Some review based on reading the bubblejail script

[rusty-snake]

bubblejail/bubblejail

Line 189 in 82869d3

_need_path_rw+=" $XDG_RUNTIME_DIR/${WAYLAND_DISPLAY:-wayland-0}"

In theory WAYLAND_DISPLAY can contain an absolute path, though it's very uncommon.

---

Pulseaudio requires /etc/machine-id.

---

bubblejail/bubblejail

Line 268 in 82869d3

--as-pid-1 \

This can cause trouble with some programs and I see no good reason why it should be the default. Is there any reason why you added it as default.

---

There is no way to share a device (say /dev/video0). Exposing bwrap's --dev-bind[-try] would be helpful.

---

bubblejail/bubblejail

Lines 262 to 264 in 82869d3

	--tmpfs /run \
	--tmpfs /tmp \
	--tmpfs /var \

Those flags can be replaced by --dir because / is already an tmpfs.

---

--new-session is important unless you have an replacement in form of an seccomp filter.

---

seccomp is important! even if it is complicated.

[Piraty]

thank you for your feedback.

wayland

you are right, as per https://gitlab.freedesktop.org/wayland/wayland/-/blob/a782152de0f0/src/wayland-client.c#L1217

Pulseaudio requires /etc/machine-id

i'm pretty sure it works as is, see teams wrapper or try bubblejail mpv ...

--as-pid-1

i didn't run into trouble yet and remember quite the opposite. but my memory is vague here...

share a device

you can do this today by appending the bwrap args right after bubblejail args

bubblejail --wayland --dev-bind-try /dev/urandom /rustyrandom file /rustyrandom

new-session

you are right, thanks. see ed062f6

seccomp

i'll glady accept patches ;-)

[rusty-snake]

Pulseaudio requires /etc/machine-id

Maybe PA behaves differently in Void Linux or PA changed in newer versions. At least older versions of pulseaudio (!= piprewire-pulse) in Debian/Ubuntu/Fedora/Arch/... required it.

seccomp

Dumping some links of other implementations FTR

• https://github.com/Kicksecure/sandbox-app-launcher/blob/master/usr/share/sandbox-app-launcher/autogen-seccomp
• https://github.com/darrenldl/sandboxing/blob/master/seccomp-bpfs/firefox.c
• https://codeberg.org/crabjail/crabsecco (my project)
• https://codeberg.org/crabjail/crabjail/src/branch/main/build/seccomp/flatpak.rs and https://codeberg.org/crabjail/crabjail/src/commit/414e2333ec13f03bbc597bc59af19d805bb061c3/src/crabjail/seccomp.rs (my project too)
• https://github.com/google/minijail/tree/master/tools
• https://github.com/google/kafel/
• https://github.com/igo95862/bubblejail/blob/master/src/bubblejail/bubblejail_seccomp.py

[rusty-snake]

--as-pid-1

Good summary: https://vagga.readthedocs.io/en/latest/pid1mode.html