Add sample profiles for common software #155

Open
wants to merge 1 commit into
base: master
PACHAKUTlQ

Add profiles for common software

Add profiles for Chromium Wayland, Localsend, Telegram desktop, Thunderbird, Tor browser, Typora and Zotero.

Warning

As there are no guides on writing sample profiles, I wrote them based on the services.toml in bubblejail instance folders. There are differences between services.toml and the toml configs of sample profiles, so I wrote these based on existing profiles, but am not sure they are all correct.

The services.toml in bubblejail instance folders all work on Arch Linux and latest Ubuntu, but the sample profiles ARE NOT fully tested, as I don't want to mess up my local sandbox environments, which took a lot of trouble to configure. Please test before merging.

All the added profiles use Wayland if possible and have the least access to privileges and paths.

Some software, like Chromium and Chromium-based browsers and apps, originally supports opening files by chromium some_file, but I cannot find a way to allow this using bubblejail configs alone. (Adding %F or %U in [common] -> executable_name does not work.)

So I use a workaround of adding flags in desktop entry files like:

[Desktop Entry]
Exec=bubblejail run chromium_bubblejail_instance chromium --enable-features=UseOzonePlatform --ozone-platform=wayland --enable-wayland-ime %U

to enable opening files from CLI/double-clicking using Chromium. When using this workaround, the fields in [common] in the bubblejail config are not needed.

Running Chromium using Wayland on Arch Linux may require manually installing gtk3, or it may crash.
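
An added example, not part of the original post or of the bubblejail project, that applies the desktop-entry workaround above to every Exec= line of an entry, including per-action ones, so that no launcher action starts the program outside the sandbox. The sample entry is constructed, the function names are hypothetical, and turning off DBusActivatable goes beyond what the post describes.

```python
import re

# Assumption: instance names use only these characters; anything else is rejected
# so the name cannot smuggle extra arguments into the Exec= line.
INSTANCE_RE = re.compile(r"[A-Za-z0-9_.-]+")
PREFIX = "bubblejail run "

# Constructed sample entry (not a real distribution file).
SAMPLE = """[Desktop Entry]
Name=Chromium
Exec=/usr/bin/chromium %U
DBusActivatable=true
Type=Application

[Desktop Action new-window]
Name=New Window
Exec=/usr/bin/chromium --new-window
"""


def sandbox_desktop_entry(text: str, instance: str) -> str:
    """Rewrite every Exec= line to run through `bubblejail run <instance>`."""
    if not INSTANCE_RE.fullmatch(instance):
        raise ValueError(f"unexpected instance name: {instance!r}")
    out = []
    for line in text.splitlines():
        key, sep, value = line.partition("=")
        key = key.strip()
        if sep and key == "Exec" and not value.lstrip().startswith(PREFIX):
            # Field codes such as %U stay as they are for the launcher to expand.
            line = f"Exec={PREFIX}{instance} {value.strip()}"
        elif sep and key == "DBusActivatable":
            # With D-Bus activation a launcher may ignore Exec= entirely.
            line = "DBusActivatable=false"
        out.append(line)
    return "\n".join(out) + "\n"


def unsandboxed_execs(text: str) -> list[str]:
    """Return Exec= lines that do not go through bubblejail (audit helper)."""
    found = []
    for line in text.splitlines():
        key, sep, value = line.partition("=")
        if sep and key.strip() == "Exec" and not value.lstrip().startswith(PREFIX):
            found.append(line)
    return found


if __name__ == "__main__":
    print(sandbox_desktop_entry(SAMPLE, "chromium_bubblejail_instance"), end="")
```

Running `unsandboxed_execs` over a rewritten entry should return an empty list; a non-empty result means some menu action would still start the program directly.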

@PACHAKUTlQ PACHAKUTlQ changed the title Add sample profiles for common software. Add sample profiles for common software Jan 26, 2025
@igo95862
Owner

Hello @PACHAKUTlQ

As there are no guides on writing sample profiles, I wrote them based on the services.toml in bubblejail instance folders. There are differences between services.toml and the toml configs of sample profiles, so I wrote these based on existing profiles, but am not sure they are all correct.

I am actually planning on replacing the profiles with an interactive configuration wizard. If you look at all the profiles in this MR, the generic profile will be able to handle all of them except Thunderbird, where GTK wants to acquire a unique D-Bus name and will crash without this permission. The configuration wizard would be able to detect the name the sandbox tried to acquire and will suggest adding a dbus_name setting based on that.

@PACHAKUTlQ
Author

PACHAKUTlQ commented Jan 27, 2025

OK. But Chromium, Tor, Thunderbird and Zotero will crash if access to certain paths is not granted (if you run it once before sandboxing it/install it using a package manager outside the sandbox), and will not work with some permissions. So I thought sharing these paths and permissions I found might save others time.
Of course, a wizard to do all these will certainly make everything easier.

@igo95862
Owner

Hmmm... Chromium seems to work fine with none of the directories shared.
