Bubblejailのソースを表示

[[Category:サンドボックス]]
[[en:Bubblejail]]
{{Related articles start}}
{{Related|Bubblewrap}}
{{Related|セキュリティ}}
{{Related articles end}}
[https://github.com/igo95862/bubblejail Bubblejail] は、[[Bubblewrap]] ベースのサンドボックスユーティリティです。

Bubblejail はリソース指向のパーミッションモデルを持っています。例えば、[[x11]] はサンドボックスに追加することができるリソースです。これにより、サンドボックスは X11 ディスプレイサーバにアクセスできるようになります。

Bubblejail はまた、セキュリティと許可モデルを強化するために seccomp と D-Bus フィルタリングを使用しています。

Bubblejailは、サンドボックスの作成と設定を可能にするグラフィカルなインターフェイスも備えています。

== インストール ==

{{AUR|bubblejail}} または {{AUR|bubblejail-git}} をインストールして下さい。

== 使い方 ==

Bubblejail のサンドボックスは、インスタンスに分離されています。各インスタンスは、独立したホームディレクトリとパーミッションの設定です。

各インスタンスは通常1つのアプリケーションをサンドボックス化します。

=== Creating Instances ===

New instances are usually created from an available profiles. The profile is initial set of permissions and the desktop entry used. If a specific application is missing the profile a {{ic|generic}} profile or empty profile can be used and tweaked after creation.

{{Note|The used profile only determines the initial set of permissions. Permissions can be freely modified after creation.}}

==== Using graphical interface ====

Run the '''Bubblejail Configuration''' application. On the first screen at the bottom there will be Create Instance button.

==== Using command line ====

For example, creating a [[Firefox]] instance:

 $ bubblejail create --profile firefox ''instance_name''

=== Running instance ===

==== Using desktop entry ====

When creating an instance a [[desktop entry]] will be generated unless {{ic|--no-desktop-entry}} option was used.

Desktop entry would have the ''instance_name bubble'' name and can be launched from the desktop environment.

==== Using command line ====

Once created the instance can be run with {{ic|run}} subcommand:

 $ bubblejail run ''instance_name'' ''args''

If no arguments are passed when the default arguments will be used based on the profile used.

If ''args'' are passed when those arguments will be executed inside the sandbox. First argument should be the binary name and following arguments will be passed to this binary.

== Configuration ==

Once the instance has been created its permissions and resources can be modified. For modified permissions to take effect the sandbox needs to be restarted.

The profile used when creating sandbox only affect the initial set of permissions. However, removing certain permissions might prevent targeted application from working correctly.

=== Using graphical interface ===

Run the '''Bubblejail Configuration''' application. On the first screen click on the name of the sandbox you want to modify. This will bring up the list of all available permissions and a Save button.

=== Using command line ===

Bubblejail provides {{ic|edit}} command that will open the configuration file in the editor defined {{ic|EDITOR}} [[Environment variables]].

 $ bubblejail edit ''instance_name''

Bubblejail uses [https://toml.io/en/ TOML] for its configuration. The defined dictionaries gives permission for a specific resource and key value pairs inside dictionaries will set a specific resource settings.

For example:

{{bc|1=[x11]

[home_share]
home_paths = [ "Downloads",]
}}

This config defines two resources available to sandbox: the [[x11]] windowing system and shares the ''Downloads'' directory in the home folder.

The available services and options are documented in {{ic|bubblejail.services}} [[man|man page]].

== Tips and tricks ==

=== Running terminal inside sandbox ===

Using {{ic|run}} command a terminal can be launched inside already running sandbox. The terminal can be used to debug the sandbox.

It is recommended to use the terminal application that requires minimal amount of permissions such as [[Alacritty]] which only requires access to windowing system. (either [[x11]] or [[wayland]])

 $ bubblejail run ''instance_name'' alacritty

=== Re-using profile for similar applications ===

If an application is missing a profile but there is a related software with existing profile that profile can be used.

For example, {{ic|chromium}} profile can be used on any chromium derived browser such as [[qutebrowser]].

First, generate the instance using {{ic|chromium}} profile but disable the desktop entry creation.

 $ bubblejail create --no-desktop-entry --profile chromium qutebrowser

Now a desktop entry can be created from the qutebrowser's [[desktop entry]].

 bubblejail generate-desktop-entry --desktop-entry /usr/share/applications/org.qutebrowser.qutebrowser.desktop qutebrowser

Now the sandboxed qutebrowser can be launched with '''qutebrowser bubble''' desktop entry.

== See also ==

* [https://github.com/igo95862/bubblejail Bubblejail home page]