Bubblewrap

Limit /lib/*

← Older revision | Revision as of 04:50, 7 September 2023
Line 85: Line 85:
{{Ic|"${@:-./}"}}, this will generate a separate word for each
{{Ic|"${@:-./}"}}, this will generate a separate word for each
positional parameter and if you didn't have any parameters it will
positional parameter and if you didn't have any parameters it will
default to current directory.
default to the current directory:
/usr/libexec/imv-wayland "${@:-./}"


Running {{Ic|ldd}} to find all necessary libs, except ones loaded at
Find necessary shared libraries, except ones loaded at runtime:
runtime, on {{Path|/usr/libexec/imv-wayland}}, outputs a lot of things but
 
for the moment all we care about are the directory paths.  Specifically
{{Cmd|$ ldd /usr/libexec/imv-wayland}}
the starting directories, which are {{Ic|/lib/*}} and {{Ic|/usr/lib/*}}.
 
It outputs a lot of things but we only need a few; the directory path of
the majority {{Path|/usr/lib/*}} and the 4 paths that start with
{{Path|/lib/*}}.  Filter the output to see it clearer:
 
{{Cmd|$ ldd /usr/libexec/imv-wayland {{!}} grep ' /lib/'}}
 
In total:
--ro-bind /lib/ld-musl-x86_64.so.1 /lib/ld-musl-x86_64.so.1 \
--ro-bind /lib/libblkid.so.1 /lib/libblkid.so.1 \
--ro-bind /lib/libmount.so.1 /lib/libmount.so.1 \
--ro-bind /lib/libz.so.1 /lib/libz.so.1 \
--ro-bind /usr/lib/ /usr/lib/ \


{{Warning|The {{Ic|ldd}} manpage talks about some security implications.  It may not apply since they seem to be talking about glibc and {{Pkg|musl-utils}} makes {{Path|/lib/ld-musl-x86_64.so.1}} ldd [https://git.alpinelinux.org/aports/tree/main/musl/APKBUILD#n105].  Is this something to worry about?}}
{{Warning|The {{Ic|ldd}} manpage talks about some security implications.  It may not apply since they seem to be talking about glibc and {{Pkg|musl-utils}} makes {{Path|/lib/ld-musl-x86_64.so.1}} ldd [https://git.alpinelinux.org/aports/tree/main/musl/APKBUILD#n105].  Is this something to worry about?}}
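Review bot: The Warning template ends with an open question to the reader ("Is this something to worry about?") rather than a conclusion; a warning should state what the reader must do, so either answer it here or move the question to the talk page. The ldd(1) caveat being referenced concerns running ldd against an untrusted executable, because some dynamic linkers execute the inspected program to list its libraries; the command in this section is run on the packaged /usr/libexec/imv-wayland, so the text can say that the risk case is not this one, with the general rule of not running ldd on files you do not trust. Separately, the text already notes that ldd omits libraries loaded at runtime, so the four /lib/ files are a lower bound: a sentence telling the reader to watch for library load errors from imv after applying the list, and to rerun ldd after an imv or musl upgrade, would avoid a silently broken sandbox; the loader name /lib/ld-musl-x86_64.so.1 is also specific to x86_64 and should be flagged as such.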
Line 169: Line 182:
   --dev-bind /dev/null /dev/null \
   --dev-bind /dev/null /dev/null \
   --ro-bind-try "${XDG_CONFIG_HOME}/imv/config" "${XDG_CONFIG_HOME}/imv/config" \
   --ro-bind-try "${XDG_CONFIG_HOME}/imv/config" "${XDG_CONFIG_HOME}/imv/config" \
   --ro-bind /lib/ /lib/ \
   --ro-bind /lib/ld-musl-x86_64.so.1 /lib/ld-musl-x86_64.so.1 \
  --ro-bind /lib/libblkid.so.1 /lib/libblkid.so.1 \
  --ro-bind /lib/libmount.so.1 /lib/libmount.so.1 \
  --ro-bind /lib/libz.so.1 /lib/libz.so.1 \
   --ro-bind "${XDG_RUNTIME_DIR}/${WAYLAND_DISPLAY}" "${XDG_RUNTIME_DIR}/${WAYLAND_DISPLAY}" \
   --ro-bind "${XDG_RUNTIME_DIR}/${WAYLAND_DISPLAY}" "${XDG_RUNTIME_DIR}/${WAYLAND_DISPLAY}" \
   --ro-bind /usr/lib/ /usr/lib/ \
   --ro-bind /usr/lib/ /usr/lib/ \
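Review bot: The three inserted lines `--ro-bind /lib/libblkid.so.1 ...`, `--ro-bind /lib/libmount.so.1 ...` and `--ro-bind /lib/libz.so.1 ...` are indented with two spaces while every other argument in this block, including the new ld-musl line, uses three; align them so the continuation list reads consistently. Note also that --ro-bind, unlike --ro-bind-try, makes bwrap abort if the source path is missing, which is what you want for the loader and libc but means this script now fails outright on a non-x86_64 host where /lib/ld-musl-x86_64.so.1 does not exist; the hardcoded architecture deserves a mention next to the list.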
Line 235: Line 251:
   --dev-bind /dev/null /dev/null \
   --dev-bind /dev/null /dev/null \
   --ro-bind-try "${XDG_CONFIG_HOME}/imv/config" "${XDG_CONFIG_HOME}/imv/config" \
   --ro-bind-try "${XDG_CONFIG_HOME}/imv/config" "${XDG_CONFIG_HOME}/imv/config" \
   --ro-bind /lib/ /lib/ \
   --ro-bind /lib/ld-musl-x86_64.so.1 /lib/ld-musl-x86_64.so.1 \
  --ro-bind /lib/libblkid.so.1 /lib/libblkid.so.1 \
  --ro-bind /lib/libmount.so.1 /lib/libmount.so.1 \
  --ro-bind /lib/libz.so.1 /lib/libz.so.1 \
   --ro-bind /sys/dev/char/ /sys/dev/char/ \
   --ro-bind /sys/dev/char/ /sys/dev/char/ \
   --ro-bind /sys/devices/pci0000:00/ /sys/devices/pci0000:00/ \
   --ro-bind /sys/devices/pci0000:00/ /sys/devices/pci0000:00/ \
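Review bot: Same indentation mismatch as in the previous block: the libblkid, libmount and libz lines use two spaces, the neighbouring lines three. This is the second verbatim copy of the four-file list, so any change in imv's /lib/ dependencies must be applied to every script on the page; stating that once near the ldd section, so readers know to re-check all variants after an upgrade, is safer than relying on each block being edited in step.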
Line 323: Line 342:
   --dev-bind /dev/dri/renderD128 /dev/dri/renderD128 \
   --dev-bind /dev/dri/renderD128 /dev/dri/renderD128 \
   --dev-bind /dev/null /dev/null \
   --dev-bind /dev/null /dev/null \
  --ro-bind /etc/fonts/ /etc/fonts/ \
   --bind-try "${XDG_CACHE_HOME}/fontconfig/" "${XDG_CACHE_HOME}/fontconfig/" \
   --bind-try "${XDG_CACHE_HOME}/fontconfig/" "${XDG_CACHE_HOME}/fontconfig/" \
   --ro-bind-try "${XDG_CONFIG_HOME}/fontconfig/" "${XDG_CONFIG_HOME}/fontconfig/" \
   --ro-bind-try "${XDG_CONFIG_HOME}/fontconfig/" "${XDG_CONFIG_HOME}/fontconfig/" \
   --ro-bind-try "${XDG_CONFIG_HOME}/imv/config" "${XDG_CONFIG_HOME}/imv/config" \
   --ro-bind-try "${XDG_CONFIG_HOME}/imv/config" "${XDG_CONFIG_HOME}/imv/config" \
   --ro-bind-try "${XDG_DATA_HOME}/fonts/" "${XDG_DATA_HOME}/fonts/" \
   --ro-bind-try "${XDG_DATA_HOME}/fonts/" "${XDG_DATA_HOME}/fonts/" \
   --ro-bind /etc/fonts/ /etc/fonts/ \
   --ro-bind /lib/ld-musl-x86_64.so.1 /lib/ld-musl-x86_64.so.1 \
   --ro-bind /lib/ /lib/ \
  --ro-bind /lib/libblkid.so.1 /lib/libblkid.so.1 \
  --ro-bind /lib/libmount.so.1 /lib/libmount.so.1 \
   --ro-bind /lib/libz.so.1 /lib/libz.so.1 \
   --ro-bind /sys/dev/char/ /sys/dev/char/ \
   --ro-bind /sys/dev/char/ /sys/dev/char/ \
   --ro-bind /sys/devices/pci0000:00/ /sys/devices/pci0000:00/ \
   --ro-bind /sys/devices/pci0000:00/ /sys/devices/pci0000:00/ \
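Review bot: The `--ro-bind /etc/fonts/ /etc/fonts/` line appears twice in this block, once with two-space indentation before the fontconfig entries and once with three-space indentation after the fonts entry; if this is a reorder the removed copy should be shown as such, otherwise the duplicate bind should be dropped. The libblkid and libmount lines again use two-space indentation while the libz line and the rest of the list use three, and the new ld-musl entry sits before the old `--ro-bind /lib/ /lib/` line, so the list no longer follows the path ordering used elsewhere; fix the indentation and keep the entries sorted so a missing or duplicated bind is easy to spot by eye.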