Can ease of use be closer to that of firejail?

[o-jasper]

Firejail has profiles and provides lots of default ones. Analogous to the commandline arguments, as far as i can see.

To make things defaultly run with firejail, you symlink from a directory with priority in $PATH to /usr/bin/firejail and it uses argv[0] to select the relevant profile.

I am sure i am carrying water to the sea, i checked the (open/closed)issues, just a few mentioning firejail, so afaik no-one has asked in the issues at least.

[smcv]

bubblewrap isn't really designed to be a user-facing tool. It is setuid root (on some systems) and needs to remain minimal in order to be secure: each new feature is a potential privilege escalation opportunity.

Instead, bubblewrap designed to be used indirectly by user-facing tools like Flatpak. A Firejail-style application could be built around bubblewrap, but all the complexity that adds convenience should be outside the privileged part.

(And, yes, I'm aware that Firejail is both complex and setuid root. I think that's an inadvisable design, and a significant security risk: compare https://www.cvedetails.com/vulnerability-list/vendor_id-16191/product_id-36171/Firejail-Project-Firejail.html with https://www.cvedetails.com/vulnerability-list/vendor_id-16284/product_id-36870/Projectatomic-Bubblewrap.html.)

[o-jasper]

Thanks! Those concerns are basically why i am looking for an alternative. In some cases having firejail installed you might even be worse off..

So i suppose no-one has made firejail-like wrapper yet? Afaics, you wouldnt need suid for that.

Messing around with it, i was overthinking things.. It is pretty usable. Basically all i want is the default profiles and the argv[0] trick.. Perhaps someone else should just make a separate project doing that, close this issue if you want.

[smcv]

Perhaps someone else should just make a separate project doing that

Maybe you are the "someone" here? :-)

[valoq]

What you need is not a "wrapper" (bubblewrap is a wrapper for namespaces already) but simply a script that creates your sandboxed environment using bubblewrap features.

Here are some example scripts that show how use bubblewrap to create pretty much the same profiles as firejail does, except with some manual adjustments needed.
https://github.com/valoq/bwscripts

[o-jasper]

@valoq with those scripts, can you still use it with commandline arguments? Seems to me, not.

Annoyingly, $@ in shell scripts apparently can't quite do similar to alias, seems to insist on executing internals. Could have a file and source it.(edit: i mean getting aliases from ~/.bashrc or ~/.zshrc)

One (possibly minor)advantage of the ln -s trick is that you know it is just configuration files, whereas otherwise it could be anything. C is a bitch to program in.. I used Python.. It's more or less a proof of concept.

It searches for the corresponding configuration files -here just commandline arguments- in a list of paths, and configuration files can refer to other ones, where again it will look the same way. Edit: .. it adds arguments to the original program.. Need to instead add them to bwrap and then call the program via bwrap...

I'd be fine to use Python for this if it had a footprint of ~megabytes like lua or luajit, but its 130MB. (looking for lighter weight, micropython does 300K on one of the firmwares..

[o-jasper]

This code i am actually using.

Maybe i'll add an option to exclude all the suid files, try to convert aspects of /etc/firejail/,(I keep writing fox..) or even use pacman -Ql as a guide. Tho i do stuff in ~/iso/firefox/, ~/iso/games/ etcetera instead of blocking ~/.gnupg/ as firejail confs do.

[tredondo]

@madaidan said back in 2019 they were planning to write profiles for bubblewrap. I don't see a follow up on that at netblue30/firejail#3046 (comment).

[Maryse47]

https://gitlab.com/madaidan/sandbox

https://github.com/igo95862/bubblejail

https://github.com/darrenldl/sandboxing