Talk:Bubblewrap/Examples

From ArchWiki

Sandbox escapes through X11 and DBus

Several of the examples forward the X11 or DBus sockets without any kind of filtering. I believe this allows for sandbox escapes (see e.g. https://github.com/netblue30/firejail/issues/796, https://theinvisiblethings.blogspot.com/2011/04/linux-security-circus-on-gui-isolation.html).

At a minimum, those weaknesses should be mentioned (EDIT: The X11 weakness is already mentioned in the main Bubblewrap article, but not the DBus one). Ideally, safe configurations should be provided (for X11: either avoiding X11 forwarding altogether or using Xephyr/Xpra; for DBus: using xdg-dbus-proxy).

—This unsigned comment is by Joanbrugueram (talk) 02:30, 22 January 2023. Please sign your posts with ~~~~!
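
One way to check a bwrap invocation for the pattern raised in the comment above, as an added example that is not part of the original comment or of the wiki's examples: a shell function that scans a bwrap argument list and reports bind options whose source is the X11 socket directory or a D-Bus socket. The socket paths are the conventional locations, and the proxy socket path and sample command lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: report bwrap bind options that hand a raw X11 or D-Bus
# socket to the sandbox. Socket locations below are the conventional ones.

# audit_bwrap_args ARG...
# Prints one finding per line; exit status is 0 only when nothing was found.
# The body is a subshell so its variables do not leak into the caller.
audit_bwrap_args() (
    findings=0
    while [ "$#" -gt 0 ]; do
        case "$1" in
            --bind|--bind-try|--ro-bind|--ro-bind-try|--dev-bind|--dev-bind-try)
                # Bind options take SRC DEST; stop on a truncated list.
                [ "$#" -ge 3 ] || break
                case "$2" in
                    /tmp/.X11-unix|/tmp/.X11-unix/*)
                        echo "X11: $1 $2 gives the sandbox the X server socket"
                        findings=$((findings + 1)) ;;
                    /run/user/*/bus|/run/dbus/system_bus_socket)
                        echo "DBUS: $1 $2 gives the sandbox an unfiltered bus socket"
                        findings=$((findings + 1)) ;;
                esac
                shift 3 ;;
            --)
                break ;;  # what follows is the sandboxed command, not bwrap options
            *)
                shift ;;
        esac
    done
    [ "$findings" -eq 0 ]
)

# Constructed sample: direct forwarding of both sockets.
audit_bwrap_args --ro-bind /usr /usr \
    --ro-bind /tmp/.X11-unix/X0 /tmp/.X11-unix/X0 \
    --bind /run/user/1000/bus /run/user/1000/bus \
    -- firefox || echo "=> direct socket forwarding found"

# Constructed sample: the bus socket is replaced by a proxy socket
# (path is hypothetical), so the D-Bus rule does not fire.
audit_bwrap_args --ro-bind /usr /usr \
    --bind /run/user/1000/.dbus-proxy/session-bus /run/user/1000/bus \
    -- firefox && echo "=> no direct socket forwarding"
```

The scan is token-based and stops at `--`; it only looks at bind sources, so it does not verify that a proxy placed in front of the bus is actually filtering.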