System-wide sandboxing framework - sandbox-app-launcher

bubblewrap cannot run applications that require root or the protection would be zero?

sandboxed-tor-browser (now deprecated) was using bubblewrap. The old source code might still be useful. The design documentation is probably still useful.

Quote

Yes. The current implementation of the sandbox does little to nothing to defend against Firefox doing evil things to or via the X socket.

If you want to attempt to mitigate this, the best options are:

Run 0.0.8-dev or newer, where "something, but not likely enough" is done to defend against some of the easier evil.
Use a nested X11 implementation like Xephyr or Xpra.
Sit there and pray that Wayland will fix everything. 

The ideal solution at current time is probably to do all three.

An advanced configuration option for setting the DISPLAY that Firefox will use is provided to enable easier nested X11 usage.

(Thanks to “Jann Horn of Google Project Zero” for pointing out that the documentation doesn’t make it obvious that such things are beyond the threat model.)

Nested X11 will probably have broken clipboard? Maybe xclipsync could solve that but that’s just piling up hacks. Could you please try to use Xfce with Wayland first? That would fix the issue at the root.

Quote

How do I get sound to work?

WARNING: This is likely unsafe against sophisticated adversaries.

As it stands right now, if PulseAudio is enabled in the sandbox, Firefox will get direct access to the host system’s socket. There are likely non-trivial ways to use this to read files from the host filesystem.

(Thanks to “Jann Horn of Google Project Zero” for pointing out that this is a possibility.)

If you don’t care about this possibility, assuming your system is running PulseAudio ( pulseaudio --check -v ), enable it via the sandbox config. PulseAudio is required due to the sandbox container not having direct access to hardware, and there being basically nothing better despite the potential escape vectors.

For what it’s worth, un-sandboxed Tor Browser also requires PulseAudio as of version 7.0, due to it being made a requirement for Firefox (See: https://bugzilla.mozilla.org/show_bug.cgi?id=1247056)

Some ideas for investigation…

Ask upstream?

Are containers any option? Init (systemd or …) can boot super fast inside a systemd-nspawn container.

Runtimes And the Curse of the Privileged Container — Christian Brauner makes the argument that privileged containers (which don’t have a solid definition as he points out) cannot be made secure if root is running inside these.

Might be possible to run systemd-nspawn unprivileged. Kept some notes here, maybe it’s possible to run non-root applications securely in systemd-nspawn, maybe it could be combined with bubblewrap:

Install Debian (based) Linux Distributions in a Folder (chroot)

Or maybe it’s not needed. bubblewrap might be able to run init too.

use bubblewrap as an unprivileged user to run systemd images

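As an added example (not code from this post or from the sandboxed-tor-browser project), the following POSIX shell script builds a bubblewrap argument list along the lines of the nested-X11 advice quoted above: the host X socket stays outside the sandbox because /tmp is a fresh tmpfs, DISPLAY points at a Xephyr display whose socket is the only one bound in, and the PulseAudio socket is bound only when explicitly requested (the exposure the second quote warns about). A small check refuses any argument list that would bind the host display's socket. bwrap and Xephyr being installed, the display number :1, the 1280x800 screen size and all function names are assumptions of this example.

```shell
#!/bin/sh
# Added example, not code from the forum post or the sandboxed-tor-browser project.
# Builds a bubblewrap (bwrap) argument list for an X11 application so that the
# host X socket is not visible inside the sandbox and the application talks to a
# nested Xephyr server instead. bwrap, Xephyr, display :1 and the function names
# are assumptions of this example.
set -eu

# Print the bwrap arguments one per line (so they can be inspected or checked).
# $1 = nested display (e.g. :1), $2 = 1 to expose the host PulseAudio socket.
bwrap_args() {
    nested=$1
    pulse=$2
    runtime_dir="${XDG_RUNTIME_DIR:-/run/user/$(id -u)}"
    # Read-only view of the host binaries, an empty /tmp (the host X socket lives
    # in /tmp/.X11-unix and is therefore not visible), and new namespaces for
    # everything except the network.
    printf '%s\n' \
        --ro-bind /usr /usr \
        --symlink usr/lib /lib \
        --symlink usr/lib64 /lib64 \
        --symlink usr/bin /bin \
        --proc /proc \
        --dev /dev \
        --tmpfs /tmp \
        --unshare-all \
        --share-net \
        --die-with-parent \
        --new-session \
        --setenv DISPLAY "$nested"
    # Only the nested server's socket is bound into the otherwise empty /tmp.
    sock="/tmp/.X11-unix/X${nested#:}"
    printf '%s\n' --bind "$sock" "$sock"
    if [ "$pulse" = 1 ]; then
        # Direct access to the host PulseAudio socket, i.e. the exposure the
        # quoted documentation warns about. Clients may additionally need the
        # auth cookie under ~/.config/pulse, which is deliberately not bound here.
        printf '%s\n' \
            --bind "$runtime_dir/pulse/native" "$runtime_dir/pulse/native" \
            --setenv PULSE_SERVER "unix:$runtime_dir/pulse/native"
    fi
}

# Refuse an argument list that would bind the host display's socket into the
# sandbox. $1 = host DISPLAY (e.g. :0); the argument list is read from stdin.
check_no_host_x() {
    host_sock="/tmp/.X11-unix/X${1#:}"
    if grep -qxF -- "$host_sock"; then
        echo "refusing: $host_sock (host X socket) would be visible in the sandbox" >&2
        return 1
    fi
}

# Start Xephyr on the nested display, check the argument list, then run the
# command inside bwrap. $1 = nested display, $2 = pulse flag, rest = command.
run_sandboxed() {
    nested=$1
    pulse=$2
    shift 2
    Xephyr "$nested" -screen 1280x800 -nolisten tcp &
    xephyr_pid=$!
    sleep 1   # let the nested server create its socket
    bwrap_args "$nested" "$pulse" | check_no_host_x "${DISPLAY:-:0}" \
        || { kill "$xephyr_pid"; return 1; }
    # Paths in this example contain no whitespace, so word-splitting is safe here.
    bwrap $(bwrap_args "$nested" "$pulse") -- "$@"
    kill "$xephyr_pid"
}

# Usage: ./nested-x-sandbox.sh :1 0 /usr/bin/some-x11-app
if [ $# -ge 3 ]; then
    run_sandboxed "$@"
fi
```

The clipboard caveat from the post still applies: with only the Xephyr socket visible, the sandboxed application shares a clipboard with other Xephyr clients, not with the host display. Keeping the PulseAudio flag at 0 is the safer default; turning it on is a deliberate widening of what the sandbox can reach.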