Code Monkey home page Code Monkey logo

bubblebox's People

Contributors

ralfjung avatar

Stargazers

avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar

Watchers

avatar avatar avatar

bubblebox's Issues

Quick analysis from bubblejail author

Hello,

Thank you for mentioning bubblejail in your blog post. I noticed that the traffic bubblejail's github page has significantly increased after it.

Looked through your code on and here are some thing I noticed:

bubblebox/bubblebox.py

Lines 5 to 7 in 249a363

XDG_RUNTIME_DIR = os.environ["XDG_RUNTIME_DIR"]
BUBBLEBOX_DIR = XDG_RUNTIME_DIR + "/bubblebox"
os.makedirs(BUBBLEBOX_DIR, exist_ok=True)

XDG_RUNTIME_DIR might not exist when running in non desktop environment. For example in CI.

bubblebox/profiles.py

Lines 45 to 47 in 249a363

"/tmp/.X11-unix/": {
"X"+os.environ["DISPLAY"].removeprefix(":"): Access.Read,
},

DISPLAY variable is much more complex. For example, :0.1 is dislay 0 and screen 1 but it the actual socket is /tmp/.X11-unix/X0. See this man page.

bubblebox/profiles.py

Line 48 in 249a363

os.environ["XAUTHORITY"]: Access.Read,

XAUTHORITY is not always present. Some environments run without it.

bubblebox/profiles.py

Line 58 in 249a363

dbus_proxy_flags("--talk=org.kde.StatusNotifierWatcher.*", "--talk=org.freedesktop.Notifications.*", "--talk=org.freedesktop.ScreenSaver.*", "--talk=org.freedesktop.portal.*"),

The D-Bus permissions are way to broad for notifications and screensaver. Some desktop environments acquire those names but export a lot more objects and interfaces under them. I recommend restricting object path and interface name with --call argument.

bubblebox/bubblebox.py

Lines 60 to 74 in 249a363

args = ["/usr/bin/xdg-dbus-proxy", "--fd="+str(other_end)]
args += [os.environ["DBUS_SESSION_BUS_ADDRESS"], filename, "--filter"] + bwrap.dbus_proxy_flags
#pprint(args)
subprocess.Popen(
args,
pass_fds = [other_end], # default is to pass only the std FDs!
)
# Wait until the proxy is ready
os.read(bwrap_end, 1)
assert os.path.exists(filename)
# Make sure bwrap can access the other end of the pipe
os.set_inheritable(bwrap_end, True)
# Put this at the usual location for the bus insode the sandbox.
# TODO: What if DBUS_SESSION_BUS_ADDRESS says something else?
bwrap.flags.extend(("--bind", filename, XDG_RUNTIME_DIR + "/bus", "--sync-fd", str(bwrap_end)))

I don't see the system socket being proxied? I've encountered several applications that don't work when system bus is missing while session bus is present.

Recommend Projects

  • React photo React

    A declarative, efficient, and flexible JavaScript library for building user interfaces.

  • Vue.js photo Vue.js

    ๐Ÿ–– Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.

  • Typescript photo Typescript

    TypeScript is a superset of JavaScript that compiles to clean JavaScript output.

  • TensorFlow photo TensorFlow

    An Open Source Machine Learning Framework for Everyone

  • Django photo Django

    The Web framework for perfectionists with deadlines.

  • D3 photo D3

    Bring data to life with SVG, Canvas and HTML. ๐Ÿ“Š๐Ÿ“ˆ๐ŸŽ‰

Recommend Topics

  • javascript

    JavaScript (JS) is a lightweight interpreted programming language with first-class functions.

  • web

    Some thing interesting about web. New door for the world.

  • server

    A server is a program made to process requests and deliver data to clients.

  • Machine learning

    Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.

  • Game

    Some thing interesting about game, make everyone happy.

Recommend Org

  • Facebook photo Facebook

    We are working to build community through open source technology. NB: members must have two-factor auth.

  • Microsoft photo Microsoft

    Open source projects and samples from Microsoft.

  • Google photo Google

    Google โค๏ธ Open Source for everyone.

  • D3 photo D3

    Data-Driven Documents codes.