this post was submitted on 20 Aug 2023
linuxmemes
`bwrap` is so much better without Flatpak. To start you off:

```
$ bwrap --dev-bind / / --tmpfs ~ bash
```

This basically gives you a shell in a clean virtual home directory (but no meaningful security improvement yet). You can test new builds of software as if you have only the default settings. If you need to access files, move them to `/tmp/`.

To see the clean virtual home directory, replace `--tmpfs ~` with `--bind "$(mktemp -d)" ~`. You can browse it where `mktemp` puts it (usually `/tmp/*`).

To start to lock down security, replace the `--dev-bind` with `--ro-bind`, and add various `--new-session`, `--uid`/`--gid`, and `--unshare-all`/`--unshare-*` flags. You can run untrusted and semi-trusted/less-trusted applications with less security risk this way (as long as you're aware of pitfalls, such as the `/tmp/.X11-unix/X0` socket and other possible avenues of escape).

To block network access, use `--unshare-net` or `--unshare-all`. To virtualize `/dev` and `/proc`, use `--dev /dev` and `--proc /proc`. Some programs might need `--dev-bind /dev/dri /dev/dri` for graphics driver access, or similar constructs.

EDIT: …I actually created a way to create completely portable application executables for Linux by using `bwrap` (or `proot`, as a fallback) to virtualize a Nix root from inside an AppImage, earlier this year. `bwrap` offers a lot of granularity in modifying and containing the virtual environment, to the degree that you can basically emulate an entire guest OS/distro on top of the host distro, without even needing `root` privileges — and without even needing `bwrap` itself to be installed, since it can work using entirely standard Linux kernel features.
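The progression the comment describes, as an added example that is not part of the original comment: a "clean-home" profile (the starting point, no isolation) and a "locked" profile (read-only host, private `/dev` and `/proc`, all namespaces unshared, new session). The profile names, the `GRAPHICS` variable and the `--die-with-parent` flag are my assumptions; `$HOME` is assumed to be set.

```sh
# Compose a bwrap invocation for one of two profiles (names assumed here):
#   clean-home  fresh tmpfs home over the host root; testing only, no isolation
#   locked      read-only host, fresh home, private /dev and /proc, no network
# Arguments are printed one per line so they can be inspected or re-used.
build_bwrap_args() {
  profile=$1; shift                      # remaining "$@" is the program to run
  case "$profile" in
    clean-home)
      # Host root read-write and device nodes visible: no security gain yet.
      set -- --dev-bind / / --tmpfs "$HOME" "$@"
      ;;
    locked)
      # GRAPHICS=1 (assumed knob) binds only the GPU nodes back in after the
      # private /dev is mounted; bind order matters, later mounts win.
      gfx=
      if [ "${GRAPHICS:-0}" = 1 ]; then gfx="--dev-bind /dev/dri /dev/dri"; fi
      # Read-only host, throwaway home, private /dev and /proc, every namespace
      # unshared (network included), a new session so the child cannot push
      # input into the parent tty, and teardown when the launcher exits.
      set -- --ro-bind / / --tmpfs "$HOME" --dev /dev --proc /proc $gfx \
             --unshare-all --new-session --die-with-parent "$@"
      ;;
    *)
      echo "unknown profile: $profile" >&2; return 2
      ;;
  esac
  printf '%s\n' "$@"
}

# Run the program under bwrap when it is installed; otherwise report and fail.
run_sandboxed() {
  command -v bwrap >/dev/null 2>&1 || { echo "bwrap not installed" >&2; return 127; }
  # Re-split the printed list on newlines only (set -f keeps globs literal).
  set -f; IFS='
'; set -- $(build_bwrap_args "$@"); unset IFS; set +f
  bwrap "$@"
}

# Usage: GRAPHICS=1; run_sandboxed locked ./untrusted-app
```

Inspect the generated list with `build_bwrap_args locked ./untrusted-app` before running it; the X11 socket caveat from the comment still applies to anything you bind back in.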