At each DPkg::Post-Invoke event maybe the right thing to do is to iterate through all of PATH?
I still think an DPkg::Post-Invoke hook is OK to create a wrapper. But the actual questions should be asked at first start of the program (if any, non-avoidable). The wrapper could check at first start if questions already answered or still needed to ask. That way lots of applications which are never used don’t need to be configured.
…then also not sure how to solve the issue of starting applications without any input (graphical or console) connected, i.e. started by cron, systemd or other scripts/programs internally. Maybe that becomes more clear later during development when we discuss a few applications specifically and which defaults seem sensible.
That feature used to cause breakage all over the place. I always disabled it because may major programs were never written to use memory that way and I had things to get on with.
Could you please add the usual apparmor local line?
# Site-specific additions and overrides. See local/README for details.
#include <local/usr.bin.sdwdate>
Apparmor profile needs path update?
Packaging is done for now. sandbox-app-launcher is now available from Whonix developers repository. Does the package look as expected? If that is confirmed it would be easy to copy to all Whonix repositories including the stable repository as it isn’t installed by default, there are no existing users which could have a setup that would break, and therefore have almost zero chance of causing issues for anyone who doesn’t wish to test it. However, it would make thing a lot easier for testers to get it installed.
Does building the package from source work for you?
This looks rather strange. Opening a subshell and executing something there. Better done without a subshell. Easier to understand and less risky. Also easier to read xtrace.
What are these file descriptors 10, 11, 12 for?
We have to be careful with the sudo call to avoid any privilege escalation. I haven’t found any ways yet but the bash -c and subshell makes it hard to me to understand.
bwrap_args is currently not set under any circumstances. Therefore it could be set as an environment variable. When using sudo -E sandbox-app-launcher such environment variables.
sandbox-app-launcher needs to survive malicious user input such as
Could you put the compiled / auto generated files into a different folder please? More clean to separate source code and compiled code. The folder could have autogenerated, compiled or something in its name to make clear we can wipe it in the Debian postrm script.
bwrap: Can't read seccomp data: Bad file descriptor
I’ve no clue why that is though. If you just copy/paste in the command without bash -c and execute it manually, it works fine. It only breaks without bash -c in the script.
I just randomly thought bash -c might fix it and it did so it’s there now.
Bubblewrap can take in data from file descriptors. If you look at the bwrap command you’ll see: