For information about user_namespaces(7) support in Arch Linux kernels see Security#Sandboxing applications. linux-hardened users may need to install bubblewrap-suid instead of the packages mentioned above. See FS#63316 for more information.

Bubblewrap can be called directly from the command-line and/or within shell scripts as part of a complex wrapper. Unlike applications such as Firejail which automatically set /var and /etc to read-only within the sandbox, Bubblewrap makes no such operating assumptions. It is up to the user to determine which configuration options to pass in accordance with the application being sandboxed. Bubblewrap does not automatically create user namespaces when running with setuid privileges and can accommodate typical environment variables including $HOME and $USER.

It is highly recommended that you download strace to see what files the program you are trying to sandbox needs access to.

Instead of manually setting up the arguments, a configuration manager can be used that configures bubblewrap automatically from a simpler configuration.

Bubblejail - Bubblewrap-based sandbox with resource-based permission model (provides GUI to tweak permissions).

Usage examples

Please see /Examples for examples on how bubblewrap can be used.

Alternatively, there are various projects that demonstrate how bubblewrap can be used for common applications:

A no-op bubblewrap invocation is as follows:

This will spawn a Bash process which should behave exactly as outside a sandbox in most cases.
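The strace recommendation above can be turned into a starting set of bind mounts. The following is an added example, not part of the original page or of bubblewrap itself: the function names and the sample log are constructed for illustration, and it assumes a log captured in the `strace -f -o` format.

```shell
#!/bin/sh
# Added example: derive read-only bwrap binds from an strace log.
# Capture a log with:
#   strace -f -e trace=open,openat,execve -o trace.log PROGRAM

# Constructed sample log (not real output), in the "strace -f -o" format.
sample_trace() {
cat <<'EOF'
4242 execve("/usr/bin/ls", ["ls", "/etc"], 0x7ffc0a1b2c30 /* 20 vars */) = 0
4242 openat(AT_FDCWD, "/etc/ld.so.cache", O_RDONLY|O_CLOEXEC) = 3
4242 openat(AT_FDCWD, "/usr/lib/libc.so.6", O_RDONLY|O_CLOEXEC) = 3
4242 openat(AT_FDCWD, "/usr/lib/libmissing.so", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
4242 openat(AT_FDCWD, "/usr/lib/libc.so.6", O_RDONLY|O_CLOEXEC) = 3
4242 openat(AT_FDCWD, "relative.conf", O_RDONLY) = 4
EOF
}

# Print each absolute path that was opened or executed successfully, once.
# Failed calls (= -1 ...) and relative paths are skipped, so the sandbox
# only receives files the program really used.
paths_from_strace() {
    sed -n -E 's#^(\[pid +[0-9]+\] |[0-9]+ +)?(execve|open|openat)\((AT_FDCWD, )?"(/[^"]*)".*\) = [0-9]+.*$#\4#p' \
        | LC_ALL=C sort -u
}

# Emit a bwrap command line: all namespaces unshared, fresh /proc and /dev,
# and one --ro-bind per observed path. Paths containing a single quote are
# not handled by this simple quoting.
bwrap_command() {
    prog=$1
    printf 'bwrap --unshare-all --die-with-parent --proc /proc --dev /dev'
    paths_from_strace | while IFS= read -r p; do
        printf " --ro-bind '%s' '%s'" "$p" "$p"
    done
    printf ' %s\n' "$prog"
}

# Demonstration on the constructed log.
sample_trace | bwrap_command /usr/bin/ls
```

Review the generated list before using it: a trace only covers the code paths exercised during that run, and anything the program must write to needs a separate, deliberately chosen writable bind.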