />
You will need to set up the [[Locale|locales]] by [[textedit|editing]] {{ic|~/sandboxes/${MYPACKAGE}/files/etc/locale.gen}} and running: <br />
<br />
$ bw-install locale-gen<br />
<br />
Then set up pacman’s keyring:<br />
<br />
$ bw-install fakeroot pacman-key --init<br />
$ bw-install fakeroot pacman-key --populate<br />
<br />
Now you can install the desired {{ic|xterm}} package.<br />
<br />
$ bw-install fakeroot pacman -S ${MYPACKAGE}<br />
<br />
If the pacman command fails here, try running the command for populating the keyring again.<br />
<br />
Congratulations. You now have an isolated filesystem tree containing {{ic|xterm}}. You can use {{ic|bw-install}} again to upgrade your filesystem tree.<br />
<br />
You can now run your software with bubblewrap. {{ic|''command''}} should be {{ic|xterm}} in this case.<br />
<br />
$ bwrap \<br />
--ro-bind ~/sandboxes/${MYPACKAGE}/files/ / \<br />
--ro-bind /etc/resolv.conf /etc/resolv.conf \<br />
--tmpfs /tmp \<br />
--proc /proc \<br />
--dev /dev \<br />
--chdir / \<br />
''command''<br />
<br />
Note that some files can be shared between packages. You can hardlink to all files of an existing parent filesystem tree to reuse them in a new tree:<br />
<br />
$ cp -al ~/sandboxes/${MYPARENTPACKAGE} ~/sandboxes/${MYPACKAGE}<br />
<br />
Then proceed with the installation as usual by calling pacman from {{ic|bw-install fakechroot fakeroot pacman …}}.</div>Kynikoshttps://wiki.archlinux.org/index.php?title=Windows_PE/Tips_and_tricks&diff=761400Windows PE/Tips and tricks2022-12-18T07:10:06Z<p>Kynikos: categorize like parent</p>
<hr />
<div>[[Category:System administration]]<br />
== Update Intel Management Engine firmware ==<br />
<br />
You can use [[Windows PE]] in order to install updates for firmware such as [[Wikipedia:Intel_Management_Engine|Intel ME]] if your hardware manufacturer only provides Windows binaries, and you cannot update via [[Fwupd]].<br />
<br />
You will need to download:<br />
* your manufacturer's Intel ME update tool<br />
* drivers for the Intel Management Engine<br />
<br />
Store both extracted archives in a folder, e.g.<br />
<br />
''/vendor_files''<br />
├── ''me_driver''<br />
└── ''update_tool''<br />
<br />
{{Note|You might need to use [[Wine]] and/or {{Pkg|cabextract}} in order to extract the drivers, according to how they are packaged.<br />
}}<br />
<br />
Proceed with [[Windows PE#Creating a bootable Windows PE image]], but make sure to:<br />
* choose a Windows PE version for which your device vendor provides Intel ME drivers, i.e. 32-bit or 64-bit. <br />
* include the device drivers and update tool with {{ic|--overlay}}, e.g.: <br />
$ mkwinpeimg --iso --windows-dir=/media/winimg --overlay=''vendor_files'' winpe.iso<br />
<br />
Proceed with [[Windows PE#Booting Windows PE]], then load the drivers with<br />
X:\Windows\System32>cd \<br />
X:\>drvload ''me_driver''\...\heci.inf<br />
<br />
Finally, update the Intel ME firmware by using the update tool.<br />
<br />
{{Tip|You can use the [https://www.intel.com/content/www/us/en/download/19392/intel-converged-security-and-management-engine-version-detection-tool-intel-csmevdt.html Intel CSME version detection tool] to check for vulnerabilities}}<br />
<br />
== Custom Windows PE images ==<br />
<br />
Tools like [https://www.hirensbootcd.org/download/ Hiren's BootCD] and others include Windows PE and are around half the size (~2.8GB) of a full Windows ISO. They are often fuller featured boot environments and can include Internet Explorer, which may be helpful to look up {{ic|bcdedit}} or {{ic|bootrec}} commands to repair Windows boot manager.<br />
<br />
Hiren's BootCD is already bootable; it only needs to be written to a USB drive.<br />
<br />
dd bs=4M if=./HBCD_PE_x64.iso of=/dev/sdX status=progress && sync<br />
<br />
Make sure the USB key uses a GPT partition table as described in [[Windows PE#Prepare a bootable Windows PE USB key for UEFI systems]].</div>Kynikoshttps://wiki.archlinux.org/index.php?title=Bubblewrap/Examples&diff=761399Bubblewrap/Examples2022-12-18T07:09:34Z<p>Kynikos: categorize like parent</p>
<hr />
<div>[[Category:Sandboxing]]<br />
[[Category:Kernel]]<br />
== Usage examples ==<br />
<br />
=== dhcpcd ===<br />
<br />
Create a simple [[dhcpcd]] sandbox: <br />
* Determine available kernel namespaces<br />
$ ls /proc/self/ns <br />
cgroup ipc mnt net pid uts<br />
{{Note|The absence of {{Ic|user}} indicates that the kernel has been built with {{ic|1=CONFIG_USER_NS=n}} or is user namespace restricted.}}<br />
<br />
* Bind as read-write the entire host {{ic|/}} directory to {{ic|/}} in the sandbox <br />
* Mount a new devtmpfs filesystem to {{ic|/dev}} in the sandbox<br />
* Create new [[wikipedia:Inter-process_communication|IPC]] and [[control group]] namespaces<br />
* Create a new UTS namespace and set {{ic|dhcpcd}} as the hostname<br />
<br />
# /usr/bin/bwrap --bind / / --dev /dev --unshare-ipc --unshare-cgroup --unshare-uts --hostname dhcpcd /usr/bin/dhcpcd -q -b<br />
<br />
=== Unbound ===<br />
<br />
Create a more granular and complex [[Unbound]] sandbox: <br />
* Bind as read-only the system {{ic|/usr}} directory to {{ic|/usr}} in the sandbox <br />
* Create a symbolic link from the system {{ic|/usr/lib}} directory to {{ic|/lib64}} in the sandbox <br />
* Bind as read-only the system {{ic|/etc}} directory to {{ic|/etc}} in the sandbox<br />
* Create empty {{ic|/var}} and {{ic|/run}} directories within the sandbox<br />
* Mount a new devtmpfs filesystem to {{ic|/dev}} in the sandbox<br />
* Create new IPC and [[wikipedia:Process_identifier|PID]] and control group namespaces<br />
* Create a new UTS namespace and set {{ic|unbound}} as the hostname<br />
<br />
# /usr/bin/bwrap --ro-bind /usr /usr --symlink usr/lib /lib64 --ro-bind /etc /etc --dir /var --dir /run --dev /dev --unshare-ipc --unshare-pid --unshare-cgroup --unshare-uts --hostname unbound /usr/bin/unbound -d<br />
<br />
{{Tip|See [[systemd#Editing provided units]] to enable the bubblewrapping of systemd unit files including {{ic|unbound.service}}}}<br />
<br />
=== Desktop ===<br />
<br />
Leverage Bubblewrap within [[desktop entries]]:<br />
* Bind as read-write the entire host {{ic|/}} directory to {{ic|/}} in the sandbox<br />
* Re-bind as read-only the {{ic|/var}} and {{ic|/etc}} directories in the sandbox<br />
* Mount a new devtmpfs filesystem to {{ic|/dev}} in the sandbox<br />
* Create a tmpfs filesystem over the sandboxed {{ic|/run}} directory<br />
* Disable network access by creating new network namespace<br />
<br />
[Desktop Entry]<br />
Name=nano Editor<br />
Exec=bwrap --bind / / --ro-bind /var /var --ro-bind /etc /etc --dev /dev --tmpfs /run --unshare-net st -e nano -o . %f<br />
Type=Application<br />
MimeType=text/plain;<br />
{{Note|{{Ic|--dev /dev}} is required to write to {{Ic|/dev/pty}}}}<br />
<br />
* Example MuPDF desktop entry incorporating a {{Ic|mupdf.sh}} shell wrapper:<br />
<br />
[Desktop Entry]<br />
Name=MuPDF<br />
Exec=mupdf.sh %f<br />
Icon=application-pdf.svg<br />
Type=Application<br />
MimeType=application/pdf;application/x-pdf;<br />
<br />
{{Note|Ensure that {{Ic|mupdf.sh}} is located within your executable PATH e.g. {{Ic|1=PATH=$PATH:$HOME/bwrap}}}}<br />
<br />
=== MuPDF ===<br />
<br />
The power and flexibility of ''bwrap'' is best revealed when used to create an environment within a shell wrapper:<br />
<br />
* Bind as read-only the host {{ic|/usr/bin}} directory to {{ic|/usr/bin}} in the sandbox <br />
* Bind as read-only the host {{ic|/usr/lib}} directory to {{ic|/usr/lib}} in the sandbox <br />
* Create a symbolic link from the system {{ic|/usr/lib}} directory to {{ic|/lib64}} in the sandbox <br />
* Create a [[tmpfs]] filesystem overlaying {{ic|/usr/lib/gcc}} in the sandbox<br />
** This effectively [[wikipedia:Blacklist_(computing)|blacklists]] the contents of {{ic|/usr/lib/gcc}} from appearing in the sandbox<br />
* Create a new tmpfs filesystem as the {{ic|$HOME}} directory in the sandbox<br />
* Bind as read-only an {{Ic|.Xauthority}} file and ''Documents'' directory into the sandbox<br />
** This effectively whitelists the {{Ic|.Xauthority}} file and ''Documents'' directory with recursion<br />
* Create a new tmpfs filesystem as the {{ic|/tmp}} directory in the sandbox<br />
* Whitelist the [[wikipedia:X_Window_System|X11]] socket by binding it into the sandbox as read-only<br />
* Clone and create private containers for all namespaces supported by the running kernel<br />
** If the kernel does not support non-privileged user namespaces, skip its creation and continue<br />
* Do not place network components into a private namespace<br />
** This allows for network access to follow URI hyperlinks<br />
<br />
#!/bin/sh<br />
#~/bwrap/mupdf.sh<br />
(exec bwrap \<br />
--ro-bind /usr/bin /usr/bin \<br />
--ro-bind /usr/lib /usr/lib \<br />
--symlink usr/lib /lib64 \<br />
--tmpfs /usr/lib/gcc \<br />
--tmpfs $HOME \<br />
--ro-bind $HOME/.Xauthority $HOME/.Xauthority \<br />
--ro-bind $HOME/Documents $HOME/Documents \<br />
--tmpfs /tmp \<br />
--ro-bind /tmp/.X11-unix/X0 /tmp/.X11-unix/X0 \<br />
--unshare-all \<br />
--share-net \<br />
/usr/bin/mupdf "$@")<br />
<br />
{{Tip|Execute a shell wrapper substituting the existing executable with ''/usr/bin/sh'' to debug and verify the contents and filesystem structure of the sandbox.}}<br />
<br />
$ bwrap \<br />
--ro-bind /usr/bin /usr/bin \<br />
--ro-bind /usr/lib /usr/lib \<br />
--symlink usr/lib /lib64 \<br />
--tmpfs /usr/lib/gcc \<br />
--tmpfs $HOME \<br />
--ro-bind $HOME/.Xauthority $HOME/.Xauthority \<br />
--ro-bind $HOME/Documents $HOME/Documents \<br />
--tmpfs /tmp \<br />
--ro-bind /tmp/.X11-unix/X0 /tmp/.X11-unix/X0 \<br />
--unshare-all \<br />
--share-net \<br />
/usr/bin/sh<br />
bash-4.4$ ls -AF<br />
.Xauthority Documents/<br />
<br />
Perhaps the most important rule to consider when building a bubblewrapped filesystem is that ''commands are executed in the order they appear''. From the [https://mupdf.com/ MuPDF] example above:<br />
<br />
* A tmpfs filesystem is created first, followed by the bind mounting of an {{Ic|.Xauthority}} file and a ''Documents'' directory, so both remain visible within the sandbox:<br />
--tmpfs $HOME \<br />
--ro-bind $HOME/.Xauthority $HOME/.Xauthority \<br />
--ro-bind $HOME/Documents $HOME/Documents \<br />
<br />
bash-4.4$ ls -a<br />
. .. .Xauthority Documents<br />
<br />
* A tmpfs filesystem is created after the bind mounting of {{Ic|.Xauthority}} and overlays it so that only the ''Documents'' directory is visible within the sandbox:<br />
<br />
--ro-bind $HOME/.Xauthority $HOME/.Xauthority \<br />
--tmpfs $HOME \<br />
--ro-bind $HOME/Documents $HOME/Documents \<br />
<br />
bash-4.4$ ls -a<br />
. .. Documents<br />
<br />
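The ordering rule above can be checked mechanically before a wrapper is used. The following sketch is an added example, not part of the wiki page or of bubblewrap: it walks a ''bwrap'' argument list left to right and reports every mount that lands on or above an earlier destination. The function names, the {{ic|/home/example}} paths and the option table (limited to the options used on this page; any other option is assumed to take no argument) are assumptions.

```shell
#!/bin/sh
# Added example: lint a bwrap argument list for mount-order mistakes.
# bwrap applies options left to right, so a mount placed on a path hides
# every earlier destination located at or below that path.

# is_under CHILD PARENT: succeed if CHILD equals PARENT or lies below it.
# Trailing slashes are normalised so /usr/lib64 is not "under" /usr/lib.
is_under() {
    case "${1%/}/" in
        "${2%/}/"*) return 0 ;;
    esac
    return 1
}

# find_shadowed ARGS...: print one line per hidden destination, formatted
# as "<later option> <later dest> hides <earlier dest>".
find_shadowed() {
    seen=""   # newline-separated destinations created so far
    while [ $# -gt 0 ]; do
        mounts=no
        dest=""
        case "$1" in
            --bind|--ro-bind|--dev-bind|--bind-try|--ro-bind-try|--dev-bind-try)
                opt=$1; dest=${3-}; mounts=yes; n=3 ;;
            --tmpfs|--proc|--dev)
                opt=$1; dest=${2-}; mounts=yes; n=2 ;;
            --symlink)
                opt=$1; dest=${3-}; n=3 ;;   # creates a path, hides nothing
            --dir)
                opt=$1; dest=${2-}; n=2 ;;   # creates a path, hides nothing
            --setenv)
                n=3 ;;
            --hostname|--unsetenv|--chdir|--uid|--gid)
                n=2 ;;
            --*)
                n=1 ;;                       # assumed to be a plain flag
            *)
                break ;;                     # first plain word: the command
        esac
        [ $# -ge "$n" ] || break             # truncated option: stop, do not guess
        shift "$n"
        [ -n "$dest" ] || continue
        if [ "$mounts" = yes ]; then
            # Compare the new mount point with everything created before it.
            while IFS= read -r earlier; do
                [ -n "$earlier" ] || continue
                if is_under "$earlier" "$dest"; then
                    printf '%s %s hides %s\n' "$opt" "$dest" "$earlier"
                fi
            done <<EOF
$seen
EOF
        fi
        seen="$seen$dest
"
    done
    return 0
}

# Constructed sample input: the two orderings discussed above, with
# /home/example standing in for $HOME.
echo "tmpfs before the binds:"
find_shadowed \
    --ro-bind /usr/lib /usr/lib \
    --tmpfs /usr/lib/gcc \
    --tmpfs /home/example \
    --ro-bind /home/example/.Xauthority /home/example/.Xauthority \
    --ro-bind /home/example/Documents /home/example/Documents \
    --unshare-all --share-net /usr/bin/sh

echo "tmpfs after the .Xauthority bind:"
find_shadowed \
    --ro-bind /home/example/.Xauthority /home/example/.Xauthority \
    --tmpfs /home/example \
    --ro-bind /home/example/Documents /home/example/Documents \
    --unshare-all --share-net /usr/bin/sh
```

A deliberate mask such as {{ic|--tmpfs /usr/lib/gcc}} after {{ic|--ro-bind /usr/lib /usr/lib}} is not reported, because the later mount sits below the earlier one rather than on top of it.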
=== p7zip ===<br />
<br />
Applications which have not yet been patched against [https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-9296 known vulnerabilities] constitute prime candidates for bubblewrapping:<br />
<br />
* Bind as read-only the host {{ic|/usr/bin/7za}} executable path to the sandbox <br />
* Create a symbolic link from the system {{ic|/usr/lib}} directory to {{ic|/lib64}} in the sandbox <br />
* Blacklist the sandboxed contents of {{ic|/usr/lib/modules}} and {{ic|/usr/lib/systemd}} with tmpfs overlays<br />
* Mount a new devtmpfs filesystem to {{ic|/dev}} in the sandbox<br />
* Bind as read-write the host {{ic|/sandbox}} directory to the {{ic|/sandbox}} directory in the sandbox<br />
** ''7za'' will only run in the host {{ic|/sandbox}} directory and/or its subdirectories when called from the shell wrapper<br />
* Create new cgroup/IPC/network/PID/UTS namespaces for the application and its processes<br />
** If the kernel does not support non-privileged user namespaces, skip its creation and continue<br />
** Creation of a new network namespace prevents the sandbox from obtaining network access <br />
* Add a custom or an arbitrary [[hostname]] to the sandbox such as {{ic|p7zip}}<br />
* Unset the {{ic|XAUTHORITY}} [[environment variable]] to hide the location of the X11 connection cookie<br />
** ''7za'' does not need to connect to an X11 display server to function properly<br />
* Start a new terminal session to prevent keyboard input from escaping the sandbox <br />
<br />
#!/bin/sh<br />
#~/bwrap/p7zip.sh<br />
(exec bwrap \<br />
--ro-bind /usr/bin/7za /usr/bin/7za \<br />
--symlink usr/lib /lib64 \<br />
--tmpfs /usr/lib/modules \<br />
--tmpfs /usr/lib/systemd \<br />
--dev /dev \<br />
--bind /sandbox /sandbox \<br />
--unshare-all \<br />
--hostname p7zip \<br />
--unsetenv XAUTHORITY \<br />
--new-session \<br />
/usr/bin/7za "$@")<br />
<br />
{{Note|''/usr/bin/sh'' and ''/usr/bin/ls'' must reside in the executable path in order to traverse and verify the sandbox filesystem.}}<br />
<br />
bwrap \<br />
--ro-bind /usr/bin/7za /usr/bin/7za \<br />
'''--ro-bind /usr/bin/ls /usr/bin/ls \'''<br />
'''--ro-bind /usr/bin/sh /usr/bin/sh \'''<br />
--symlink usr/lib /lib64 \<br />
--tmpfs /usr/lib/modules \<br />
--tmpfs /usr/lib/systemd \<br />
--dev /dev \<br />
--bind /sandbox /sandbox \<br />
--unshare-all \<br />
--hostname p7zip \<br />
--unsetenv XAUTHORITY \<br />
--new-session \<br />
/usr/bin/sh<br />
bash: no job control in this shell<br />
bash-4.4$ ls -AF <br />
dev/ lib64@ usr/<br />
bash-4.4$ ls -l /usr/lib/modules <br />
total 0<br />
bash-4.4$ ls -l /usr/lib/systemd<br />
total 0<br />
bash-4.4$ ls -AF /dev<br />
console full null ptmx@ pts/ random shm/ stderr@ stdin@ stdout@ tty urandom zero<br />
bash-4.4$ ls -A /usr/bin<br />
7za ls sh<br />
<br />
=== Firefox ===<br />
<br />
Network-facing applications with large attack surfaces are also ideal candidates to be bubblewrapped:<br />
<br />
* [[Transmission]] included in the sandbox to launch with magnet and torrent links<br />
* Example wrap supports audio ([[PulseAudio]]) and printing ([[CUPS]]/[[Avahi]]) under [[GNOME]] ([[Wayland]])<br />
** Paths in {{ic|~/.config/transmission/settings.json}} should reflect the {{ic|--setenv HOME}} variable<br />
* Full paths are used to allow for keyboard bindings in environments which do not support variable expansion.<br />
* [[Firefox#Hardware video acceleration|WebRender]] and hardware (accelerated) compositing support included<br />
<br />
bwrap \<br />
--symlink usr/lib /lib \<br />
--symlink usr/lib64 /lib64 \<br />
--symlink usr/bin /bin \<br />
--symlink usr/bin /sbin \<br />
--ro-bind /usr/lib /usr/lib \<br />
--ro-bind /usr/lib64 /usr/lib64 \<br />
--ro-bind /usr/bin /usr/bin \<br />
--ro-bind /usr/lib/firefox /usr/lib/firefox \<br />
--ro-bind /usr/share/applications /usr/share/applications \<br />
--ro-bind /usr/share/gtk-3.0 /usr/share/gtk-3.0 \<br />
--ro-bind /usr/share/fontconfig /usr/share/fontconfig \<br />
--ro-bind /usr/share/icu /usr/share/icu \<br />
--ro-bind /usr/share/drirc.d /usr/share/drirc.d \<br />
--ro-bind /usr/share/fonts /usr/share/fonts \<br />
--ro-bind /usr/share/glib-2.0 /usr/share/glib-2.0 \<br />
--ro-bind /usr/share/glvnd /usr/share/glvnd \<br />
--ro-bind /usr/share/icons /usr/share/icons \<br />
--ro-bind /usr/share/libdrm /usr/share/libdrm \<br />
--ro-bind /usr/share/mime /usr/share/mime \<br />
--ro-bind /usr/share/X11/xkb /usr/share/X11/xkb \<br />
--ro-bind /usr/share/icons /usr/share/icons \<br />
--ro-bind /usr/share/mime /usr/share/mime \<br />
--ro-bind /etc/fonts /etc/fonts \<br />
--ro-bind /etc/resolv.conf /etc/resolv.conf \<br />
--ro-bind /usr/share/ca-certificates /usr/share/ca-certificates \<br />
--ro-bind /etc/ssl /etc/ssl \<br />
--ro-bind /etc/ca-certificates /etc/ca-certificates \<br />
--dir /run/user/"$(id -u)" \<br />
--ro-bind /run/user/"$(id -u)"/pulse /run/user/"$(id -u)"/pulse \<br />
--ro-bind /run/user/"$(id -u)"/wayland-1 /run/user/"$(id -u)"/wayland-1 \<br />
--dev /dev \<br />
--dev-bind /dev/dri /dev/dri \<br />
--ro-bind /sys/dev/char /sys/dev/char \<br />
--ro-bind /sys/devices/pci0000:00 /sys/devices/pci0000:00 \<br />
--proc /proc \<br />
--tmpfs /tmp \<br />
--bind /home/example/.mozilla /home/example/.mozilla \<br />
--bind /home/example/.config/transmission /home/example/.config/transmission \<br />
--bind /home/example/Downloads /home/example/Downloads \<br />
--setenv HOME /home/example \<br />
--setenv GTK_THEME Adwaita:dark \<br />
--setenv MOZ_ENABLE_WAYLAND 1 \<br />
--setenv PATH /usr/bin \<br />
--hostname RESTRICTED \<br />
--unshare-all \<br />
--share-net \<br />
--die-with-parent \<br />
--new-session \<br />
/usr/bin/firefox<br />
<br />
==== Enhancing privacy ====<br />
<br />
* Further restrictions can be made by removing specific entries<br />
** Remove the following entry to remove audio support:<br />
<br />
--ro-bind /run/user/"$(id -u)"/pulse /run/user/"$(id -u)"/pulse \<br />
<br />
* {{ic|/sandbox}} represents an arbitrary location defined by the user to hold desired profile information<br />
** This allows for the use of a [[Firefox/Privacy#Sanitized profiles|sanitized profile]] copied into {{ic|/sandbox}} via a script/cron job or manually e.g.<br />
<br />
$ cp -pR ~/.mozilla /sandbox/<br />
<br />
The location can be a network share, a USB mount, or a local filesystem or [[Firefox/Profile on RAM|ramfs/tmpfs location]]<br />
<br />
* Set {{ic|/home/r}} to obscure the actual {{ic|/home/example}}<br />
* Set new user ID and group ID values<br />
<br />
{{Note|Ensure that the selected UID and GID do not conflict with existing values listed in {{ic|/etc/passwd}} and {{ic|/etc/group}}.}}<br />
<br />
bwrap \<br />
....<br />
--bind /sandbox/.mozilla /home/r/.mozilla \<br />
--bind /sandbox/Downloads /home/r/Downloads \<br />
...<br />
--setenv HOME /home/r \<br />
...<br />
--uid 200 --gid 400 \<br />
...<br />
/usr/bin/firefox --no-remote --private-window<br />
<br />
=== Chromium ===<br />
<br />
A simple Chromium sandbox for Wayland with PipeWire:<br />
<br />
{{bc|1=<br />
bwrap \<br />
--symlink usr/lib /lib \<br />
--symlink usr/lib64 /lib64 \<br />
--symlink usr/bin /bin \<br />
--symlink usr/bin /sbin \<br />
--ro-bind /usr/lib /usr/lib \<br />
--ro-bind /usr/lib64 /usr/lib64 \<br />
--ro-bind /usr/bin /usr/bin \<br />
--ro-bind /etc /etc \<br />
--ro-bind /usr/lib/chromium /usr/lib/chromium \<br />
--ro-bind /usr/share /usr/share \<br />
--dev /dev \<br />
--dev-bind /dev/dri /dev/dri \<br />
--proc /proc \<br />
--ro-bind /sys/dev/char /sys/dev/char \<br />
--ro-bind /sys/devices /sys/devices \<br />
--ro-bind /run/dbus /run/dbus \<br />
--dir "$XDG_RUNTIME_DIR" \<br />
--ro-bind "$XDG_RUNTIME_DIR/wayland-1" "$XDG_RUNTIME_DIR/wayland-1" \<br />
--ro-bind "$XDG_RUNTIME_DIR/pipewire-0" "$XDG_RUNTIME_DIR/pipewire-0" \<br />
--ro-bind "$XDG_RUNTIME_DIR/pulse" "$XDG_RUNTIME_DIR/pulse" \<br />
--tmpfs /tmp \<br />
--dir $HOME/.cache \<br />
--bind $HOME/.config/chromium $HOME/.config/chromium \<br />
--bind $HOME/Downloads $HOME/Downloads \<br />
/usr/bin/chromium --enable-features=UseOzonePlatform --ozone-platform=wayland<br />
}}<br />
<br />
{{Warning|If you are using the {{pkg|linux-hardened}} kernel, you will not be able to use bubblewrap to sandbox Chromium, because the {{ic|kernel.unprivileged_userns_clone}} [[sysctl]] is set to 0. You can set it to 1; however, this is not recommended {{Bug|36969}}.<br />
One alternative solution is to have Chromium use the namespace created by bubblewrap. This can be achieved through {{AUR|zypak}}, which is also used by Flatpak to run Electron-based applications inside an additional namespace. Example code that demonstrates how to use zypak with Chromium/Electron can be found [https://github.com/valoq/bwscripts/blob/master/profiles/signal-desktop here].<br />
}}<br />
<br />
* [[PipeWire]]: {{ic|--ro-bind "$XDG_RUNTIME_DIR/pipewire-0" "$XDG_RUNTIME_DIR/pipewire-0" \}}<br />
** If you are not using PipeWire, this line can be removed<br />
* {{ic|--bind $HOME/.config/chromium $HOME/.config/chromium \}} mounts your Chromium configuration directory in the sandbox as readable and writable<br />
* {{ic|--bind $HOME/Downloads $HOME/Downloads \}} mounts your {{ic|~/Downloads}} directory in the sandbox as readable and writable<br />
* This example can be further improved for more isolation.<br />
<br />
=== Skype for Linux ===<br />
<br />
{{AUR|skypeforlinux-stable-bin}} should be started with {{ic|/usr/share/skypeforlinux/skypeforlinux}} instead of {{ic|/usr/bin/skypeforlinux}}, because the latter is just a wrapper script which forks the main process in the background and terminates, which conflicts with the {{ic|--die-with-parent}} ''bwrap'' option.<br />
<br />
The following example provides these features:<br />
<br />
* {{ic|env -i}} ensures that all environment variables are unset.<br />
* Network is shared with the host ({{ic|--share-net}}), {{ic|/etc/resolv.conf}} is bind-mounted.<br />
* [[Xorg]] access: bind the {{ic|/tmp/.X11-unix/X0}} socket, set {{ic|$DISPLAY}}.<br />
* [[D-Bus]]: bind the {{ic|/run/user/$UID/bus}} socket, set {{ic|$DBUS_SESSION_BUS_ADDRESS}}.<br />
* Audio: bind the [[PulseAudio]] socket.<br />
* Video: dev-bind the {{ic|/dev/video0}} device.<br />
<br />
The directory on the host where you want to keep the Skype profile can be configured with {{ic|$HOST_PROFILE_PATH}}.<br />
<br />
{{bc|1=<br />
env -i bwrap \<br />
--ro-bind /usr /usr \<br />
--dir /home/r \<br />
--dir /tmp \<br />
--dir /var \<br />
--dir /run/user/$UID \<br />
--proc /proc \<br />
--dev /dev \<br />
--symlink usr/lib /lib \<br />
--symlink usr/lib64 /lib64 \<br />
--symlink usr/bin /bin \<br />
--symlink usr/sbin /sbin \<br />
--symlink ../tmp /var/tmp \<br />
--bind "$HOST_PROFILE_PATH" /home/r/.config/skypeforlinux \<br />
--ro-bind /etc/resolv.conf /etc/resolv.conf \<br />
--ro-bind /tmp/.X11-unix/X0 /tmp/.X11-unix/X0 \<br />
--ro-bind /run/user/$UID/bus /run/user/$UID/bus \<br />
--ro-bind /run/user/$UID/pulse /run/user/$UID/pulse \<br />
--dev-bind /dev/video0 /dev/video0 \<br />
--chdir / \<br />
--unshare-all \<br />
--share-net \<br />
--hostname RESTRICTED \<br />
--die-with-parent \<br />
--new-session \<br />
--setenv PATH /usr/bin \<br />
--setenv HOME /home/r \<br />
--setenv XDG_RUNTIME_DIR "/run/user/$UID" \<br />
--setenv DISPLAY "$DISPLAY" \<br />
--setenv DBUS_SESSION_BUS_ADDRESS "unix:path=/run/user/$UID/bus" \<br />
/usr/share/skypeforlinux/skypeforlinux<br />
}}<br />
<br />
=== Filesystem isolation ===<br />
<br />
{{Warning|It is the bubblewrap user’s responsibility to update the filesystem trees regularly.}}<br />
<br />
To further hide the contents of the file system (such as those in {{ic|/var}}, {{ic|/usr/bin}} and {{ic|/usr/lib}}) and to sandbox even the installation of software, pacman can be made to install Arch packages into isolated filesystem trees.<br />
<br />
In order to use pacman for installing software into the filesystem trees, you will need to install {{Pkg|fakeroot}} and {{Pkg|fakechroot}}.<br />
<br />
Suppose you want to install the {{ic|xterm}} package with pacman into an isolated filesystem tree. You should prepare your tree like this:<br />
<br />
$ MYPACKAGE=xterm<br />
$ mkdir -p ~/sandboxes/${MYPACKAGE}/files/var/lib/pacman<br />
$ mkdir -p ~/sandboxes/${MYPACKAGE}/files/etc<br />
$ cp /etc/pacman.conf ~/sandboxes/${MYPACKAGE}/files/etc/pacman.conf<br />
<br />
You may want to edit {{ic|~/sandboxes/${MYPACKAGE}/files/etc/pacman.conf}} and adjust the pacman configuration used:<br />
<br />
* Remove any undesired custom repositories and {{ic|IgnorePkg}}, {{ic|IgnoreGroup}}, {{ic|NoUpgrade}} and {{ic|NoExtract}} settings that are needed only for the host system.<br />
* You may need to remove the {{ic|CheckSpace}} option so pacman will not complain about errors finding the root filesystem for checking disk space.<br />
<br />
Then install the {{ic|base}} group along with the needed fakeroot into the isolated filesystem tree:<br />
<br />
$ fakechroot fakeroot pacman -Syu \<br />
--root ~/sandboxes/${MYPACKAGE}/files \<br />
--dbpath ~/sandboxes/${MYPACKAGE}/files/var/lib/pacman \<br />
--config ~/sandboxes/${MYPACKAGE}/files/etc/pacman.conf \<br />
base fakeroot<br />
<br />
Since you will be repeatedly calling bubblewrap with the same options, make an alias:<br />
<br />
$ alias bw-install='bwrap \<br />
--bind ~/sandboxes/${MYPACKAGE}/files/ / \<br />
--ro-bind /etc/resolv.conf /etc/resolv.conf \<br />
--tmpfs /tmp \<br />
--proc /proc \<br />
--dev /dev \<br />
--chdir / '<br />
<br />
You will need to set up the [[Locale|locales]] by [[textedit|editing]] {{ic|~/sandboxes/${MYPACKAGE}/files/etc/locale.gen}} and running: <br />
<br />
$ bw-install locale-gen<br />
<br />
Then set up pacman’s keyring:<br />
<br />
$ bw-install fakeroot pacman-key --init<br />
$ bw-install fakeroot pacman-key --populate<br />
<br />
Now you can install the desired {{ic|xterm}} package.<br />
<br />
$ bw-install fakeroot pacman -S ${MYPACKAGE}<br />
<br />
If the pacman command fails here, try running the command for populating the keyring again.<br />
<br />
Congratulations. You now have an isolated filesystem tree containing {{ic|xterm}}. You can use {{ic|bw-install}} again to upgrade your filesystem tree.<br />
<br />
You can now run your software with bubblewrap. {{ic|''command''}} should be {{ic|xterm}} in this case.<br />
<br />
$ bwrap \<br />
--ro-bind ~/sandboxes/${MYPACKAGE}/files/ / \<br />
--ro-bind /etc/resolv.conf /etc/resolv.conf \<br />
--tmpfs /tmp \<br />
--proc /proc \<br />
--dev /dev \<br />
--chdir / \<br />
''command''<br />
<br />
Note that some files can be shared between packages. You can hardlink to all files of an existing parent filesystem tree to reuse them in a new tree:<br />
<br />
$ cp -al ~/sandboxes/${MYPARENTPACKAGE} ~/sandboxes/${MYPACKAGE}<br />
<br />
Then proceed with the installation as usual by calling pacman from {{ic|bw-install fakechroot fakeroot pacman …}}.</div>Kynikoshttps://wiki.archlinux.org/index.php?title=Arch_LVM_%E9%85%8D%E7%BD%AE_(%E7%AE%80%E4%BD%93%E4%B8%AD%E6%96%87)&diff=759868Arch LVM 配置 (简体中文)2022-12-11T04:52:19Z<p>Kynikos: fix double redirect</p>
<hr />
<div>#REDIRECT [[zh-hans:LVM]]</div>Kynikoshttps://wiki.archlinux.org/index.php?title=PPTP_Server_(%E7%AE%80%E4%BD%93%E4%B8%AD%E6%96%87)&diff=759867PPTP Server (简体中文)2022-12-11T04:52:15Z<p>Kynikos: fix double redirect</p>
<hr />
<div>#REDIRECT [[zh-hans:PPTP server]]</div>Kynikoshttps://wiki.archlinux.org/index.php?title=%E9%9D%9E%E5%AE%98%E6%96%B9%E8%BD%AF%E4%BB%B6%E4%BB%93%E5%BA%93&diff=759866非官方软件仓库2022-12-11T04:52:12Z<p>Kynikos: fix double redirect</p>
<hr />
<div>#REDIRECT [[zh-hans:Unofficial user repositories]]<br />
[[Category:Package management (简体中文)]]</div>Kynikoshttps://wiki.archlinux.org/index.php?title=%E9%9D%9E%E5%AE%98%E6%96%B9%E7%94%A8%E6%88%B7%E5%AD%98%E5%82%A8%E5%BA%93&diff=759865非官方用户存储库2022-12-11T04:52:11Z<p>Kynikos: fix double redirect</p>
<hr />
<div>#REDIRECT [[zh-hans:Unofficial user repositories]]</div>Kynikoshttps://wiki.archlinux.org/index.php?title=Archlinuxcn_(%E7%AE%80%E4%BD%93%E4%B8%AD%E6%96%87)&diff=759864Archlinuxcn (简体中文)2022-12-11T04:52:09Z<p>Kynikos: fix double redirect</p>
<hr />
<div>#redirect [[zh-hans:Unofficial user repositories#archlinuxcn]]</div>Kynikoshttps://wiki.archlinux.org/index.php?title=WPA_supplicant_(%E7%AE%80%E4%BD%93%E4%B8%AD%E6%96%87)&diff=759863WPA supplicant (简体中文)2022-12-11T04:52:06Z<p>Kynikos: fix double redirect</p>
<hr />
<div>#REDIRECT [[zh-hans:Wpa supplicant]]</div>Kynikoshttps://wiki.archlinux.org/index.php?title=WPA_Supplicant_(%E7%AE%80%E4%BD%93%E4%B8%AD%E6%96%87)&diff=759862WPA Supplicant (简体中文)2022-12-11T04:52:03Z<p>Kynikos: fix double redirect</p>
<hr />
<div>#REDIRECT [[zh-hans:Wpa supplicant]]</div>Kynikoshttps://wiki.archlinux.org/index.php?title=WPA_%E5%AE%A2%E6%88%B7%E7%AB%AF&diff=759861WPA 客户端2022-12-11T04:51:59Z<p>Kynikos: fix double redirect</p>
<hr />
<div>#REDIRECT [[zh-hans:Wpa supplicant]]</div>Kynikoshttps://wiki.archlinux.org/index.php?title=AboutWiki_(%E7%AE%80%E4%BD%93%E4%B8%AD%E6%96%87)&diff=759860AboutWiki (简体中文)2022-12-11T04:51:57Z<p>Kynikos: fix double redirect</p>
<hr />
<div>#REDIRECT [[zh-hans:ArchWiki:About]]</div>Kynikoshttps://wiki.archlinux.org/index.php?title=ArchWiki_(%E7%AE%80%E4%BD%93%E4%B8%AD%E6%96%87)&diff=759859ArchWiki (简体中文)2022-12-11T04:51:56Z<p>Kynikos: fix double redirect</p>
<hr />
<div>#redirect [[zh-hans:ArchWiki:About]]</div>Kynikoshttps://wiki.archlinux.org/index.php?title=ArchWiki_%E7%BB%B4%E6%8A%A4%E5%9B%A2%E9%98%9F&diff=759856ArchWiki 维护团队2022-12-11T04:51:45Z<p>Kynikos: fix double redirect</p>
<hr />
<div>#redirect [[zh-hans:ArchWiki:Maintenance Team]]</div>Kynikoshttps://wiki.archlinux.org/index.php?title=%E7%BB%B4%E6%8A%A4%E5%9B%A2%E9%98%9F&diff=759855维护团队2022-12-11T04:51:44Z<p>Kynikos: fix double redirect</p>
<hr />
<div>#redirect [[zh-hans:ArchWiki:Maintenance Team]]</div>Kynikoshttps://wiki.archlinux.org/index.php?title=Wiki_News_(%E7%AE%80%E4%BD%93%E4%B8%AD%E6%96%87)&diff=759854Wiki News (简体中文)2022-12-11T04:51:40Z<p>Kynikos: fix double redirect</p>
<hr />
<div>#REDIRECT [[zh-hans:ArchWiki:News]]</div>Kynikoshttps://wiki.archlinux.org/index.php?title=%E6%96%87%E7%AB%A0%E5%91%BD%E5%90%8D%E8%A7%84%E5%88%99&diff=759853文章命名规则2022-12-11T04:51:36Z<p>Kynikos: fix double redirect</p>
<hr />
<div>#REDIRECT[[zh-hans:Help:Article naming guidelines]]</div>Kynikoshttps://wiki.archlinux.org/index.php?title=%E6%96%87%E7%AB%A0%E5%91%BD%E5%90%8D%E8%A7%84%E8%8C%83&diff=759852文章命名规范2022-12-11T04:51:32Z<p>Kynikos: fix double redirect</p>
<hr />
<div>#REDIRECT[[zh-hans:Help:Article naming guidelines]]</div>Kynikoshttps://wiki.archlinux.org/index.php?title=Writing_Short_Article_Names_(%E7%AE%80%E4%BD%93%E4%B8%AD%E6%96%87)&diff=759851Writing Short Article Names (简体中文)2022-12-11T04:51:28Z<p>Kynikos: fix double redirect</p>
<hr />
<div>#REDIRECT[[zh-hans:Help:Article naming guidelines]]</div>Kynikoshttps://wiki.archlinux.org/index.php?title=Article_Naming_Guidelines_(%E7%AE%80%E4%BD%93%E4%B8%AD%E6%96%87)&diff=759850Article Naming Guidelines (简体中文)2022-12-11T04:51:25Z<p>Kynikos: fix double redirect</p>
<hr />
<div>#REDIRECT [[zh-hans:Help:Article naming guidelines]]</div>Kynikoshttps://wiki.archlinux.org/index.php?title=Arch_%E6%96%87%E7%AB%A0%E5%91%BD%E5%90%8D%E8%A7%84%E5%88%99_(%E7%AE%80%E4%BD%93%E4%B8%AD%E6%96%87)&diff=759849Arch 文章命名规则 (简体中文)2022-12-11T04:51:21Z<p>Kynikos: fix double redirect</p>
<hr />
<div>#REDIRECT[[zh-hans:Help:Article naming guidelines]]</div>Kynikoshttps://wiki.archlinux.org/index.php?title=Arch_AUR_(%E7%AE%80%E4%BD%93%E4%B8%AD%E6%96%87)&diff=758860Arch AUR (简体中文)2022-12-04T07:31:18Z<p>Kynikos: fix double redirect</p>
<hr />
<div>#REDIRECT [[zh-hans:Arch User Repository]]</div>Kynikoshttps://wiki.archlinux.org/index.php?title=AUR_User_Guidelines_(%E7%AE%80%E4%BD%93%E4%B8%AD%E6%96%87)&diff=758859AUR User Guidelines (简体中文)2022-12-04T07:31:17Z<p>Kynikos: fix double redirect</p>
<hr />
<div>#REDIRECT [[zh-hans:Arch User Repository]]</div>Kynikoshttps://wiki.archlinux.org/index.php?title=AUR_(%E7%AE%80%E4%BD%93%E4%B8%AD%E6%96%87)&diff=758858AUR (简体中文)2022-12-04T07:31:16Z<p>Kynikos: fix double redirect</p>
<hr />
<div>#REDIRECT [[zh-hans:Arch User Repository]]</div>Kynikoshttps://wiki.archlinux.org/index.php?title=AUR_%E7%94%A8%E6%88%B7%E6%8C%87%E5%8D%97_(%E7%AE%80%E4%BD%93%E4%B8%AD%E6%96%87)&diff=758857AUR 用户指南 (简体中文)2022-12-04T07:31:15Z<p>Kynikos: fix double redirect</p>
<hr />
<div>#REDIRECT [[zh-hans:Arch User Repository]]</div>Kynikoshttps://wiki.archlinux.org/index.php?title=Kernel_Panics_(%E7%AE%80%E4%BD%93%E4%B8%AD%E6%96%87)&diff=758856Kernel Panics (简体中文)2022-12-04T07:31:14Z<p>Kynikos: fix double redirect</p>
<hr />
<div>#redirect [[zh-hans:General troubleshooting]]</div>Kynikoshttps://wiki.archlinux.org/index.php?title=%E6%81%A2%E5%A4%8D%E4%B8%8A%E4%B8%80%E7%89%88%E6%9C%AC%E7%9A%84%E5%86%85%E6%A0%B8_(%E7%AE%80%E4%BD%93%E4%B8%AD%E6%96%87)&diff=758855恢复上一版本的内核 (简体中文)2022-12-04T07:31:13Z<p>Kynikos: fix double redirect</p>
<hr />
<div>#REDIRECT [[zh-hans:General troubleshooting]]</div>Kynikoshttps://wiki.archlinux.org/index.php?title=Arch_QEMU%E8%AE%BE%E7%BD%AE_(%E7%AE%80%E4%BD%93%E4%B8%AD%E6%96%87)&diff=758854Arch QEMU设置 (简体中文)2022-12-04T07:31:12Z<p>Kynikos: fix double redirect</p>
<hr />
<div>#REDIRECT [[zh-hans:QEMU]]</div>Kynikoshttps://wiki.archlinux.org/index.php?title=VirtualBox_(%E7%AE%80%E4%BD%93%E4%B8%AD%E6%96%87)/Tips_and_tricks_(%E7%AE%80%E4%BD%93%E4%B8%AD%E6%96%87)&diff=758853VirtualBox (简体中文)/Tips and tricks (简体中文)2022-12-04T07:31:10Z<p>Kynikos: fix double redirect</p>
<hr />
<div>#redirect [[zh-hans:VirtualBox]]</div>Kynikoshttps://wiki.archlinux.org/index.php?title=Mod_python_(%D0%A0%D1%83%D1%81%D1%81%D0%BA%D0%B8%D0%B9)&diff=748256Mod python (Русский)2022-09-25T05:55:33Z<p>Kynikos: fix double redirect</p>
<hr />
<div>#REDIRECT [[Apache HTTP Server/mod wsgi]]</div>Kynikoshttps://wiki.archlinux.org/index.php?title=Mod_python-ru&diff=748255Mod python-ru2022-09-25T05:55:30Z<p>Kynikos: fix double redirect</p>
<hr />
<div>#REDIRECT [[Apache HTTP Server/mod wsgi]]</div>Kynikoshttps://wiki.archlinux.org/index.php?title=Apache_HTTP_Server_(%D0%A0%D1%83%D1%81%D1%81%D0%BA%D0%B8%D0%B9)/mod_python_(%D0%A0%D1%83%D1%81%D1%81%D0%BA%D0%B8%D0%B9)&diff=748254Apache HTTP Server (Русский)/mod python (Русский)2022-09-25T05:55:27Z<p>Kynikos: fix double redirect</p>
<hr />
<div>#REDIRECT [[Apache HTTP Server/mod wsgi]]</div>Kynikoshttps://wiki.archlinux.org/index.php?title=Mod_python&diff=748253Mod python2022-09-25T05:55:25Z<p>Kynikos: fix double redirect</p>
<hr />
<div>#REDIRECT [[Apache HTTP Server/mod wsgi]]<br />
{{DISPLAYTITLE:mod_python}}</div>Kynikoshttps://wiki.archlinux.org/index.php?title=Apache_HTTP_Server/mod_python_(%D0%A0%D1%83%D1%81%D1%81%D0%BA%D0%B8%D0%B9)&diff=748252Apache HTTP Server/mod python (Русский)2022-09-25T05:55:23Z<p>Kynikos: fix double redirect</p>
<hr />
<div>#REDIRECT [[Apache HTTP Server/mod wsgi]]</div>Kynikoshttps://wiki.archlinux.org/index.php?title=Apache_HTTP_Server/mod_python_(Espa%C3%B1ol)&diff=748251Apache HTTP Server/mod python (Español)2022-09-25T05:55:22Z<p>Kynikos: fix double redirect</p>
<hr />
<div>#REDIRECT [[Apache HTTP Server (Español)/mod wsgi (Español)]]</div>Kynikoshttps://wiki.archlinux.org/index.php?title=Mod_python_(Espa%C3%B1ol)&diff=748250Mod python (Español)2022-09-25T05:55:21Z<p>Kynikos: fix double redirect</p>
<hr />
<div>#REDIRECT [[Apache HTTP Server (Español)/mod wsgi (Español)]]</div>Kynikoshttps://wiki.archlinux.org/index.php?title=Wim_(%E7%AE%80%E4%BD%93%E4%B8%AD%E6%96%87)&diff=742577Wim (简体中文)2022-08-21T10:49:53Z<p>Kynikos: add category</p>
<hr />
<div>[[Category:File formats (简体中文)]]<br />
[[en:Wim]]<br />
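WIM is short for Microsoft Windows Imaging Format, a file-based image format for Windows.<br />
<br />
The WIM format is often used in Windows installers.<br />
<br />
On Linux, {{Pkg|wimlib}} can be used to work with it.<br />
<br />
== View information ==<br />
<br />
To view information about a WIM file (including but not limited to name, index, etc.), use:<br />
<br />
$ wiminfo ''image_file''<br />
<br />
== Mount ==<br />
<br />
As an image file, a WIM can be mounted with the following commands.<br />
<br />
=== Read-only mount ===<br />
<br />
# wimmount ''image_file'' ''index'' ''directory''<br />
<br />
=== Mount as read/write ===<br />
<br />
# wimmountrw ''image_file'' ''index'' ''directory''<br />
<br />
=== Unmount ===<br />
<br />
To unmount the image and apply the changes made in a read/write mount, use:<br />
<br />
# wimunmount ''directory'' --commit<br />
<br />
{{Warning|Without the {{ic|--commit}} parameter, the changes will not be applied.}}<br />
<br />
== Directory structure ==<br />
<br />
To view the directory structure of a WIM image, use:<br />
<br />
# wimdir ''image_file'' ''index''<br />
<br />
== Apply the image ==<br />
<br />
To apply the image, use:<br />
<br />
# wimapply ''image_file'' ''index'' ''target_directory''<br />
<br />
== Compression ==<br />
<br />
Boot media generally has to be formatted as FAT32. The Windows ISO is larger than 4 GiB and therefore cannot be copied to a FAT32 file system; you need to compress {{ic|install.wim}} to do this:<br />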
<br />
# wimlib-imagex optimize install.wim --solid</div>Kynikoshttps://wiki.archlinux.org/index.php?title=Wim&diff=742576Wim2022-08-21T10:49:31Z<p>Kynikos: add category</p>
<hr />
<div>[[Category:File formats]]<br />
[[zh-hans:Wim]]<br />
WIM (Microsoft Windows Imaging Format) is a file-based disk image format for Windows. It is often used in Windows installers.<br />
<br />
On Linux, {{Pkg|wimlib}} can be used on these files.<br />
<br />
== View information ==<br />
<br />
To view information about the WIM file (including but not limited to: name, index, etc…), use: <br />
<br />
$ wiminfo ''image_file''<br />
<br />
== Mount ==<br />
<br />
A WIM image file can be mounted with the following commands.<br />
<br />
=== Read-only mount ===<br />
<br />
# wimmount ''image_file'' ''index'' ''directory''<br />
<br />
=== Mount as read/write ===<br />
<br />
# wimmount'''rw''' ''image_file'' ''index'' ''directory''<br />
<br />
=== Unmount ===<br />
<br />
To unmount the image and apply the changes made in a read/write mount, use:<br />
<br />
# wimunmount ''directory'' --commit<br />
<br />
{{Warning|No changes will be applied without the {{ic|--commit}} parameter.}}<br />
<br />
== Directory structure ==<br />
<br />
To view the directory structure of a WIM image, use: <br />
<br />
# wimdir ''image_file'' ''index''<br />
<br />
== Extract the image ==<br />
<br />
To extract the full image, do: <br />
<br />
# wimapply ''image_file'' ''index'' ''target_directory''<br />
<br />
== Compression ==<br />
<br />
The Windows ISO is larger than 4 GiB, so it cannot be copied to a boot disk formatted with the FAT32 file system. You will need to compress {{ic|install.wim}} to do this:<br />
<br />
# wimlib-imagex optimize install.wim --solid</div>Kynikoshttps://wiki.archlinux.org/index.php?title=Laptop/Dell&diff=742571Laptop/Dell2022-08-21T10:45:29Z<p>Kynikos: add category</p>
<hr />
<div>{{Laptops navigation}}<br />
[[Category:Dell]]<br />
== Inspiron ==<br />
<br />
{{Laptops table header}}<br />
| Inspiron 1420 || 2012-09 || {{Yes}} || {{Yes}} || {{Yes}} || {{Yes}} || {{Y|Untested}} || {{Y|Untested}} || || <br />
|-<br />
| Inspiron 1501 || 2007-05-17 || {{Yes}} || {{Yes}} || {{Yes}} || {{Yes}} || {{-}} || {{Y|Untested}} || || <br />
|-<br />
| Inspiron 1520 || 2008-03-31 || {{Yes}} || {{Yes}} || {{Yes}} || {{Yes}} || {{Yes}} || {{Y|Untested}} || || <br />
|-<br />
| Inspiron 1525 || 2008-06-24 || {{Yes}} || {{Yes}} || {{Yes}} || {{Yes}} || {{-}} || {{Y|Untested}} || || {{ic|Fn+Up/Down}} (LCD brightness control) is OS independent.<br />
|-<br />
| Inspiron 1764 || 2011-08-19 || {{Yes}} || {{Yes}} || {{Yes}} || {{Yes}} || {{Y|Untested}} || {{Y|Untested}} || || Fan control/monitoring is completely broken with {{AUR|i8kutils}}<br />
|-<br />
| Inspiron 14 (3420) || 2016-09-03 || {{Yes}} || {{Yes}} || {{Yes}} || {{Yes}} || {{Y|Untested}} || {{G|Hibernate: Untested}} || || Requires {{Pkg|broadcom-wl-dkms}}<br />
|-<br />
| Inspiron 14 5425 || 2022-06-26 || {{Yes}} || {{Yes}} || {{Yes}} || {{Yes}} || {{No}} || {{No}} || {{Y|SD card reader: Untested}} || <br />
|-<br />
| Inspiron 15 (3541) || 2016-01-01 || {{Y|Untested}} || {{Y|Untested}} || {{Y|Untested}} || {{Y|Untested}} || {{Y|Untested}} || {{G|Yes<sup>*</sup>}} || || <sup>*</sup>Need to disable early microcode loading<br />
|-<br />
| Inspiron 15 (5547) || 2016-01-25 || {{G|AMD GPU: Untested}} || {{Yes}} || {{Yes}} || {{Yes}} || {{Yes}} || {{Y|Untested}} || {{Y|SD card reader: Untested}} || <br />
|-<br />
| Inspiron 15 (5566) || 2020-09-24 || {{G|Yes<sup>*</sup>}} || {{Yes}} || {{Y|Untested}} || {{Yes}} || {{Yes}} || {{Y|Untested}} || {{Y|SD card reader: Untested}} || <sup>*</sup>HDMI untested.<br />
|-<br />
| Inspiron 15 (5559) || 2021-07-19 || {{Yes}} || {{Yes}} || {{Yes}} || {{Yes}} || {{Y|Untested}} || {{Y|Untested}} || || <br />
|-<br />
| Inspiron 15 (7537) || 2016-06-01 || {{Yes}} || {{Yes}} || {{Yes}} || {{Yes}} || {{Yes}} || {{Yes}} || colspan=2 | The volume up/down buttons need some modification to work; all other buttons work with the drivers that come with the kernel. The ACPI battery is not detected on bootup and requires you to plug the AC adapter in and out.<br />
|-<br />
| Inspiron 15 (7570) || 2021-10-27 || {{Yes}} || {{Yes}} || {{Yes}} || {{Yes}} || {{Yes}} || {{Yes}} || colspan=2 | USB-C DisplayPort alt-mode tested with a Dell P2721Q monitor. 65W of power, USB hub and Video delivered over USB-C work well. Rare issues with the monitor sometimes losing the video connection when switching users or logging out (on resolution changes). The power and USB keep working though.<br />
|-<br />
| Inspiron 15 (7548) || 2015-05 || {{G|Yes<sup>*</sup>}} || {{Y|Untested}} || {{-}} || {{Yes}} || {{Yes}} || {{G|Hibernate: Untested}} || {{Y|SD card reader: Untested}} || <sup>*</sup>HDMI untested.<br/>If the kernel [https://bbs.archlinux.org/viewtopic.php?id=200763 panics] during bootup, replace the 'keyboard' hook with the specific module.<br />
|-<br />
| Inspiron 15 (7559) || 2016-08 || {{G|Yes<sup>*</sup>}} || {{Yes}} || {{Yes}} || {{Yes}} || {{Yes}} || {{Yes}} || || <sup>*</sup>[https://github.com/Bumblebee-Project/bbswitch/issues/140 bumblebee with issue]<br />
|-<br />
| Inspiron 15 (7566) || 2016-12 || {{G|Yes<sup>*</sup>}} || {{Yes}} || {{Yes}} || {{Yes}} || {{Yes}} || {{G|Hibernate: Untested}} || || <sup>*</sup>HDMI hot-plug not working.<br />
|-<br />
| [[Dell Inspiron 15 (7590)|Inspiron 15 (7590)]] || 2020-02 || {{Yes}} || {{Y|Partial<sup>*</sup>}} || {{-}} || {{Yes}} || {{Y|Untested}} || {{Yes}} || {{Y|Thunderbolt: Untested}} || <sup>*</sup>See dedicated page<br />
|-<br />
| Inspiron 13 (7370) || 2017-12 || {{Yes}} || {{Yes}} || {{-}} || {{Yes}} || {{Yes}} || {{Y|Partial<sup>*</sup>}} || [https://bugs.launchpad.net/ubuntu/+source/libfprint/+bug/1641290 Fingerprint reader is unsupported].|| <sup>*</sup>Does not wake up after closing the screen lid.<br/>{{ic|Fn}} [https://bugzilla.kernel.org/show_bug.cgi?id=198393 Wireless toggle does not work]<br />
|-<br />
| Inspiron M5030 || 2015-08-16 || {{Yes}} || {{Yes}} || {{Yes}} || {{Yes}} || {{-}} || {{Y|Untested}} || || {{AUR|i8kutils}} required for fan control<br />
|-<br />
| Inspiron Duo 1090 || 2014-10-01 || {{Yes}} || {{Yes}} || {{-}} || {{Yes}} || {{Y|Untested}} || {{G|Hibernate: Untested}} || || <br />
|-<br />
| Inspiron 15 (5567) || 2020-04-01 || {{Yes}} || {{Yes}} || {{Yes}} || {{Yes}} || {{Yes}} || {{Yes}} || || <br />
|-<br />
| [[Dell Inspiron 5575|Inspiron 15 (5575)]] || 2019-12-01 || {{Yes}} || {{Yes}} || {{Yes}} || {{Yes}} || {{Yes}} || {{Yes}} || {{Y|Untested:<br/>HDMI<br/>SD card reader}} || <br />
|-<br />
| [[Dell Inspiron 7586|Inspiron 15 (7586)]] || 2019-07-01 || {{Yes}} || {{Yes}} || {{-}} || {{Yes}} || {{Yes}} || {{G|Hibernate: Untested}} || {{Y|Webcam: Untested}} || Fingerprint reader works with proprietary driver.<br />
|-<br />
| [[Dell Inspiron 13 (5391)|Inspiron 13 (5391)]] || 2020-09 || {{Yes}} || {{Yes}} || {{-}} || {{Yes}} || {{Y|Untested}} || {{-}} || || <br />
|-<br />
| Inspiron 13 (7348) || 2021 || {{Yes}} || {{Yes}} || {{-}} || {{Yes}} || {{Yes}} || {{G|Hibernate: Untested}} || || <br />
|-<br />
| Inspiron 14 7425 2-in-1 || 2022-05-05 || {{Yes}} || {{Yes}} || {{-}} || {{Yes}} || {{No}} || {{Yes}} || {{Y|Fingerprint reader: Untested}} || <br />
|-<br />
| [[Dell Inspiron 16 Plus (7620)|Inspiron 16 Plus (7620)]] || 2022-08-08 || {{Yes}} || {{Y|Only bottom speakers work}} || {{-}} || {{Yes}} || {{Yes}} || {{Yes}} || {{G|Fingerprint reader: It works if it is used only in one operating system}} || <br />
|}<br />
<br />
== Latitude ==<br />
<br />
{{Laptops table header}}<br />
| Latitude D620 || 2007-05-17 || {{Yes}} || {{Yes}} || {{Yes}} || {{Yes}} || {{-}} || {{Yes}} || {{Y|Untested: Smart card reader}} || <br />
|-<br />
| Latitude D820 || 2007-05-17 || {{Yes}} || {{Yes}} || {{Yes}} ||{{Yes}} || {{Yes}} || {{Yes}} || || <br />
|-<br />
| Latitude D830 || 2007-08-01 || {{Yes}} || {{Yes}} || {{Yes}} || {{Yes}} || {{Yes}} || {{Yes}} || ||<br />
|-<br />
| Latitude 3540 || 2022-06-28 || {{Yes}} || {{Yes}} || {{Yes}} || {{Yes}} || {{Yes}} || {{Yes}} || colspan=2 | Flaky Bluetooth coexistence with WiFi<br />
|-<br />
| Latitude E5400 || 2021-11-11 || {{Yes}} || {{Yes}} || {{Yes}} || {{Yes}} || {{Y|Untested}} || {{Yes}} || Bluetooth LED does not glow. || <br />
|-<br />
| Latitude 5290 2-in-1 || 2022-05 || {{Yes}} || {{Yes}} || {{-}} || {{Yes}} || {{Yes}} || {{Y|Power off: OK}} || {{Y|Untested:<br/>Webcam<br/>Fingerprint sensor}} || <br />
|-<br />
| Latitude 5490 || 2022-02 || {{Yes}} || {{G|Yes<sup>*</sup>}} || {{Yes}} || {{Yes}} || {{Yes}} || {{G|Hibernate: Untested<sup>**</sup>}} || Random Screen flicker with ''i915 [drm] *ERROR* CPU pipe A FIFO underrun'' in kernel logs. Solved with {{ic|1=intel_idle.max_cstate=4}} || <sup>*</sup>[[Laptop#Audio_mute_LED|audio mute LED]] use {{ic|1=model=mute-led-gpio}}<br/><sup>**</sup>[https://bbs.archlinux.org/viewtopic.php?pid=1902231#p1902231 Kernel panic on suspend] solved with {{ic|1=acpi_enforce_resources=lax i915.enable_dc=0}}<br />
|-<br />
| Latitude E5500 || 2016-03-01 || {{Yes}} || {{Yes}} || {{Y|Untested}} || {{Yes}} || {{Y|Untested}} || {{Yes}} || || <br />
|-<br />
| [[Dell Latitude E5430|Latitude E5430]] || 2016-02-01 || {{Yes}} || {{Yes}} || {{Yes}} || {{Yes}} || {{Yes}} || {{Yes}} || || <br />
|-<br />
| Latitude E5540 || 2016-02-01 || {{Yes}} || {{Yes}} || {{Yes}} || {{Yes}} || {{Y|Untested}} || {{Y|Untested}} || || <br />
|-<br />
| Latitude E5570 || 2017-02-01 || {{Yes}} || {{Yes}} || {{Yes}} || {{Yes}} || {{Y|Untested}} || {{Y|Untested}} || || BIOS may report incorrect RAM size, OK on UEFI.<br />
|-<br />
| [[Dell Latitude E5580|Latitude E5580]] || 2018-07-01 || {{Yes}} || {{Yes}} || {{Yes}} || {{Yes}} || {{Yes}} || {{Yes}} || || <br />
|-<br />
| Latitude E5401 || 2019-10 || {{Yes}} || {{Yes}} || {{Yes}} || {{Yes}} || {{Yes}} || {{G|Hibernate: Untested}} || {{Y|Untested:<br/>Webcam<br/>Thunderbolt}} || Poor thermal design (i7-9850H CPU @ 2.60GHz)<br />
|-<br />
| Latitude E6230 || 2018-12 || {{Yes}} || {{Yes}} || {{Yes}} || {{Yes}} || {{-}} || {{G|Hibernate: Untested}} || RFID reader requires [https://blog.g3rt.nl/enable-dell-nfc-contactless-reader.html enabling RFID radio]<br/>Touchpad (alps a10) shaky || <br />
|-<br />
| Latitude E6410 || 2018-06-01 || {{Yes}} || {{Yes}} || {{Yes}} || {{Yes}} || {{No}} || {{Y|Partial<sup>*</sup>}} || Fingerprint Sensor not functioning, no drivers seem to exist || <sup>*</sup>Suspension on closing the lid not working right<br />
|-<br />
| Latitude E6410 (BIOS A16)|| 2018-08-01 || {{Yes}} || {{Yes}} || {{Yes}} || {{Yes}} || {{Y|Untested}} || {{Y|Untested}} || SD card reader is unreliable. For advanced touchpad functionality see [[Touchpad Synaptics]] || [[EFISTUB]] bootmanager does not work for me, [[GRUB]] works. <br />
|-<br />
| Latitude E6420 || 2011-08-19 || {{Yes}} || {{Yes}} || {{Yes}} || {{Yes}} || {{Y|Untested}} || {{Yes}} || || <br />
|-<br />
| Latitude E6430 || 2018-12 || {{Yes}} || {{Yes}} || {{Yes}} || {{Yes}} || {{Y|Untested}} || {{G|Hibernate: Untested}} || colspan=2 | Touchpad shaky, use {{Pkg|pcsc-tools}} for smartcards and [https://blog.g3rt.nl/enable-dell-nfc-contactless-reader.html enable] NFC/RFID if needed.<br />
|-<br />
| Latitude E6530 || 2014-10-01 || {{G|Yes<sup>*</sup>}} || {{Yes}} || {{Yes}} || {{Yes}} || {{Yes}} || {{Yes}} || || <sup>*</sup>If Optimus is enabled, output is VGA only, otherwise HDMI works when NVIDIA GPU is disabled in BIOS.<br />
|-<br />
| [[Dell Latitude E7270|Latitude E7270]] || 2017-01-01 || {{Yes}} || {{Yes}} || {{Yes}} || {{Yes}} || {{Y|Untested}} || {{G|Yes<sup>*</sup>}} || || <sup>*</sup>After UEFI update<br/>High suspend usage with power share port active<br />
|-<br />
| [[Dell Latitude 7370|Latitude 7370]] || 2019-05-11 || {{Yes}} || {{Y|Untested}} || {{-}} || {{Y|Untested}} || {{Y|Untested}} || {{Y|Untested}} || ||<br />
|-<br />
| Latitude 7390 (2-in-1) || 2019-02-01 || {{Yes}} || {{Yes}} || {{Yes}} || {{Yes}} || {{Yes}} || {{Yes}} || || <br />
|-<br />
| [[Dell Latitude E7440|Latitude E7440]] || 2019-05-11 || {{Yes}} || {{Yes}} || {{Yes}} || {{Yes}} || {{Yes}} || {{Yes}} || ||<br />
|-<br />
| [https://www.dell.com/us/business/p/latitude-e7450-ultrabook/pd?oc=cal147w7pf2 Latitude E7450] || 2016-03-01 || {{Yes}} || {{Yes}} || {{Yes}} || {{Yes}} || {{Y|Untested}} || {{Y|Partial<sup>*</sup>}} || Modem: No<br/>Synaptics touchpad + stick. || <sup>*</sup>Hibernate does not work<br />
|-<br />
| [[Dell Latitude E7470|Latitude E7470]] || 2017-01-01 || {{Yes}} || {{Yes}} || {{Yes}} || {{Yes}} || {{Yes}} || {{G|Hibernate: Untested}} || || Buggy [[UEFI]]: impossible to pass kernel parameters via [[efibootmgr]], shell bcfg or the built-in GUI.<br />
|-<br />
| [[Dell Latitude 3500|Latitude 3500]] || 2020-10-28 || {{Yes}} || {{Yes}} || {{Yes}} || {{Yes}} || {{Yes}} || {{Yes}} || Fingerprint reader works with proprietary driver. || See linked article for more details<br />
|-<br />
| Latitude 5580 || 2017-11-06 (±) || {{Yes}} || {{Yes}} || {{Yes}} || {{Yes}} || {{Yes}} || {{G|Yes<sup>*</sup>}} || || <sup>*</sup>Needs BIOS update (with [[fwupd]]) to avoid occasional black screen when resuming<br />
|-<br />
| Latitude 7420 || 2020-10 || {{Yes}} || {{Yes}} || {{-}} || {{Yes}} || {{Yes}} || {{G|Yes<sup>*</sup>}} || || <sup>*</sup>See: https://github.com/intel/thermal_daemon/issues/341 <br />
|-<br />
| [[Dell Latitude 7480|Latitude 7480]] || 2019-11-07 || {{Yes}} || {{Yes}} || {{Yes}} || {{Yes}} || {{Yes}} || {{Y|Untested}} || {{R|No: IR Webcam<br/>Fingerprint reader}} ||<br />
|-<br />
| [[Dell Latitude 7490|Latitude 7490]] || 2019-05-11 || {{Yes}} || {{Yes}} || {{Yes}} || {{Yes}} || {{Yes}} || {{Yes}} || ||<br />
|-<br />
| Latitude 5511 || 2020-10 || {{Yes}} || {{Yes}} || {{Y|Untested}} || {{Yes}} || {{Y|Untested}} || {{Y|Untested}} || colspan=2 | Fix freezes with {{ic|1=nvme_core.default_ps_max_latency_us=0}}<br />
|-<br />
| [[Dell Latitude 3420|Latitude 3420]] || 2022-02-04 || {{Yes}} || {{G|[[Advanced Linux Sound Architecture#ALSA firmware|Yes*]]}} || {{Yes}}|| {{Yes}} || {{Y|Untested}} || {{Y|Untested}} || || <br />
|}<br />
<br />
== Precision ==<br />
<br />
{{Laptops table header}}<br />
| Precision M4800 || 2014-04-01 || {{G|Yes<sup>*</sup>}} || {{Y|Untested}} || {{Yes}} || {{Yes}} || {{Y|Untested}} || {{Y|Untested}} || colspan=2 | <sup>*</sup>{{ic|nomodeset}} is ''required'' to boot.<br />
|-<br />
| Precision M6700 || 2017-01-01 || {{Yes}} || {{G|HDMI audio: Untested}} || {{Yes}} || {{Yes}} || {{Y|Untested}} || {{Yes}} || colspan=2 | Occasional GPU freezes with "GPU has fallen off the bus" errors since kernel 4.14.15-1 and NVIDIA 387.34<br />
|-<br />
| Precision 7710 || 2017-11-01 || {{Yes}} || {{G|HDMI audio: Untested}} || {{Yes}} || {{Yes}} || {{Y|Untested}} || {{Yes}} || colspan=2 | Suspend works without hard drive password.<br/>{{ic|xcalib -a -i}} is very slow.<br/>kernel≥5.12.9 or nvidia≥465.24.02-5 causes no display to be seen after X launches. DFP-2 shows as disconnected.<br />
|-<br />
| Precision 7760 || 2022-16-06 || {{Yes}} || {{G|HDMI audio: Untested}} || {{Yes}} || {{Yes}} || {{Y|Untested}} || {{Yes}} || colspan=2 | Backlight control with Fn-keys does not change brightness, use xrandr. Hybrid GPU mode does not work (BIOS says unsupported on Linux) - system boots, but the virtual console where X is launched freezes - logs show all displays disconnected <br />
|-<br />
| Precision 5510 || 2020-04-01 || {{Yes}} || {{Yes}} || {{Yes}} || {{Yes}} || {{Yes}} || {{G|Hibernation: Untested}} || colspan=2 | Essentially the same device as the [[Dell XPS 15 (9550)]]<br />
|-<br />
| Precision 3530 || 2020-07-01 || {{Yes}} || {{Yes}} || {{Yes}} || {{Yes}} || {{Yes}} || {{G|Hibernation: Untested}} || colspan=2 | You need to disable early microcode loading. Upgrade Thunderbolt controller to latest firmware from Windows and optionally disable Thunderbolt security within the BIOS (e.g. for TB16 docking station).<br />
|-<br />
| Precision 5520 || 2018-02-01 || {{Yes}} || {{Yes}} || {{Yes}} || {{Yes}} || {{Yes}} || {{G|Hibernation: Untested}} || || <br />
|-<br />
| Precision 5530 || 2018-06-01 || {{Yes}} || {{Yes}} || {{Yes}} || {{Yes}} || {{G|Yes<sup>*</sup>}} || {{G|Hibernation: Untested}} || colspan=2 | <sup>*</sup>Needs occasional driver reloads with {{ic|modprobe btusb}}. Need to change sleep state as per [[Dell XPS 15 (9570)]]. <br />
|-<br />
| [[Dell Precision 5570|Precision 5570]] || 2022-05-01 || {{Yes}} || {{Yes}} || {{Yes}} || {{Yes}} || {{Yes}} || {{Yes}} || || <br />
|}<br />
<br />
== Studio ==<br />
<br />
{{Laptops table header}}<br />
| Studio 1749 || 2013-01-04 || {{Yes}} || {{G|Yes<sup>*</sup>}} || {{Yes}} || {{Yes}} || {{-}} || {{G|Hibernate: Untested}} || || <sup>*</sup>Add {{ic|1=options snd-hda-intel index=0 model=dell-m6-dmic}} to {{ic|/etc/modprobe.d/alsa-base.conf}}<br />
|-<br />
| Studio XPS M1640 || 2009-08 || {{Yes}} || {{Yes}} || {{Yes}} || {{Yes}} || {{Yes}} || {{Yes}} || || <br />
|}<br />
<br />
== Vostro ==<br />
<br />
{{Laptops table header}}<br />
| Vostro 1710 || 2018-11-26 || {{Y|Untested}} || {{Y|Untested}} || {{Yes}} || {{Yes}} || {{Y|Untested}} || {{Y|Untested}} || || <br />
|-<br />
| Vostro 5481 || 2019-11-01 || {{Yes}} || {{Yes}} || {{Yes}} || {{Yes}} || {{Yes}} || {{Yes}} || || <br />
|-<br />
| Vostro 3583 || 2019-12-21 || {{Yes}} || {{Yes}} || {{Yes}} || {{Yes}} || {{Yes}} || {{Yes}} || || Reload {{ic|ath10k_pci}} after resuming from sleep if WiFi stops working<br />
|-<br />
| Vostro 3560 || 2020-02-01 || {{Yes}} || {{Yes}} || {{Yes}} || {{Yes}} || {{Yes}} || {{Yes}} || || <br />
|-<br />
| Vostro 5590 || 2021-01-23 || {{Yes}} || {{G|[[Advanced Linux Sound Architecture#ALSA firmware|Yes*]]}} || {{Yes}} || {{Yes}} || {{Yes}} || {{Y|Untested}}|| ||<br />
|-<br />
| Vostro 7500 || 2020-10-16 || {{Yes}} || {{G|[[Advanced Linux Sound Architecture#ALSA firmware|Yes*]]}} || {{-}} || {{Yes}} || {{-}} || {{Y|Untested}} || {{R|No: Fingerprint scanner}} || UEFI does not pass kernel parameters on boot<br />
|}<br />
<br />
== XPS ==<br />
<br />
{{Laptops table header}}<br />
| XPS L322 || 2013-03 || {{Yes}} || {{Yes}} || {{-}} || {{Yes}} || {{Y|Untested}} || {{Yes}} || colspan=2 | ALPS touchpad is recognized only as a PS/2 mouse; two-finger scroll, finger tap-to-click, etc. do not work.<br />
|-<br />
| [[Dell XPS M1330|XPS M1330]] || 2021-01 || {{Yes}} || {{Yes}} || {{Yes}} || {{Yes}} || {{Yes}} || {{G|Yes<sup>*</sup>}} || || <sup>*</sup>''acpi_cpufreq'' see: [https://bbs.archlinux.org/viewtopic.php?id=44500 forums]<br />
|-<br />
| [[Dell XPS 13 (9333)|XPS 13 (9333)]] || 2016-16-16 || {{Y|Untested}} || {{Y|Untested}} || {{-}} || {{Y|Untested}} || {{Y|Untested}} || {{Y|Untested}} || || <br />
|-<br />
| [[Dell XPS 13 (9310)|XPS 13 (9310)]] || 2016-16-16 || {{Yes}} || {{Yes}} || {{-}} || {{Yes}} || {{Yes}} || {{Yes}} || || <br />
|-<br />
| [[Dell XPS 13 (9343)|XPS 13 (9343)]] || 2016-16-16 || {{Yes}} || {{Yes}} || {{-}} || {{Yes}} || {{Yes}} || {{Yes}} || || <br />
|-<br />
| [[Dell XPS 13 (9350)|XPS 13 (9350)]] || 2016-11-16 || {{Yes}} || {{Yes}} || {{-}} || {{Yes}} || {{Yes}} || {{Yes}} || || Apply firmware updates<br />
|-<br />
| [[Dell XPS 13 (9360)|XPS 13 (9360)]] || 2016-11-16 || {{Yes}} || {{Yes}} || {{-}} || {{Yes}} || {{Yes}} || {{Yes}} || || <br />
|-<br />
| [[Dell XPS 13 (9370)|XPS 13 (9370)]] || 2018-05-29 || {{Yes}} || {{Yes}} || {{-}} || {{Yes}} || {{Yes}} || {{Yes}} || || <br />
|-<br />
| [[Dell XPS 13 (9380)|XPS 13 (9380)]] || 2019 || {{Yes}} || {{Yes}} || {{-}} || {{Yes}} || {{Yes}} || {{Yes}} || || <br />
|-<br />
| [[Dell XPS 13 2-in-1 (9365)|XPS 13 2-in-1 (9365)]] || 2017-10-22 || {{Yes}} || {{Yes}} || {{-}} || {{Yes}} || {{Yes}} || {{Yes}} || || <br />
|-<br />
| [[Dell XPS 13 (7390)|XPS 13 (7390)]] || 2019-12-21 || {{Yes}} || {{Yes}} || {{-}} || {{Yes}} || {{Yes}} || {{Yes}} || {{Y|Untested: Fingerprint sensor}} || <br />
|-<br />
| [[Dell XPS 13 2-in-1 (7390)|XPS 13 2-in-1 (7390)]] || 2019-09-01 || {{Yes}} || {{Yes}} || {{-}} || {{Yes}} || {{Yes}} || {{Yes}} || {{R|No: Camera, Fingerprint Sensor}} || System freezes on boot. See device page for fix.<br />
|-<br />
| [[Dell XPS 15|XPS 15]] || 2016-11-17 || {{Yes}} || {{Yes}} || {{-}} || {{Yes}} || {{Yes}} || {{Yes}} || || <br />
|-<br />
| [[Dell XPS 17 (9700)|XPS 17 (9700)]] || 2020-09-18 || {{Yes}} || {{Yes}} || {{-}} || {{Yes}} || {{Yes}} || {{Yes}} || || <br />
|}<br />
<br />
== G3 ==<br />
<br />
{{Laptops table header}}<br />
| G3 15 3590 || 2020-19-10 || {{Yes}} || {{G|[[Advanced Linux Sound Architecture#ALSA firmware|Yes*]]}} || {{Yes}} || {{Yes}} || {{Yes}} || {{Yes}} || [[CUDA]] is not working with Linux 5.9 || Works well with {{AUR|optimus-manager-git}}, follow their [https://github.com/Askannz/optimus-manager/wiki/A-guide--to-power-management-options#configuration-1--built-in-power-management-inside-the-nvidia-driver page on power management]. <br />
|}<br />
<br />
== G5 ==<br />
<br />
{{Laptops table header}}<br />
| [[Dell G5 5590-9340|G5 5590-9340]] || 2020-08-20 || {{Yes}} || {{Yes}} || {{Yes}} || {{Yes}} || {{Yes}} || {{Yes}} || {{R|No: Fingerprint reader<sup>*</sup>}} || <sup>*</sup>drivers might be extracted from Ubuntu image of this laptop<br />
|}<br />
<br />
== G7 ==<br />
<br />
{{Laptops table header}}<br />
| G7 7700 || 2022-05-17 || {{Yes}} || {{Yes}} || {{Yes}} || {{Yes}} || {{Yes}} || {{G|Hibernate: Untested}} || {{R|No: Fingerprint reader}} || No fine backlight control, no RGB control<br />
|}<br />
<br />
== G15 ==<br />
<br />
{{Laptops table header}}<br />
| G15 5515 AMD EDITION || 2022-02-12 || {{Yes}} || {{Yes}} || {{Y|Untested}} || {{Yes}} || {{Y|Untested}} || {{Yes}} || || Touchpad disables randomly on boot, create {{hc|/etc/modprobe.d/i2c-touchpad.conf|softdep i2c_hid pre: pinctrl_amd}}<br />
|-<br />
| G15 5511 || 2022-04-11 || {{Yes}} || {{G|Yes<sup>*</sup>}} || {{Yes}} || {{Yes}} || {{Y|Untested}} || {{Y|Untested}} || || <sup>*</sup>[https://askubuntu.com/questions/1220493/18-04-audio-realtek-alc3254-fails-on-new-dell-g3-15-3590?newreg=60fffc5843d74914a8d8de74e33c7114 needs kernel parameter]: {{ic|1=snd_hda_intel.dmic_detect=0}}</div>Kynikos