Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Some review based on reading the bubblejail script #2

Open
rusty-snake opened this issue Feb 12, 2023 · 3 comments
Open

Some review based on reading the bubblejail script #2

rusty-snake opened this issue Feb 12, 2023 · 3 comments

Comments

@rusty-snake
Copy link

bubblejail/bubblejail

Line 189 in 82869d3

_need_path_rw+=" $XDG_RUNTIME_DIR/${WAYLAND_DISPLAY:-wayland-0}"

In theory WAYLAND_DISPLAY can contain an absolute path, though it's very uncommon.

Pulseaudio requires /etc/machine-id.

bubblejail/bubblejail

Line 268 in 82869d3

--as-pid-1 \

This can cause trouble with some programs and I see no good reason why it should be the default. Is there any reason why you added it as default.

There is no way to share a device (say /dev/video0). Exposing bwrap's --dev-bind[-try] would be helpful.

bubblejail/bubblejail

Lines 262 to 264 in 82869d3

--tmpfs /run \
--tmpfs /tmp \
--tmpfs /var \

Those flags can be replaced by --dir because / is already an tmpfs.

--new-session is important unless you have an replacement in form of an seccomp filter.

seccomp is important! even if it is complicated.
Piraty added a commit that referenced this issue Feb 17, 2023
@Piraty
use bwrap --new-session to prevent tty hijacking
ed062f6 
`man bwrap`
> Create a new terminal session for the sandbox (calls setsid()).

https://www.openwall.com/lists/oss-security/2017/06/03/9
ncopa/su-exec#23
tianon/gosu#37
https://ruderich.org/simon/notes/su-sudo-from-root-tty-hijacking

Relates-to: #2
@Piraty
Copy link
Owner

Piraty commented Feb 17, 2023

thank you for your feedback.

wayland

you are right, as per https://gitlab.freedesktop.org/wayland/wayland/-/blob/a782152de0f0/src/wayland-client.c#L1217

Pulseaudio requires /etc/machine-id

i'm pretty sure it works as is, see teams wrapper or try bubblejail mpv ...

--as-pid-1

i didn't run into trouble yet and remember quite the opposite. but my memory is vague here...

share a device

you can do this today by appending the bwrap args right after bubblejail args

bubblejail --wayland --dev-bind-try /dev/urandom /rustyrandom file /rustyrandom

new-session

you are right, thanks. see ed062f6

seccomp

i'll glady accept patches ;-)

@rusty-snake
Copy link
Author

Pulseaudio requires /etc/machine-id

Maybe PA behaves differently in Void Linux or PA changed in newer versions. At least older versions of pulseaudio (!= piprewire-pulse) in Debian/Ubuntu/Fedora/Arch/... required it.

seccomp

Dumping some links of other implementations FTR

@rusty-snake
Copy link
Author

--as-pid-1

Good summary: https://vagga.readthedocs.io/en/latest/pid1mode.html

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@Piraty @rusty-snake