undefined | Better HN

0 pointsnecovek4y ago0 comments

Thanks: bubblewrap seems to have been extracted from flatpak.

The documentation seems to focus on filesystem access sandboxing. Is there something with practical suggestions on how to sandbox things like webcam access, clipboard, screen (for screen sharing/recording apps), networking... with bubblewrap?

(I know some of that is visible in the filesystem, but not all of it is)

0 comments

pabs34y ago

Look into Flatpak portals. I'm not sure how they work wrt bubblewrap, but they pass limited interfaces to various things into the container. Things on the host side then prompt the user for which webcam/etc the app should get access to. I think they are similar to Android intents in that the app can't ask for access to a specific thing, just for access to certain kind of things and then it is up to the user to choose which one.

necovekOP4y ago

Yes, I am familiar with portals and what they do: I was exactly wondering if bubblewrap contains something similar — it's been ages since I was involved with Linux system architecture (let's say I am stuck in the SysV init world, and I still go for "service apache2 restart" :)), so it'd be great if there was a quick introduction for someone wanting to use flatpak/snap style sandboxing without the dependency management and distribution channels.

pabs34y ago

bubblewrap can bind-mount paths from outside the container inside the container. I haven't verified this but I'm assuming portals are just sockets bind-mounted into the container. I suggest you maybe install Fedora in a VM and run a flatpak app there that uses portals and try to inspect what files are passed into the container.

j / k navigate · click thread line to collapse

0 pointsnecovek4y ago0 comments

Thanks: bubblewrap seems to have been extracted from flatpak.

(I know some of that is visible in the filesystem, but not all of it is)

0 comments

pabs34y ago

necovekOP4y ago

pabs34y ago

j / k navigate · click thread line to collapse