Add config to bind folder to diferent location in sandbox

[Redecorating]

Description

Could we share a directory on the host to a different path in the sandbox? e.g. /home/$USER/.local/share/bubblejail/instances/application_name/local could be binded to /usr/local in the sandbox, so if the application's installer wants to install to /usr/local, it would end up installing inside the sandbox

If I bound /usr/local to /usr/local, then I might end up with several applications putting files there, which wouldn't keep them isolated and would make it harder to uninstall one application as I wouldn't know for sure which files were put there by which applications.

In the code it looks like we'd need to add some way of specifying a second argument to Bind() and ReadOnlyBind() in the section below.

bubblejail/src/bubblejail/services.py

Lines 630 to 643 in 150c1e8

	def iter_bwrap_options(self) -> ServiceGeneratorType:
	settings = self.context.get_settings(RootShare.Settings)
	for x in settings.paths:
	yield Bind(x)
	for x in settings.read_only_paths:
	yield ReadOnlyBind(x)
	name = 'root_share'
	pretty_name = 'Root share'
	description = (
	'Share directory relative to root /'
	)

I'm not sure what the best way to add something to the toml config the specifies the source and dest dirs separately instead of assuming they are the same.

Maybe something like the toml snippet below would work? If an item in the home_paths list is a string, it's interpreted the same way as the code does it at the moment, but if it's a list, then the first item is the source folder, and the second item is the destination folder. This way I don't think it'd break old config files.

[home_share]
home_paths = [
    "Downloads",
    [".local", ".local/share/bubblejail/instances/application_name/.local" ],
]

[igo95862]

Hello.

I am not sure if this would be a useful feature. /usr/local can be used for system-wide libraries (that are compiled locally) and something might break if a required library suddenly goes missing.

if the application's installer wants to install to /usr/local, it would end up installing inside the sandbox

Most likely the installer is using make to install which defaults to /usr/local prefix. This would mean DESTDIR environment variable can be used to alter the installation directory.

[Redecorating]

Thanks for your reply.

I am not sure if this would be a useful feature.

Context as to why I thought I might need this feature in the future:

I'm hoping to use bubblejail to sandbox apps that don't have a flatpak. The first one I'm trying to do this with is MATLAB, which is proprietary and has an install script you download after getting a licence. This script does prompt me to change the default installation directories of /usr/local/MATLAB and /usr/local/bin so I was able to change that to folders inside the sandbox and MATLAB seems to work fine with bubble jail.

This did make me wonder what I'd do if I encounter a proprietary application that only installs to a system wide directory like /opt or /usr/local (although I haven't spent enough time using bubblejail to find an example).

/usr/local can be used for system-wide libraries (that are compiled locally) and something might break if a required library suddenly goes missing.

I didn't consider that. I wonder if overlayfs would help with that (although it looks like bwrap doesn't support that currently containers/bubblewrap#412).

In my case, I'm expecting the applications that don't let me change their installation directory will have all their dependencies included and wouldn't rely on any manually installed libraries (otherwise I'd have to install the libraries in the sandbox's usr/local, which wouldn't be ideal).

[Flinner]

Hi @Redecorating , forgive me for asking 1 year later, what settings did you choose to make matlab run? my installer hangs

[igo95862]

Maybe some system like docker/podman volumes could be implemented. It will enable sharing certain data between sandboxes.

I wonder if overlayfs would help with that (although it looks like bwrap doesn't support that currently

If the kernel allow it to be mounted unprivileged then a sandbox post processing could be used like what slirp4netns and namespace limits services do.

Anyway I think this such feature needs some more discussion before being implemented. I will move this to a discussions.

[rusty-snake]

If the kernel allow it to be mounted unprivileged

FYI: Newer kernels (starting with 5.4 or so) support it.

[ple1n]

@rusty-snake I'm still working on my netns-problem. I revised my script. It seems for the next step I can have a privileged daemon process that creates subprocesses to setns into apps' unshared netns-es and configure them to have TUNs to have proxied internet, on demand, called by unix socket. At present it creates a few persistent configured netns-es. I'm not sure how slirp4netns is needed or relevant now. So my script should work with flatpak and other sandbox systems.

I like your crabjail even though I don't know much about linux security. The rust code is just so clean (in fact, I mean including the overall design). I feel like ditching firejail. There is no way it can be secure without clean code/design.
Would you continue to work on it ? Do you have any advice for me ?

https://github.com/planetoryd/netns-proxy/tree/rtnetlink

I have to consider the sandbox systems because my netns tool has to contain the process as soon as it starts. Deliberate integration has to be done, including the UI.