Compare commits

...

10 Commits

Author SHA1 Message Date
Martin a7763a3b35
Update deps 2024-07-13 19:17:45 +01:00
Martin 5f15f42ffb
Bump dependencies 2023-06-23 15:33:10 +02:00
Martin b48c4d423b
Add runtime dependencies to flake 2023-06-23 15:31:08 +02:00
Martin 8ecfa79ccd
Remove logging 2023-06-23 15:19:26 +02:00
Martin 71eb05c09a
Try to rely less on hardcoded paths 2022-05-12 17:51:55 +02:00
Martin 6ca24383f0
Flakeify 2022-04-07 11:32:09 +02:00
Martin 3a5e5d4870
Extend device support 2021-12-27 16:39:18 +01:00
Martin 77b4fedee2
Format default configs 2021-10-17 10:50:20 +02:00
Martin 93d2163ce9
Fix help output 2021-10-16 13:12:39 +02:00
Martin 1634321bd2
Search multiple locations for profiles 2021-10-16 12:58:11 +02:00
18 changed files with 612 additions and 41 deletions

4
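--- a/.gitignore
+++ b/.gitignore
@@ -1,2 +1,4 @@
 .idea
-main
+bwbox
+result
+scripts/applications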


@ -5,7 +5,6 @@ import random
proc main(): int = proc main(): int =
let args = parseArgs() let args = parseArgs()
echo args
if args.isNone: if args.isNone:
echo "Usage: bwshell --name=sandbox_name --profile=profile <sandbox_cmd>" echo "Usage: bwshell --name=sandbox_name --profile=profile <sandbox_cmd>"

13
bwbox.nimble Normal file

@ -0,0 +1,13 @@
# Package
version = "1.0.0"
author = "mawalu"
description = "An experimental sandbox tool for linux apps"
license = "MIT"
srcDir = "."
bin = @["bwbox"]
# Dependencies
requires "nim >= 1.6.0"


@ -1 +1,4 @@
{"extends": "shell", "mountcwd": true} {
"extends": "shell",
"mountcwd": true
}


@ -1,10 +0,0 @@
{
"mount": [],
"romount": ["/etc", "/var", "/usr", "/opt", ".oh-my-zsh", ".zsh", ".zshrc"],
"symlinks": [
{"src": "usr/lib", "dst": "/lib"},
{"src": "usr/lib64", "dst": "/lib64"},
{"src": "usr/bin", "dst": "/bin"},
{"src": "usr/sbin", "dst": "/sbin"}
]
}


@ -1 +1,6 @@
{"extends": "shell", "romount": [".gitconfig", ".gnupg", "/run/user/1000/gnupg", ".ssh/config"], "mountcwd": true, "mount": [".ssh/known_hosts"]} {
"extends": "shell",
"romount": [".gitconfig", ".gnupg", "/run/user/1000/gnupg", ".ssh/config"],
"mountcwd": true,
"mount": [".ssh/known_hosts"]
}


@ -1 +1,7 @@
{"extends": "default", "romount": [".Xauthority", "/tmp/.X11-unix", "/run/user/1000/pulse/native"], "dbus": true, "dbuscall": ["org.freedesktop.Notifications.*=@/org/freedesktop/Notifications", "org.freedesktop.portal.*=*"], "dbusbroadcast": ["org.freedesktop.portal.*=@/org/freedesktop/portal/*"]} {
"extends": "default",
"romount": [".Xauthority", "/tmp/.X11-unix", "/run/user/1000/pulse/native"],
"dbus": true,
"dbuscall": ["org.freedesktop.Notifications.*=@/org/freedesktop/Notifications", "org.freedesktop.portal.*=*"],
"dbusbroadcast": ["org.freedesktop.portal.*=@/org/freedesktop/portal/*"]
}


@ -1 +1,5 @@
{"extends": "default", "romount": [".oh-my-zsh", ".zsh", ".zshrc", ".zshrc-local"], "sethostname": true} {
"extends": "default",
"romount": [".oh-my-zsh", ".zsh", ".zshrc", ".zshrc-local"],
"sethostname": true
}

7
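--- a/configs/wayland
+++ b/configs/wayland
@@ -0,0 +1,7 @@
+{
+"extends": "default",
+"romount": ["/run/user/1000/pulse/native", "/run/user/1000/wayland-1"],
+"dbus": true,
+"dbuscall": ["org.freedesktop.Notifications.*=@/org/freedesktop/Notifications", "org.freedesktop.portal.*=*"],
+"dbusbroadcast": ["org.freedesktop.portal.*=@/org/freedesktop/portal/*"]
+}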
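Review bot: Both `romount` entries hardcode uid 1000 and the socket name `wayland-1`, so the profile only mounts the intended sockets for that one user and compositor instance. The paths should be derived from `$XDG_RUNTIME_DIR` and `$WAYLAND_DISPLAY` when the profile is applied; the profile format shows no variable expansion here, so that would need support in the loader. The `dbuscall` rule `"org.freedesktop.portal.*=*"` also allows every method on every object path of the portal services. If the sandboxed apps only need a few portals, restrict the rule to those interfaces and to the `/org/freedesktop/portal/desktop` object path.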

26
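--- a/flake.lock
+++ b/flake.lock
@@ -0,0 +1,26 @@
+{
+"nodes": {
+"nixpkgs": {
+"locked": {
+"lastModified": 1720893482,
+"narHash": "sha256-fGQczQ3JuvqSK3rYsJvvbE7j8BENLp8DqJH1B0uXYKg=",
+"owner": "NixOS",
+"repo": "nixpkgs",
+"rev": "94c843e8f05bac70e905c48c965ba7be79bde613",
+"type": "github"
+},
+"original": {
+"owner": "NixOS",
+"repo": "nixpkgs",
+"type": "github"
+}
+},
+"root": {
+"inputs": {
+"nixpkgs": "nixpkgs"
+}
+}
+},
+"root": "root",
+"version": 7
+}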

20
flake.nix Normal file

@ -0,0 +1,20 @@
{
description = "An experimental sandboxing tool for linux apps";
inputs.nixpkgs.url = github:NixOS/nixpkgs;
outputs = { self, nixpkgs }: {
packages.x86_64-linux.default =
with import nixpkgs { system = "x86_64-linux"; };
buildNimPackage {
name = "bwbox";
src = self;
nativeBuildInputs = [pkgs.makeWrapper];
postInstall = ''
wrapProgram $out/bin/bwbox \
--prefix PATH ':' ${pkgs.bubblewrap}/bin \
--prefix PATH ':' ${pkgs.xdg-dbus-proxy}/bin
'';
};
};
}
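Review bot: `inputs.nixpkgs.url = github:NixOS/nixpkgs;` follows the nixpkgs default branch, so each `nix flake update` moves bubblewrap and xdg-dbus-proxy, the two binaries the sandbox's isolation depends on, to whatever is on the development branch at that moment. Tracking a release branch limits those updates to stable backports, and the bare URL literal is deprecated syntax, so quote it: `inputs.nixpkgs.url = "github:NixOS/nixpkgs/nixos-24.05";` (branch name given as an example). The `--prefix PATH` wrapping pins `bwrap` only for installs made through this flake; any other install resolves it from the caller's PATH.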


@ -5,9 +5,10 @@ type Args* = object
name*: Option[string] name*: Option[string]
cmd*: Option[seq[string]] cmd*: Option[seq[string]]
profile*: Option[string] profile*: Option[string]
debug*: bool
proc getCmd*(args: Args): seq[string] = proc getCmd*(args: Args): seq[string] =
return args.cmd.get(@[getEnv("SHELL", "/bin/bash")]) return args.cmd.get(@[getEnv("SHELL", "/bin/sh")])
proc getProfile*(args: Args): string = proc getProfile*(args: Args): string =
if args.profile.isSome: if args.profile.isSome:
@ -16,26 +17,33 @@ proc getProfile*(args: Args): string =
return "default" return "default"
proc parseArgs*(): Option[Args] = proc parseArgs*(): Option[Args] =
var args = Args() var args = Args(debug: false)
var command = newSeq[string]() var command = newSeq[string]()
var parsingSandboxArgs = true
var i = 1 var i = 1
while i <= paramCount(): while i <= paramCount():
var arg = paramStr(i) var arg = paramStr(i)
if arg == "--name": if arg == "--name" and parsingSandboxArgs:
args.name = some(paramStr(i + 1)) args.name = some(paramStr(i + 1))
i += 2 i += 2
elif arg == "--profile": elif arg == "--profile" and parsingSandboxArgs:
args.profile = some(paramStr(i + 1)) args.profile = some(paramStr(i + 1))
i += 2 i += 2
elif arg == "--debug" and parsingSandboxArgs:
args.debug = true
i += 1
else: else:
echo arg parsingSandboxArgs = false
command.add(arg) command.add(arg)
i += 1 i += 1
if command.len > 0: if command.len > 0:
args.cmd = some(command) args.cmd = some(command)
if args.name.isSome or args.cmd.isSome or args.profile.isSome:
return some(args) return some(args)
else:
return none(Args)
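Review bot: `paramStr(i + 1)` is read without checking that a value follows, so `--name` or `--profile` as the last argument raises an out-of-range error instead of printing the usage text; guard both branches before the read with `if i == paramCount(): return none(Args)`. The new final check also ignores `debug`, so `bwbox --debug` on its own returns `none(Args)` and shows usage; if that is intended, a comment on the condition should say so. A `##` doc comment on `parseArgs` stating that option parsing stops at the first non-option argument, so the sandboxed command can carry its own `--name` or `--profile`, would explain why `parsingSandboxArgs` exists.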


@ -1,8 +1,9 @@
import os
import posix import posix
import sequtils import sequtils
type BwrapCall* = object type BwrapCall* = object
args: seq[string] args*: seq[string]
proc addArg*(call: var BwrapCall, args: varargs[string]): var BwrapCall {.discardable.} = proc addArg*(call: var BwrapCall, args: varargs[string]): var BwrapCall {.discardable.} =
for arg in args: for arg in args:
@ -14,4 +15,4 @@ proc addMount*(call: var BwrapCall, mType: string, path: string): var BwrapCall
call call
proc exec*(call: var BwrapCall) = proc exec*(call: var BwrapCall) =
discard execv("/usr/bin/bwrap", allocCStringArray(@["bwrap"].concat(call.args))) discard execv("/usr/bin/env", allocCStringArray(@["/usr/bin/env", "bwrap"].concat(call.args)))
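Review bot: `exec` discards the `execv` result, so when the call fails the proc simply returns and the caller carries on without any sandbox process having started. Going through `/usr/bin/env` also leaves the choice of `bwrap` to the caller's PATH at exec time, with no check in this process that a binary was found. Since `os` is imported in this hunk, resolve the binary once with `findExe`, stop with an error when it is missing, and raise if `execv` returns. Exporting `args*` appears to serve only the debug `echo` in the sandbox hunk; a read-only accessor would keep the argument list from being modified outside `addArg`/`addMount`.

```nim
proc exec*(call: var BwrapCall) =
  ## Replaces the current process with bwrap; returns only by raising.
  let bwrap = findExe("bwrap")
  if bwrap.len == 0:
    raise newException(IOError, "bwrap not found in PATH")
  discard execv(bwrap.cstring, allocCStringArray(@[bwrap].concat(call.args)))
  # execv only comes back on failure
  raiseOSError(osLastError())
```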


@ -3,6 +3,7 @@ import options
import bwrap import bwrap
import utils import utils
import json import json
import os
type Link* = object type Link* = object
src*: string src*: string
@ -23,6 +24,7 @@ type Config* = object
dbusown*: Option[seq[string]] dbusown*: Option[seq[string]]
dbuscall*: Option[seq[string]] dbuscall*: Option[seq[string]]
dbusbroadcast*: Option[seq[string]] dbusbroadcast*: Option[seq[string]]
devmount*: Option[seq[string]]
proc applyConfig*(call: var BwrapCall, config: Config) = proc applyConfig*(call: var BwrapCall, config: Config) =
for mount in config.mount.get(@[]): for mount in config.mount.get(@[]):
@ -34,6 +36,14 @@ proc applyConfig*(call: var BwrapCall, config: Config) =
for symlink in config.symlinks.get(@[]): for symlink in config.symlinks.get(@[]):
call.addArg("--symlink", symlink.src, symlink.dst) call.addArg("--symlink", symlink.src, symlink.dst)
for device in config.devmount.get(@[]):
call.addArg("--dev-bind", device, device)
if config.mountcwd.get(false):
call
.addMount("--bind", getCurrentDir())
.addArg("--chdir", getCurrentDir())
proc loadConfig*(path: string): Config = proc loadConfig*(path: string): Config =
return readFile(path) return readFile(path)
.parseJson() .parseJson()
@ -53,6 +63,7 @@ proc extendConfig*(config: var Config): Config {.discardable.} =
config.mountcwd = some(config.mountcwd.get(eConf.mountcwd.get(false))) config.mountcwd = some(config.mountcwd.get(eConf.mountcwd.get(false)))
config.sethostname = some(config.sethostname.get(eConf.sethostname.get(false))) config.sethostname = some(config.sethostname.get(eConf.sethostname.get(false)))
config.allowdri = some(config.allowdri.get(eConf.allowdri.get(false))) config.allowdri = some(config.allowdri.get(eConf.allowdri.get(false)))
config.devmount = some(config.devmount.get(eConf.devmount.get(@[])))
config.dbus = some(config.dbus.get(eConf.dbus.get(false))) config.dbus = some(config.dbus.get(eConf.dbus.get(false)))
config.dbussee = some(config.dbussee.get(@[]).concat(eConf.dbussee.get(@[]))) config.dbussee = some(config.dbussee.get(@[]).concat(eConf.dbussee.get(@[])))
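Review bot: Each `devmount` entry is passed to `--dev-bind` exactly as written in the profile, without going through `addMount` like the DRI binds in the utils hunk and without a check that it is a device node. A directory or a mistyped path is therefore bound read-write with device access allowed. Applying the character-device test that `deviceExists` in utils performs (it would need exporting) keeps a typo or a copied profile from widening the sandbox: `if deviceExists(device): call.addMount("--dev-bind", device)`. In `extendConfig`, `devmount` is replaced by the child profile rather than concatenated like `dbussee`; if that is intentional, a comment on that line should say so. `applyConfig` and `extendConfig` both extend beyond these hunks.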


@ -1,4 +1,5 @@
import strutils import strutils
import sequtils
import options import options
import config import config
import utils import utils
@ -36,9 +37,15 @@ proc sandboxExec*(args: Args) =
config.extendConfig() config.extendConfig()
call call
.addArg("--new-session")
.addArg("--dev", "/dev") .addArg("--dev", "/dev")
.addMount("--dev-bind", "/dev/random") .addMount("--dev-bind", "/dev/random")
.addMount("--dev-bind", "/dev/urandom") .addMount("--dev-bind", "/dev/urandom")
.addMount("--ro-bind", "/sys/block")
.addMount("--ro-bind", "/sys/bus")
.addMount("--ro-bind", "/sys/class")
.addMount("--ro-bind", "/sys/dev")
.addMount("--ro-bind", "/sys/devices")
.addArg("--tmpfs", "/tmp") .addArg("--tmpfs", "/tmp")
.addArg("--tmpfs", "/dev/shm") .addArg("--tmpfs", "/dev/shm")
.addArg("--proc", "/proc") .addArg("--proc", "/proc")
@ -48,6 +55,10 @@ proc sandboxExec*(args: Args) =
.addArg("--setenv", "BWSANDBOX", "1") .addArg("--setenv", "BWSANDBOX", "1")
.applyConfig(config) .applyConfig(config)
if config.sethostname.get(false):
call
.addArg("--hostname", hostname)
if config.dbus.get(false): if config.dbus.get(false):
# todo: handle process and cleanup later # todo: handle process and cleanup later
let proxy = startDBusProxy(config, hostname) let proxy = startDBusProxy(config, hostname)
@ -60,13 +71,11 @@ proc sandboxExec*(args: Args) =
if config.allowdri.get(false): if config.allowdri.get(false):
enableDri(call) enableDri(call)
if config.mountcwd.get(false): # resolve binary path outside of the sandbox
call var cmd = args.getCmd
.addMount("--bind", getCurrentDir()) cmd[0] = findExe(cmd[0])
.addArg("--chdir", getCurrentDir())
if config.sethostname.get(false): echo call.args.join(" ")
call echo cmd
.addArg("--hostname", hostname)
call.addArg(args.getCmd).exec() call.addArg(cmd).exec()
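Review bot: `findExe` returns an empty string when the command is not found, and `cmd[0] = findExe(cmd[0])` passes that straight on, so bwrap is started with an empty program name instead of a clear error; check it first with `if cmd[0].len == 0: quit("command not found: " & args.getCmd[0], 127)`. The path is resolved on the host, so it works inside the sandbox only if the same path is mounted there, which the comment above the lookup should state. The two `echo` lines print the complete bwrap argument list and the command on every run; the `debug` field added to `Args` looks meant for this, so gate them: `if args.debug: echo call.args.join(" ")`. `sandboxExec` starts and ends outside these hunks.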


@ -15,9 +15,19 @@ proc checkRelativePath*(p: string): string =
getHomeDir().joinPath(p) getHomeDir().joinPath(p)
proc getProfilePath*(profile: string): string = proc getProfilePath*(profile: string): string =
getConfigDir() let pid = getCurrentProcessId()
.joinPath(APP_NAME)
.joinPath(profile) for path in [
getConfigDir().joinPath(APP_NAME),
&"/usr/share/{APP_NAME}",
parentDir(expandSymlink(&"/proc/{pid}/exe")).joinPath("configs")
]:
let file = path.joinPath(profile)
if fileExists(file):
return file
raise newException(IOError, "Profile not found")
proc getProfilePath*(args: Args): string = proc getProfilePath*(args: Args): string =
getProfilePath(args.getProfile()) getProfilePath(args.getProfile())
@ -31,17 +41,30 @@ proc deviceExists(path: string): bool =
var res: Stat var res: Stat
return stat(path, res) >= 0 and S_ISCHR(res.st_mode) return stat(path, res) >= 0 and S_ISCHR(res.st_mode)
proc mountDriFolder(call: var BwrapCall, path: string) =
for file in walkPattern(&"{path}/*"):
if dirExists(file):
mountDriFolder(call, file)
elif deviceExists(file):
call.addMount("--dev-bind", file)
#else:
# call.addMount("--ro-bin", file)
# https://github.com/flatpak/flatpak/blob/1bdbb80ac57df437e46fce2cdd63e4ff7704718b/common/flatpak-run.c#L1496 # https://github.com/flatpak/flatpak/blob/1bdbb80ac57df437e46fce2cdd63e4ff7704718b/common/flatpak-run.c#L1496
proc enableDri*(call: var BwrapCall) = proc enableDri*(call: var BwrapCall) =
const folder = "/dev/dri"
const mounts = [ const mounts = [
"/dev/dri", # general folder, # general
"/dev/mali", "/dev/mali0", "/dev/umplock", # mali "/dev/mali", "/dev/mali0", "/dev/umplock", # mali
"/dev/nvidiactl", "/dev/nvidia-modeset", # nvidia "/dev/nvidiactl", "/dev/nvidia-modeset", # nvidia
"/dev/nvidia-uvm", "/dev/nvidia-uvm-tools" # nvidia OpenCl/CUDA "/dev/nvidia-uvm", "/dev/nvidia-uvm-tools" # nvidia OpenCl/CUDA
] ]
if dirExists(folder):
mountDriFolder(call, folder)
for mount in mounts: for mount in mounts:
if deviceExists(mount): if deviceExists(mount) or dirExists(mount):
call.addMount("--dev-bind", mount) call.addMount("--dev-bind", mount)
for i in 0..20: for i in 0..20:
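Review bot: `getProfilePath` joins `profile` onto each search directory without validating it, so a name containing `/` resolves to a file outside the three profile directories; unless nested profile names are intended, reject them before the loop with `if profile.len == 0 or '/' in profile: raise newException(ValueError, "invalid profile name")`. The array literal evaluates `expandSymlink` before the loop starts, so a failure there aborts the lookup even when the profile exists in the config directory; `getAppDir().joinPath("configs")` from `os` avoids the manual `/proc` read. In `mountDriFolder`, `dirExists` follows symlinks, so the recursion is not guaranteed to stay under `/dev/dri`; a comment or a depth limit would make the bound explicit. `enableDri` continues past the end of the hunk.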

441
log Normal file

File diff suppressed because one or more lines are too long
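Review bot: `log` looks like captured run output rather than source: 441 added lines that the forge will not render because they are too long, and nothing in this comparison adds the file to `.gitignore`. Output from a sandbox launcher typically contains home-directory paths, the runtime directory and D-Bus proxy arguments, so check the contents before publishing and drop the file from the tree if it is not needed. A `log` entry in `.gitignore` next to `result` would keep it from being committed again.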


@ -1,4 +1,4 @@
#!/bin/bash #!/run/current-system/sw/bin/bash
if [ $# -ne 1 ]; then if [ $# -ne 1 ]; then
echo "Usage: $0 <target_dir>" echo "Usage: $0 <target_dir>"
@ -12,15 +12,18 @@ check_dir() {
for application in "$dir/"*; do for application in "$dir/"*; do
file="$(basename "$application")" file="$(basename "$application")"
sed "s/Exec=/Exec=bwshell --name '$file' --profile gui /gi" "$application" > "$target/$file" sed "s/^Exec=/Exec=bwbox --name '$file' --profile wayland /gi" "$application" > "$target/$file"
done done
} }
dirs=("/usr/share/applications" "$HOME/.local/share/applications") dirs=($(echo "$XDG_DATA_DIRS" | tr ':' '\n'))
dirs+=("$HOME/.local/share")
target="$1" target="$1"
mkdir -p "$target" mkdir -p "$target"
for dir in "${dirs[@]}"; do for dir in "${dirs[@]}"; do
check_dir "$dir" if [ -d "$dir/applications" ]; then
check_dir "$dir/applications"
fi
done done
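Review bot: `$file` is expanded inside the sed program and ends up between single quotes on the generated `Exec=` line, so a desktop-file name containing `'`, `&` or a backslash yields a broken or differently parsed launcher command; skip names outside a safe set before the `sed` with `[[ "$file" =~ ^[A-Za-z0-9._-]+$ ]] || continue`. `dirs=($(echo "$XDG_DATA_DIRS" | tr ':' '\n'))` is unquoted, so entries are word-split and glob-expanded, and an unset variable yields no directories; `IFS=: read -r -a dirs <<< "${XDG_DATA_DIRS:-/usr/local/share:/usr/share}"` handles both. The shebang `#!/run/current-system/sw/bin/bash` exists only on NixOS, whereas `#!/usr/bin/env bash` is portable. `check_dir` starts outside the hunk.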