Tip the first note about Bubblewrap/Examples; make exploring the sandbox its own heading.
← Older revision | Revision as of 05:45, 6 September 2023 | ||
Line 23: | Line 23: | ||
== How to workout what a program needs == | == How to workout what a program needs == | ||
Look at [[Bubblewrap/Examples]] to see various ways | {{Tip|Look at [[Bubblewrap/Examples]] to see various ways {{Ic|bwrap}} can be used.}} | ||
=== Prerequisites === | === Prerequisites === | ||
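Review bot: The heading kept as context directly above the new Tip still reads "How to workout what a program needs"; "workout" is the noun, and the verb form "work out" is what is meant. Since this revision already edits the first line of that section, correct the heading in the same change, after checking whether other pages link to the existing section anchor.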
Line 339: | Line 339: | ||
--ro-bind "${@:-./}" "$(realpath "${@:-./}")" \ | --ro-bind "${@:-./}" "$(realpath "${@:-./}")" \ | ||
/usr/libexec/imv-wayland "${@:-./}"}} | /usr/libexec/imv-wayland "${@:-./}"}} | ||
==== See what exists in the sandbox ==== | |||
Finally test what all is allowed by replacing | Finally test what all is allowed by replacing | ||
{{Ic|/usr/libexec/imv-wayland "${@:-./}" | {{Ic|/usr/libexec/imv-wayland "${@:-./}"}} with {{Ic|/bin/sh}} and | ||
adding {{Ic|--ro-bind /bin/ /bin/ \}}. Check around and see what the | adding {{Ic|--ro-bind /bin/ /bin/ \}}. Check around and see what the | ||
filesystem is like: | filesystem is like: | ||
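Review bot: The paragraph under the new "See what exists in the sandbox" heading tells the reader to add {{Ic|--ro-bind /bin/ /bin/ \}} and to replace the command with {{Ic|/bin/sh}}, but it never says these two changes are for inspection only. Add a sentence stating that the extra bind and the shell are to be reverted once the check is done, because a wrapper left in this state exposes all of /bin to the sandboxed program. The opening "Finally test what all is allowed" would also read more clearly as "Finally, check what is visible inside the sandbox".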
Line 348: | Line 350: | ||
--ro-bind "${@:-./}" "$(realpath "${@:-./}")" \ | --ro-bind "${@:-./}" "$(realpath "${@:-./}")" \ | ||
--ro-bind /bin/ /bin/ \ | --ro-bind /bin/ /bin/ \ | ||
/bin/sh | /bin/sh}} | ||
Invoke {{Ic|bwrap-imv}}: | Invoke {{Ic|bwrap-imv}}: | ||
{{Cmd|$ bwrap-imv}} | {{Cmd|$ bwrap-imv IMAGE}} | ||
Show what environment variables are active: | Show what environment variables are active: | ||
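Review bot: The new invocation {{Cmd|$ bwrap-imv IMAGE}} introduces IMAGE without saying what it stands for. State next to the command that IMAGE is the path of the image file or directory to view, and that the wrapper falls back to the current directory when it is omitted, as the {{Ic|"${@:-./}"}} default in the script shows. Without that, the reader cannot tell why the previous form {{Ic|$ bwrap-imv}} was changed or whether it still works.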
Line 378: | Line 380: | ||
{{Cat|~/.local/bin/bwrap-imv| ... | {{Cat|~/.local/bin/bwrap-imv| ... | ||
--ro-bind "${@:-./}" "$(realpath "${@:-./}")" \ | --ro-bind "${@:-./}" "$(realpath "${@:-./}")" \ | ||
/usr/libexec/imv-wayland "${@:-./}" | /usr/libexec/imv-wayland "${@:-./}"}} | ||
All done with a basic | All done with a basic {{Ic|bwrap}} wrapper. | ||
=== Seccomp === | === Seccomp === |
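Review bot: The final listing keeps {{Ic|--ro-bind "${@:-./}" "$(realpath "${@:-./}")"}}, which is only well-formed for zero or one argument. With two or more paths, {{Ic|"${@:-./}"}} expands to several words, so the first path is taken as the bind source, the second as the destination, and the realpath output is left over as a stray argument. Now that the page documents {{Ic|bwrap-imv IMAGE}}, either say explicitly that the wrapper accepts a single path or switch the script to {{Ic|"${1:-./}"}} so additional arguments cannot change which paths are bound.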
Distro