Talk:Bubblewrap

From ArchWiki

Todo

  • Expand upon Bash example as a means to verify the contents of the sandbox filesystem.
  • Explain why bubblewrap does not automatically create user namespaces when running with setuid privileges: bubblewrap drops all capabilities within a sandbox such that child tasks cannot gain greater privileges than their parent. The creation of a user namespace adds the CAP_SYS_ADMIN capability to sandboxed processes. The risk of providing CAP_SYS_ADMIN must be weighed against the benefit of isolating user-specific information (e.g. UID/GID) within a user namespace.

-- Adamlau (talk) 07:56, 17 January 2017 (UTC)

User namespaces only add CAP_SYS_ADMIN inside the namespace, and bubblewrap drops all caps again before executing the sandboxed process. Since namespaces are designed to be used by unprivileged users by utilising user namespaces, this will actually be much safer than using it without user namespaces. Best case would be to use bwrap on a kernel with unprivileged user namespaces available, to allow its use without suid. The actual reason bwrap does not use user namespaces by default when running with suid is that there are some rare use cases that only work outside a user namespace. Those use cases already do not work when bwrap is not installed with suid. Valoq (talk) 10:14, 21 January 2017 (UTC)
  • Introduce seccomp filter generation through libseccomp and include example --seccomp usage.

-- Adamlau (talk) 07:56, 17 January 2017 (UTC)

  • Further differentiate examples? Is the goal min examples with max diff? Or simply max examples regardless of duplicated options/values?

-- Adamlau (talk) 06:24, 20 January 2017 (UTC)

  • Introduce basic seccomp-bpf filters to restrict specific syscalls. Adamlau (talk) 18:45, 10 July 2020 (UTC)
  • Look into xdg-dbus-proxy as a currently maintained solution under Opening URLs from wrapped applications Adamlau (talk) 19:04, 10 July 2020 (UTC)

Suggestion

Would someone be willing to write a new section to describe how to launch Wine applications under bwrap? It seems like a more common use case than, say, skype-for-linux, and not giving many permissions to a Windows binary on your system is very attractive. --Icar (talk) 08:58, 7 July 2021 (UTC)

Restructure page

This whole page is a total mess with all these examples. Would it be alright to restructure this all and link to example scripts rather than have them directly on this page? I don't mind working on it but I would rather hear any objections before I put effort into it. Hellgirl323 (talk) 18:54, 2 December 2022 (UTC)

Where are the scripts that you would link to? You can provide the links in the talk page to give us an idea on the new structure. See also ArchWiki:Contributing#Announce article rewrites in a talk page. — Lahwaacz (talk) 12:00, 3 December 2022 (UTC)
Sorry, I went ahead with this without consulting here further. What does it take to get the restructure accepted? Is there anything in particular that was wrong with the restructure? Also, how do I propose a restructure without actually editing the page? Fluffyrabbit (talk) 12:24, 3 December 2022 (UTC)
You can make a Draft section below to propose a new structure for this page. It should be discussed before implementing it in the main namespace. — Lahwaacz (talk) 12:28, 3 December 2022 (UTC)
Please see the proposal below:
The current chapter 2 would be moved to Bubblewrap_Examples
Reasoning: This page should give an overview of what bubblewrap is and how it works, but the current structure is extremely confusing with a large collection of examples that show no consistency and rather specific use cases. To fix this, the proposal below would simply move the script collection to a different page and link to it, as well as to additional example scripts that are actually maintained. Fluffyrabbit (talk) 12:43, 3 December 2022 (UTC)
I've just renamed the page without leaving a redirect (since no pages other than this one were using it yet) and updated the draft accordingly.
I think having the content in Bubblewrap/Examples with Bubblewrap examples redirecting to it would be a cleaner solution, since this is already what is used for other pages (e.g. PulseAudio/Troubleshooting).
--Erus Iluvatar (talk) 14:25, 3 December 2022 (UTC)
So there are two parts: moving the current examples to a separate page and adding a link to external examples.
How do you define an "example" that needs to be separate? For example, Bubblewrap#No-op and Bubblewrap#Bash explain basic usage and are not themselves useful to run an application, so I would keep them on the main page.
Are there more projects that provide examples for bubblewrap? Does upstream have any examples? It would be useful to adjust the wording to encourage adding more links, e.g. use a list instead of just one link to "this".
Lahwaacz (talk) 09:05, 4 December 2022 (UTC)
Updated the proposal accordingly and added more external examples. There are a few more on GitHub but they do not look maintained. Simple examples from upstream are already linked in chapter 1. The Bash examples are also on the main page now. Fluffyrabbit (talk) 10:47, 4 December 2022 (UTC)
Is there anything that still needs to be addressed or is it ok to implement the proposal now? Fluffyrabbit (talk) 13:00, 4 December 2022 (UTC)
It looks good, thanks. — Lahwaacz (talk) 21:37, 5 December 2022 (UTC)

Draft proposal - Chapter 2: Usage examples

Please see Bubblewrap examples for examples on how bubblewrap can be used. Alternatively, there are various projects that demonstrate how bubblewrap can be used for common applications:

No-op

A no-op bubblewrap invocation is as follows:

$ bwrap --dev-bind / / bash

This will spawn a Bash process which should behave exactly as outside a sandbox in most cases. If a sandboxed program misbehaves, you may want to start from the above no-op invocation, and work your way towards a more secure configuration step-by-step.

Note: Inside the sandbox, every file whose owner or group is not the current user shows up as owned by nobody, because only the current UID/GID is mapped into the sandbox's user namespace when bwrap runs without setuid. Consequently, programs that rely on real file ownership or on setuid, such as sudo, will not work properly.

Bash

Create a simple Bash sandbox:

  • Determine available kernel namespaces
$ ls /proc/self/ns
cgroup  ipc  mnt  net  pid  user  uts
Note: The presence of user indicates that the kernel was built with CONFIG_USER_NS=y and exposes user namespaces (newer kernels list further entries such as pid_for_children and time). It does not by itself mean that unprivileged processes may create one; that depends on distribution kernel settings such as kernel.unprivileged_userns_clone on kernels that carry that patch, and bwrap installed without setuid requires it.
  • Bind as read-only the entire host / directory to / in the sandbox
  • Create a new user namespace and set the user ID to 256 and the group ID to 512
$ bwrap --ro-bind / / --unshare-user --uid 256 --gid 512 bash
bash-4.4$ id
uid=256 gid=512 groups=512,65534(nobody)
bash-4.4$ ls -l /usr/bin/bash
-rwxr-xr-x 1 nobody nobody 811752 2017-01-01 04:20 /usr/bin/bash
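The following script is an added example, not code from this page or from the bubblewrap project. It takes the no-op and Bash invocations above one step further: it defines three hardening levels starting from the no-op invocation and then verifies, from inside the tightest one, that the host filesystem is actually hidden, that a read-only bind rejects writes at the mount level, that the uid/gid mapping took effect and that the network namespace is a new one. The level names, the /probe mount point and the environment variable HOST_NET are this script's own choices; it assumes bwrap works without setuid (unprivileged user namespaces enabled) and a merged /usr as on Arch.

```shell
#!/bin/sh
# Added example; not code from the ArchWiki page or from the bubblewrap project.
# Builds a sandbox in three steps starting from the no-op invocation, then
# verifies from inside the tightest one that the host filesystem is hidden,
# that a read-only bind really rejects writes, that uid/gid are remapped and
# that the network namespace is a new one.
# Assumptions: bwrap works without setuid (unprivileged user namespaces are
# enabled) and the host has a merged /usr (/bin and /lib are symlinks into it).
# The level names, /probe and HOST_NET are this script's own choices.

# Print the bwrap options for a named hardening level, one per line, so that
# two levels can be compared with diff.
sandbox_args() {
    case "$1" in
        noop)     # same view as the host: the starting point when a program misbehaves
            printf '%s\n' --dev-bind / / ;;
        ro)       # whole host tree read-only, own user namespace, fixed uid/gid
            printf '%s\n' --ro-bind / / --unshare-user --uid 256 --gid 512 ;;
        minimal)  # only /usr, private /proc, /dev and /tmp, every namespace unshared
            printf '%s\n' --ro-bind /usr /usr --symlink usr/lib /lib \
                --symlink usr/lib64 /lib64 --symlink usr/bin /bin \
                --proc /proc --dev /dev --tmpfs /tmp \
                --unshare-all --die-with-parent --uid 256 --gid 512 ;;
        *)  echo "sandbox_args: unknown level '$1'" >&2; return 1 ;;
    esac
}

# Run a series of checks *inside* the "minimal" sandbox and print one line
# per check. A fresh world-writable host directory is bound read-only at
# /probe, so a failed write there is rejected by the mount (EROFS) and not
# merely by file permissions. Returns the number of failed checks.
verify_sandbox() {
    probe=$(mktemp -d) || return 1
    chmod 777 "$probe"
    echo host-data > "$probe/marker"
    host_net=$(readlink /proc/self/ns/net)
    # word splitting is intended here: no option value contains spaces
    set -- $(sandbox_args minimal)
    bwrap "$@" --ro-bind "$probe" /probe --setenv HOST_NET "$host_net" sh -c '
        fail=0
        check() {
            if "$@" >/dev/null 2>&1; then echo "ok   $*"; else echo "FAIL $*"; fail=$((fail + 1)); fi
        }
        check test ! -e /home                                      # host home directories are gone
        check test ! -e /etc/passwd                                # nothing outside /usr was bound
        check test "$(id -u)" = 256                                # uid/gid mapping took effect
        check test "$(id -g)" = 512
        check test "$(cat /probe/marker)" = host-data              # the read-only bind is readable...
        check sh -c "! touch /probe/x"                             # ...but rejects writes
        check sh -c "touch /tmp/x"                                 # the private tmpfs is writable
        check test "$(readlink /proc/self/ns/net)" != "$HOST_NET"  # new network namespace
        exit "$fail"
    '
    rc=$?
    rm -rf "$probe"
    return "$rc"
}

# `sh verify-sandbox.sh run` prints the report and exits with the number of
# failed checks; sourcing the file only defines the functions.
if [ "${1:-}" = run ]; then
    verify_sandbox
    exit $?
fi
```

Every line of the report should read ok; a FAIL on the /probe write means the bind was not read-only, a FAIL on the namespace line means --unshare-all did not take effect. Comparing two levels is a matter of diffing their option lists, e.g. in bash `diff <(sandbox_args ro) <(sandbox_args minimal)`, which is a convenient way to document each step taken away from the no-op invocation.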