Home
Packages
Forums
Wiki
GitLab
Security
AUR
Download
コンテンツにスキップ
メインメニュー
メインメニュー
サイドバーに移動
非表示
案内
メインページ
目次
コミュニティに貢献
最近の出来事
おまかせ表示
特別ページ
交流
ヘルプ
貢献
最近の更新
最近の議論
新しいページ
統計
リクエスト
ArchWiki
検索
検索
表示
アカウント作成
ログイン
個人用ツール
アカウント作成
ログイン
Bubblewrap/例のソースを表示
ページ
議論
日本語
閲覧
ソースを閲覧
履歴を表示
ツール
ツール
サイドバーに移動
非表示
操作
閲覧
ソースを閲覧
履歴を表示
全般
リンク元
関連ページの更新状況
ページ情報
表示
サイドバーに移動
非表示
←
Bubblewrap/例
あなたには「このページの編集」を行う権限がありません。理由は以下の通りです:
この操作は、次のグループに属する利用者のみが実行できます:
登録利用者
。
このページのソースの閲覧やコピーができます。
[[Category:サンドボックス]] [[Category:サンドボックス]] [[en:Bubblewrap/Examples]] == dhcpcd == シンプルな [[dhcpcd]] のサンドボックスを作成: * 利用可能なカーネル名前空間を確認: $ ls /proc/self/ns cgroup ipc mnt net pid uts {{Note|{{Ic|user}} が存在しない場合、{{ic|1=CONFIG_USER_NS=n}} でカーネルのユーザー名前空間が無効になっているか使用が制限されています。}} * ホストの {{ic|/}} ディレクトリ全体を読み書き可能でサンドボックスの {{ic|/}} にバインド。 * 新しい devtmpfs ファイルシステムをサンドボックスの {{ic|/dev}} にマウント。 * 新しい [[wikipedia:Inter-process_communication|IPC]] 名前空間と[[Cgroups|コントロールグループ]]名前空間を作成。 * 新しい UTS 名前空間を作成して {{ic|dhcpcd}} をホストネームとして設定。 # /usr/bin/bwrap --bind / / --dev /dev --unshare-ipc --unshare-cgroup --unshare-uts --hostname dhcpcd /usr/bin/dhcpcd -q -b == Unbound == 粒度の細かい複雑な [[Unbound]] のサンドボックスを作成: * システムの {{ic|/usr}} ディレクトリを読み取り専用でサンドボックスの {{ic|/usr}} にバインド。 * システムの {{ic|/usr/lib}} ディレクトリからサンドボックスの {{ic|/lib64}} に対してシンボリックリンクを作成。 * システムの {{ic|/etc}} ディレクトリを読み取り専用でサンドボックスの {{ic|/etc}} にバインド。 * サンドボックスの中に空の {{ic|/var}} と {{ic|/run}} ディレクトリを作成。 * 新しい devtmpfs ファイルシステムをサンドボックスの {{ic|/dev}} にマウント。 * 新しい IPC 名前空間と [[wikipedia:Process_identifier|PID]] 名前空間とコントロールグループ名前空間を作成。 * 新しい UTS 名前空間を作成して {{ic|unbound}} をホストネームとして設定。 # /usr/bin/bwrap --ro-bind /usr /usr --symlink usr/lib /lib64 --ro-bind /etc /etc --dir /var --dir /run --dev /dev --unshare-ipc --unshare-pid --unshare-cgroup --unshare-uts --hostname unbound /usr/bin/unbound -d {{Tip|{{ic|unbound.service}} などの systemd ユニットファイルを bubblewrap する方法は [[systemd#ユニットファイルの編集]] を見てください。}} == Desktop == [[デスクトップエントリ]]で bubblewrap を活用: * ホストの {{ic|/}} ディレクトリ全体を読み書き可能でサンドボックスの {{ic|/}} にバインド。 * サンドボックスの {{ic|/var}} と {{ic|/etc}} ディレクトリを読み取り専用で再バインド * 新しい devtmpfs ファイルシステムをサンドボックスの {{ic|/dev}} にマウント。 * サンドボックスの {{ic|/run}} ディレクトリに tmpfs ファイルシステムを作成。 * 新しいネットワーク名前空間を作成してネットワークアクセスを無効化。 [Desktop Entry] Name=nano Editor Exec=bwrap --bind / / --dev /dev --tmpfs /run --unshare-net st -e nano -o . %f Type=Application MimeType=text/plain; {{Note|{{Ic|/dev/pty}} に書き込むには {{Ic|--dev /dev}} が必要です。}} * {{Ic|mupdf.sh}} シェルラッパーを組み込んだ MuPDF のデスクトップエントリの例: [Desktop Entry] Name=MuPDF Exec=mupdf.sh %f Icon=application-pdf.svg Type=Application MimeType=application/pdf;application/x-pdf; {{Note|{{Ic|mupdf.sh}} は PATH が通った場所に配置してください。例: {{Ic|1=PATH=$PATH:$HOME/bwrap}}}} == MuPDF == {{Accuracy|Forwarding the X11 socket may lead to a sandbox escape}} The power and flexibility of ''bwrap'' is best revealed when used to create an environment within a shell wrapper: * Bind as read-only the host {{ic|/usr/bin}} directory to {{ic|/usr/bin}} in the sandbox * Bind as read-only the host {{ic|/usr/lib}} directory to {{ic|/usr/lib}} in the sandbox * Create a symbolic link from the system {{ic|/usr/lib}} directory to {{ic|/lib64}} in the sandbox * Create a [[tmpfs]] filesystem overlaying {{ic|/usr/lib/gcc}} in the sandbox ** This effectively [[wikipedia:Blacklist_(computing)|blacklists]] the contents of {{ic|/usr/lib/gcc}} from appearing in the sandbox * Create a new tmpfs filesystem as the {{ic|$HOME}} directory in the sandbox * Bind as read-only an {{Ic|.Xauthority}} file and ''Documents'' directory into the sandbox ** This effectively whitelists the {{Ic|.Xauthority}} file and ''Documents'' directory with recursion * Create a new tmpfs filesystem as the {{ic|/tmp}} directory in the sandbox * Whitelist the [[wikipedia:X_Window_System|X11]] socket by binding it into the sandbox as read-only * Clone and create private containers for all namespaces supported by the running kernel ** If the kernel does not support non-privileged user namespaces, skip its creation and continue * Do not place network components into a private namespace ** This allows for network access to follow URI hyperlinks #!/bin/sh #~/bwrap/mupdf.sh (exec bwrap \ --ro-bind /usr/bin /usr/bin \ --ro-bind /usr/lib /usr/lib \ --symlink usr/lib /lib64 \ --tmpfs /usr/lib/gcc \ --tmpfs $HOME \ --ro-bind $HOME/.Xauthority $HOME/.Xauthority \ --ro-bind $HOME/Documents $HOME/Documents \ --tmpfs /tmp \ --ro-bind /tmp/.X11-unix/X0 /tmp/.X11-unix/X0 \ --unshare-all \ --share-net \ /usr/bin/mupdf "$@") {{Tip|Execute a shell wrapper substituting the existing executable with ''/usr/bin/sh'' to debug and verify the contents and filesystem structure of the sandbox.}} $ bwrap \ --ro-bind /usr/bin /usr/bin \ --ro-bind /usr/lib /usr/lib \ --symlink usr/lib /lib64 \ --tmpfs /usr/lib/gcc \ --tmpfs $HOME \ --ro-bind $HOME/.Xauthority $HOME/.Xauthority \ --ro-bind $HOME/Desktop $HOME/Desktop \ --tmpfs /tmp \ --ro-bind /tmp/.X11-unix/X0 /tmp/.X11-unix/X0 \ --unshare-all \ --share-net \ /usr/bin/sh bash-4.4$ ls -AF .Xauthority Documents/ Perhaps the most important rule to consider when building a bubblewrapped filesystem is that ''commands are executed in the order they appear''. From the [https://mupdf.com/ MuPDF] example above: * A tmpfs system is created followed by the bind mounting of an {{Ic|.Xauthority}} file and a ''Documents'' directory: --tmpfs $HOME \ --ro-bind $HOME/.Xauthority $HOME/.Xauthority \ --ro-bind $HOME/Documents $HOME/Documents \ bash-4.4$ ls -a . .. .Xauthority Desktop * A tmpfs filesystem is created after the bind mounting of {{Ic|.Xauthority}} and overlays it so that only the ''Documents'' directory is visible within the sandbox: --ro-bind $HOME/.Xauthority $HOME/.Xauthority \ --tmpfs $HOME \ --ro-bind $HOME/Desktop $HOME/Desktop \ bash-4.4$ ls -a . .. Desktop == p7zip == Applications which have not yet been patched against [https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-9296 known vulnerabilities] constitute prime candidates for bubblewrapping: * Bind as read-only the host {{ic|/usr/bin/7za}} executable path to the sandbox * Create a symbolic link from the system {{ic|/usr/lib}} directory to {{ic|/lib64}} in the sandbox * Blacklist the sandboxed contents of {{ic|/usr/lib/modules}} and {{ic|/usr/lib/systemd}} with tmpfs overlays * Mount a new devtmpfs filesystem to {{ic|/dev}} in the sandbox * Bind as read-write the host {{ic|/sandbox}} directory to the {{ic|/sandbox}} directory in the sandbox ** ''7za'' will only run in the host {{ic|/sandbox}} directory and/or its subdirectories when called from the shell wrapper * Create new cgroup/IPC/network/PID/UTS namespaces for the application and its processes ** If the kernel does not support non-privileged user namespaces, skip its creation and continue ** Creation of a new network namespace prevents the sandbox from obtaining network access * Add a custom or an arbitrary [[hostname]] to the sandbox such as {{ic|p7zip}} * Unset the {{ic|XAUTHORITY}} [[environment variable]] to hide the location of the X11 connection cookie ** ''7za'' does not need to connect to an X11 display server to function properly * Start a new terminal session to prevent keyboard input from escaping the sandbox #!/bin/sh #~/bwrap/pz7ip.sh (exec bwrap \ --ro-bind /usr/bin/7za /usr/bin/7za \ --symlink usr/lib /lib64 \ --tmpfs /usr/lib/modules \ --tmpfs /usr/lib/systemd \ --dev /dev \ --bind /sandbox /sandbox \ --unshare-all \ --hostname p7zip \ --unsetenv XAUTHORITY \ --new-session \ /usr/bin/7za "$@") {{Note|''/usr/bin/sh'' and ''/usr/bin/ls'' must reside in the executable path in order to traverse and verify the sandbox filesystem.}} bwrap \ --ro-bind /usr/bin/7za /usr/bin/7za \ '''--ro-bind /usr/bin/ls /usr/bin/ls \''' '''--ro-bind /usr/bin/sh /usr/bin/sh \''' --symlink usr/lib /lib64 \ --tmpfs /usr/lib/modules \ --tmpfs /usr/lib/systemd \ --dev /dev \ --bind /sandbox /sandbox \ --unshare-all \ --hostname p7zip \ --unsetenv XAUTHORITY \ --new-session \ /usr/bin/sh bash: no job control in this shell bash-4.4$ ls -AF dev/ lib64@ usr/ bash-4.4$ ls -l /usr/lib/modules total 0 bash-4.4$ ls -l /usr/lib/systemd total 0 bash-4.4$ ls -AF /dev console full null ptmx@ pts/ random shm/ stderr@ stdin@ stdout@ tty urandom zero bash-4.4$ ls -A /usr/bin 7za ls sh == Firefox == Network facing applications with large surface attack areas are also ideal candidates to be bubblewrapped: * [[Transmission]] included in the sandbox to launch with magnet and torrent links * Example wrap supports audio ([[PulseAudio]]) and printing ([[CUPS]]/[[Avahi]]) under [[GNOME]] ([[Wayland]]) ** Paths in {{ic|~/.config/transmission/settings.json}} should reflect the {{ic|--setenv HOME}} variable * Full paths are used to allow for keyboard bindings in environments which do not support variable expansion. * [[Firefox#Hardware video acceleration|WebRenderer]] and hardware (accelerated) compositing support included bwrap \ --symlink usr/lib /lib \ --symlink usr/lib64 /lib64 \ --symlink usr/bin /bin \ --symlink usr/bin /sbin \ --ro-bind /usr/lib /usr/lib \ --ro-bind /usr/lib64 /usr/lib64 \ --ro-bind /usr/bin /usr/bin \ --ro-bind /usr/lib/firefox /usr/lib/firefox \ --ro-bind /usr/share/applications /usr/share/applications \ --ro-bind /usr/share/gtk-3.0 /usr/share/gtk-3.0 \ --ro-bind /usr/share/fontconfig /usr/share/fontconfig \ --ro-bind /usr/share/icu /usr/share/icu \ --ro-bind /usr/share/drirc.d /usr/share/drirc.d \ --ro-bind /usr/share/fonts /usr/share/fonts \ --ro-bind /usr/share/glib-2.0 /usr/share/glib-2.0 \ --ro-bind /usr/share/glvnd /usr/share/glvnd \ --ro-bind /usr/share/icons /usr/share/icons \ --ro-bind /usr/share/libdrm /usr/share/libdrm \ --ro-bind /usr/share/mime /usr/share/mime \ --ro-bind /usr/share/X11/xkb /usr/share/X11/xkb \ --ro-bind /usr/share/icons /usr/share/icons \ --ro-bind /usr/share/mime /usr/share/mime \ --ro-bind /etc/fonts /etc/fonts \ --ro-bind /etc/resolv.conf /etc/resolv.conf \ --ro-bind /usr/share/ca-certificates /usr/share/ca-certificates \ --ro-bind /etc/ssl /etc/ssl \ --ro-bind /etc/ca-certificates /etc/ca-certificates \ --dir /run/user/"$(id -u)" \ --ro-bind /run/user/"$(id -u)"/pulse /run/user/"$(id -u)"/pulse \ --ro-bind /run/user/"$(id -u)"/wayland-1 /run/user/"$(id -u)"/wayland-1 \ --dev /dev \ --dev-bind /dev/dri /dev/dri \ --ro-bind /sys/dev/char /sys/dev/char \ --ro-bind /sys/devices/pci0000:00 /sys/devices/pci0000:00 \ --proc /proc \ --tmpfs /tmp \ --bind /home/example/.mozilla /home/example/.mozilla \ --bind /home/example/.config/transmission /home/example/.config/transmission \ --bind /home/example/Downloads /home/example/Downloads \ --setenv HOME /home/example \ --setenv GTK_THEME Adwaita:dark \ --setenv MOZ_ENABLE_WAYLAND 1 \ --setenv PATH /usr/bin \ --hostname RESTRICTED \ --unshare-all \ --share-net \ --die-with-parent \ --new-session \ /usr/bin/firefox === Enhancing privacy === * Further restrictions can be made by removing specific entries ** Remove the following entry to remove audio support: --ro-bind /run/user/"$(id -u)"/pulse /run/user/"$(id -u)"/pulse \ * {{ic|/sandbox}} represents an arbitrary location defined by the user to hold desired profile information ** This allows for the use of a [[Firefox/Privacy#Sanitized profiles|sanitized profile]] copied into {{ic|/sandbox}} via a script/cron job or manually e.g. $ cp -pR ~/.mozilla /sandbox/ The location can be a network share, a USB mount, or a local filesystem or [[Firefox/Profile on RAM|ramfs/tmpfs location]] * Set {{ic|/home/r}} to obscure the actual {{ic|/home/example}} * Set new user ID and group ID values {{Note|Ensure that the selected UID and GID does not conflict with existing values listed in {{ic|/etc/passwd}} and {{ic|/etc/groups}}.}} bwrap \ .... --bind /sandbox/.mozilla /home/r/.mozilla \ --bind /sandbox/Downloads /home/r/Downloads \ ... --setenv HOME /home/r \ ... --uid 200 --gid 400 \ ... /usr/bin/firefox --no-remote --private-window == Chromium == A simple chromium sandbox on wayland and with pipewire: {{bc|1= bwrap \ --symlink usr/lib /lib \ --symlink usr/lib64 /lib64 \ --symlink usr/bin /bin \ --symlink usr/bin /sbin \ --ro-bind /usr/lib /usr/lib \ --ro-bind /usr/lib64 /usr/lib64 \ --ro-bind /usr/bin /usr/bin \ --ro-bind /etc /etc \ --ro-bind /usr/lib/chromium /usr/lib/chromium \ --ro-bind /usr/share /usr/share \ --dev /dev \ --dev-bind /dev/dri /dev/dri \ --proc /proc \ --ro-bind /sys/dev/char /sys/dev/char \ --ro-bind /sys/devices /sys/devices \ --ro-bind /run/dbus /run/dbus \ --dir "$XDG_RUNTIME_DIR" \ --ro-bind "$XDG_RUNTIME_DIR/wayland-1" "$XDG_RUNTIME_DIR/wayland-1" \ --ro-bind "$XDG_RUNTIME_DIR/pipewire-0" "$XDG_RUNTIME_DIR/pipewire-0" \ --ro-bind "$XDG_RUNTIME_DIR/pulse" "$XDG_RUNTIME_DIR/pulse" \ --tmpfs /tmp \ --dir $HOME/.cache \ --bind $HOME/.config/chromium $HOME/.config/chromium \ --bind $HOME/Downloads $HOME/Downloads \ /usr/bin/chromium --enable-features=UseOzonePlatform --ozone-platform=wayland }} {{Warning|If you are using the {{pkg|linux-hardened}} kernel, you will not be able to use bubblewrap to sandbox chromium due to the {{ic|kernel.unprivileged_userns_clone}} [[sysctl]] being set to 0. You can set it to 1, however, this is not recommended {{Bug|36969}}. One alternative solution is to have chromium use the namespace created by bubblewrap. This can be achieved through {{AUR|zypak}} which is also used by flatpak to run electron based apps inside an additional namespace. Example code that demonstrates how to use zypak with chromium/electron can be found [https://github.com/valoq/bwscripts/blob/master/profiles/signal-desktop here] }} * [[PipeWire]]: {{ic|--ro-bind "/run/user/$(id -u)/pipewire-0" "/run/user/$(id -u)/pipewire-0" \}} ** If you are not using pipewire, feel free to remove this line * {{ic|--bind $HOME/.config/chromium $HOME/.config/chromium \}} mounts your chromium configuration directory in the sandbox as readable and writable * {{ic|--bind $HOME/Downloads $HOME/Downloads \}} mounts your ~/Downloads directory in the sandbox as readable and writable * This example can be further improved for more isolation. == Skype for Linux == {{Accuracy|Forwarding the X11 and/or DBus sockets may lead to a sandbox escape}} {{AUR|skypeforlinux-stable-bin}} should be started with {{ic|/usr/share/skypeforlinux/skypeforlinux}} instead of {{ic|/usr/bin/skypeforlinux}}, because the latter is just a wrapper script which forks the main process in the background and terminates, which conflicts with the {{ic|--die-with-parent}} ''bwrap'' option. The following example provides these features: * {{ic|env -i}} ensures that all environment variables are unset. * Network is shared with the host ({{ic|--share-net}}), {{ic|/etc/resolv.conf}} is bind-mounted. * [[Xorg]] access: bind the {{ic|/tmp/.X11-unix/X0}} socket, set {{ic|$DISPLAY}}. * [[D-Bus]]: bind the {{ic|/run/user/$UID/bus}} socket, set {{ic|$DBUS_SESSION_BUS_ADDRESS}}. * Audio: bind the [[PulseAudio]] socket. * Video: dev-bind the {{ic|/dev/video0}} device. The directory on the host where you want to keep the Skype profile can be configured with {{ic|$HOST_PROFILE_PATH}}. {{bc|1= env -i bwrap \ --ro-bind /usr /usr \ --dir /home/r \ --dir /tmp \ --dir /var \ --dir /run/user/$UID \ --proc /proc \ --dev /dev \ --symlink usr/lib /lib \ --symlink usr/lib64 /lib64 \ --symlink usr/bin /bin \ --symlink usr/sbin /sbin \ --symlink ../tmp /var/tmp \ --bind "$HOST_PROFILE_PATH" /home/r/.config/skypeforlinux \ --ro-bind /etc/resolv.conf /etc/resolv.conf \ --ro-bind /tmp/.X11-unix/X0 /tmp/.X11-unix/X0 \ --ro-bind /run/user/$UID/bus /run/user/$UID/bus \ --ro-bind /run/user/$UID/pulse /run/user/$UID/pulse \ --dev-bind /dev/video0 /dev/video0 \ --chdir / \ --unshare-all \ --share-net \ --hostname RESTRICTED \ --die-with-parent \ --new-session \ --setenv PATH /usr/bin \ --setenv HOME /home/r \ --setenv XDG_RUNTIME_DIR "/run/user/$UID" \ --setenv DISPLAY "$DISPLAY" \ --setenv DBUS_SESSION_BUS_ADDRESS "unix:path=/run/user/$UID/bus" \ /usr/share/skypeforlinux/skypeforlinux }} == Steam == {{Accuracy|Forwarding the X11 and/or DBus sockets may lead to a sandbox escape}} A simple Steam sandbox {{bc|1= #!/usr/bin/bash set -e STEAM_HOME="$HOME/.local/share/steam_sandbox" RUN_USER="/run/user/$UID" mkdir -p "$STEAM_HOME" _bind() { _bind_arg=$1 shift for _path in "$@"; do args+=("$_bind_arg" "$_path" "$_path") done } bind() { _bind --bind-try "$@" } robind() { _bind --ro-bind-try "$@" } devbind() { _bind --dev-bind-try "$@" } args=( --tmpfs /tmp --proc /proc --dev /dev --dir /etc --dir /var --dir "$RUN_USER" --bind "$STEAM_HOME" "$HOME" --dir "$HOME" --dir "$XDG_CONFIG_HOME" --dir "$XDG_CACHE_HOME" --dir "$XDG_DATA_HOME" --dir "$XDG_STATE_HOME" --symlink /usr/lib /lib --symlink /usr/lib /lib64 --symlink /usr/bin /bin --symlink /usr/bin /sbin --symlink /run /var/run ) robind \ /usr \ /etc \ /opt \ /sys \ /var/empty \ /var/lib/alsa \ /var/lib/dbus \ "$RUN_USER/systemd/resolve" devbind \ /dev/dri \ /dev/nvidia* \ # steam bind \ "$HOME/.Xauthority" \ "$HOME/.local/bin/proton" \ "$HOME/.pki" \ "$HOME/.steam" \ "$HOME/.steampath" \ "$HOME/.steampid" \ "$HOME/Downloads" \ "$RUN_USER"/.mutter-X* \ "$RUN_USER"/ICE* \ "$RUN_USER"/dbus* \ "$RUN_USER"/gnome* \ "$RUN_USER"/pipewire* \ "$RUN_USER"/pulse* \ "$RUN_USER"/wayland* \ "$RUN_USER/at-spi" \ "$RUN_USER/bus" \ "$RUN_USER/dconf" \ "$RUN_USER/systemd" \ "$XDG_CACHE_HOME/mesa_shader_cache" \ "$XDG_CACHE_HOME/nv" \ "$XDG_CACHE_HOME/nvidia" \ "$XDG_CACHE_HOME/radv_builtin_shaders64" \ "$XDG_CONFIG_HOME/Epic" \ "$XDG_CONFIG_HOME/Loop_Hero" \ "$XDG_CONFIG_HOME/MangoHud" \ "$XDG_CONFIG_HOME/ModTheSpire" \ "$XDG_CONFIG_HOME/RogueLegacy" \ "$XDG_CONFIG_HOME/RogueLegacyStorageContainer" \ "$XDG_CONFIG_HOME/cef_user_data" \ "$XDG_CONFIG_HOME/proton" \ "$XDG_CONFIG_HOME/pulse" \ "$XDG_CONFIG_HOME/unity3d" \ "$XDG_DATA_HOME/3909/PapersPlease" \ "$XDG_DATA_HOME/Colossal Order" \ "$XDG_DATA_HOME/Dredmor" \ "$XDG_DATA_HOME/FasterThanLight" \ "$XDG_DATA_HOME/HotlineMiami" \ "$XDG_DATA_HOME/IntoTheBreach" \ "$XDG_DATA_HOME/Paradox Interactive" \ "$XDG_DATA_HOME/PillarsOfEternity" \ "$XDG_DATA_HOME/RogueLegacy" \ "$XDG_DATA_HOME/RogueLegacyStorageContainer" \ "$XDG_DATA_HOME/Steam" \ "$XDG_DATA_HOME/SuperHexagon" \ "$XDG_DATA_HOME/Terraria" \ "$XDG_DATA_HOME/applications" \ "$XDG_DATA_HOME/aspyr-media" \ "$XDG_DATA_HOME/bohemiainteractive" \ "$XDG_DATA_HOME/cdprojektred" \ "$XDG_DATA_HOME/feral-interactive" \ "$XDG_DATA_HOME/frictionalgames" \ "$XDG_DATA_HOME/icons" \ "$XDG_DATA_HOME/proton" \ "$XDG_DATA_HOME/vpltd" \ "$XDG_DATA_HOME/vulkan" \ "/var/lib/bluetooth" \ /run/systemd \ /tmp/.ICE-unix \ /tmp/.X11-unix exec bwrap "${args[@]}" /usr/lib/steam/steam "$@" }} == Filesystem isolation == {{Warning|It is the bubblewrap user’s responsibility to update the filesystem trees regularly.}} To further hide the contents of the file system (such as those in {{ic|/var}}, {{ic|/usr/bin}} and {{ic|/usr/lib}}) and to sandbox even the installation of software, pacman can be made to install Arch packages into isolated filesystem trees. In order to use pacman for installing software into the filesystem trees, you will need to install {{Pkg|fakeroot}} and {{Pkg|fakechroot}}. Suppose you want to install the {{ic|xterm}} package with pacman into an isolated filesystem tree. You should prepare your tree like this: $ MYPACKAGE=xterm $ mkdir -p ~/sandboxes/${MYPACKAGE}/files/var/lib/pacman $ mkdir -p ~/sandboxes/${MYPACKAGE}/files/etc $ cp /etc/pacman.conf ~/sandboxes/${MYPACKAGE}/files/etc/pacman.conf You may want to edit {{ic|~/sandboxes/${MYPACKAGE}/files/etc/pacman.conf}} and adjust the pacman configuration used: * Remove any undesired custom repositories and {{ic|IgnorePkg}}, {{ic|IgnoreGroup}}, {{ic|NoUpgrade}} and {{ic|NoExtract}} settings that are needed only for the host system. * You may need to remove the {{ic|CheckSpace}} option so pacman will not complain about errors finding the root filesystem for checking disk space. Then install the {{ic|base}} group along with the needed fakeroot into the isolated filesystem tree: $ fakechroot fakeroot pacman -Syu \ --root ~/sandboxes/${MYPACKAGE}/files \ --dbpath ~/sandboxes/${MYPACKAGE}/files/var/lib/pacman \ --config ~/sandboxes/${MYPACKAGE}/files/etc/pacman.conf \ base fakeroot Since you will be repeatedly calling bubblewrap with the same options, make an alias: $ alias bw-install='bwrap \ --bind ~/sandboxes/${MYPACKAGE}/files/ / \ --ro-bind /etc/resolv.conf /etc/resolv.conf \ --tmpfs /tmp \ --proc /proc \ --dev /dev \ --chdir / ' You will need to set up the [[Locale|locales]] by [[textedit|editing]] {{ic|~/sandboxes/${MYPACKAGE}/files/etc/locale.gen}} and running: $ bw-install locale-gen Then set up pacman’s keyring: $ bw-install fakeroot pacman-key --init $ bw-install fakeroot pacman-key --populate Now you can install the desired {{ic|xterm}} package. $ bw-install fakeroot pacman -S ${MYPACKAGE} If the pacman command fails here, try running the command for populating the keyring again. Congratulations. You now have an isolated filesystem tree containing {{ic|xterm}}. You can use {{ic|bw-install}} again to upgrade your filesystem tree. You can now run your software with bubblewrap. {{ic|''command''}} should be {{ic|xterm}} in this case. $ bwrap \ --ro-bind ~/sandboxes/${MYPACKAGE}/files/ / \ --ro-bind /etc/resolv.conf /etc/resolv.conf \ --tmpfs /tmp \ --proc /proc \ --dev /dev \ --chdir / \ ''command'' Note that some files can be shared between packages. You can hardlink to all files of an existing parent filesystem tree to reuse them in a new tree: $ cp -al ~/sandboxes/${MYPARENTPACKAGE} ~/sandboxes/${MYPACKAGE} Then proceed with the installation as usual by calling pacman from {{ic|bw-install fakechroot fakeroot pacman ...}}.
このページで使用されているテンプレート:
テンプレート:AUR
(
ソースを閲覧
)
テンプレート:Accuracy
(
ソースを閲覧
)
テンプレート:Bc
(
ソースを閲覧
)
テンプレート:Bug
(
ソースを閲覧
)
テンプレート:Ic
(
ソースを閲覧
)
テンプレート:META Message
(
ソースを閲覧
)
テンプレート:Note
(
ソースを閲覧
)
テンプレート:Pkg
(
ソースを閲覧
)
テンプレート:Tip
(
ソースを閲覧
)
テンプレート:Warning
(
ソースを閲覧
)
Bubblewrap/例
に戻る。
検索
検索
Bubblewrap/例のソースを表示
話題を追加