Using bubblewrap to add sandboxing to NetBSD

qwertox|3 months ago

Bubblewrap is a really interesting project, really worth checking out.

https://github.com/containers/bubblewrap

It's the base for Flatpack, the thing that makes Flatpack be sandboxed.

I use it to run Claude Code / Codex / Gemini CLI, to make sure that they have a limited / fake view of my system.

You can bind directories into it, or overlay them into it, restrict other kinds of access.

If Docker is a thing in a scale between a VM and your OS, Bubblewrap is a thing a scale between Docker and your OS. You use your OS, instead of installing and managing an OS like you do with Docker, but you get filesystem and process isolation like with Docker.

Though I had an issue where I cannot use `--new-session`, which is kind of dangerous to not use, but you can get around it if you use seccomp to block ioctl calls, and ptrace.

globular-toast|3 months ago

I documented what I came up with for Claude Code: https://blog.gpkb.org/posts/ai-agent-sandbox/ However, I couldn't get this to work for Codex, it kept failing at the auth bit and I couldn't figure out how to fix it. Anyone got a working solution for Codex?

aborsy|3 months ago

A question.

How do you know what permissions are required by an application, to write a bubblewrap script?

In AppArmor, you exercise the application and aa-logprof suggests permissions requested by application. If you know AppArmor, usually you can refine those suggestions and write a profile. It may not be ideal, as aa-logprof’s permissions are multiple choice suggestions, require user knowledge and may be too broad or specific, but it could work. You will see that there are many and all kinds of permissions, and there is no way that you will be able to guess them without aa-logprof.

What is the equivalent of aa-logprof in bubblewrap and how do you find the required permissions?

jaytaylor|3 months ago

Have you seen Leash?

https://github.com/strongdm/leash

It even has a --darwin macOS-native mode which goes beyond the capabilities and guarantees of sandbox-exec and bubblewrap.

Full-disclosure: I am one of the authors.

udev4096|3 months ago

bubblewrap escapes are not unheard of. Infact, it's a common theme that the general linux landscape lacks strong sandboxing, even if you use bwrap, firejail, etc. Especially linux desktop, a security firehazard to say the least unless you are using QubesOS

Imustaskforhelp|3 months ago

I am curious but what are your thoughts on

https://hanako.codeberg.page/ (Flatpak is not a sandbox)

matesz|3 months ago

As a side note NetBSD is THE ONLY operating system of which binaries are fully bit by bit reproducible.

Moreover it vendores patched gcc compiler, so the entire toolchain is reproducible too as well.

How cool is that?! For the record golang brings it further - its entire package registry containing +40mln packages is bit by bit reproducible.

opan|3 months ago

Are you sure GNU Guix System doesn't share this attribute?

eikenberry|3 months ago

Debian has an ongoing project (https://wiki.debian.org/ReproducibleBuilds) to have 100% reproducible builds and are getting pretty close (numbers wise). Other Linux distros are working toward it as well. Many people care about this ... https://reproducible-builds.org/.

pabs3|3 months ago

Is NetBSD also reproducible from source without using NetBSD binaries?

https://bootstrappable.org/ https://stagex.tools/

ksec|3 months ago

I thought FreeBSD has it as well with v15?

NeutralForest|3 months ago

Can you explain what reproducible mean in this context? Does that mean that you can recompile everything from "scratch" or does it have a deeper meaning?

dsp_person|3 months ago

It's possible to run a full DE bwrapped.

    bwrap --dev-bind /dev /dev --tmpfs /tmp -- labwc
    bwrap --dev-bind /dev /dev --tmpfs /tmp -- kwin_wayland konsole
    bwrap --dev-bind /dev /dev --tmpfs /tmp -- startplasma-wayland

eglgears_wayland and nvtop show gpu works.

That's obviously super permissive, but from there can take things away to expose as much or little of the host system as needed.

For my system I'm working on making a few bwrapped "zones". E.g. start a terminal that can see a certain subset of files, and can configure whether it should use gpu or not, have internet or not, have access to local network or not, etc. A bit more project/environment focused than bwrapping programs one by one.

jmclnx|3 months ago

Always nice to see NetBSD posts here, that nice OS gets hardly any press.

aborsy|3 months ago

I experimented bubblewrap as a better alternative to firejail. Unfortunately there are scripts for few applications. It’s tool for developers. Users are better off flatpaks powered by bubblewrap .

johnisgood|3 months ago

I have been using firejail for a long time now. It seem to work well for me. At times I have to write my own profiles, yeah.

Imustaskforhelp|3 months ago

I wanted to build flatpaks cli applications and I still don't understand how to build a flatpak cli in the first place and I have asked in some communities and they mention things like vim being in flatpak but I more so need a definitive guide on how to publish a cli application to flatpak

A lot of focus in flatpak sadly gets focused on guis and not clis

Like how much efforts would it take to convert a golang static binary/project cli to flatpak?

DeathArrow|3 months ago

I would have loved to see something like OCI containers.

yjftsjthsd-h|3 months ago

This would underpin that, right? First you build the namespace primitives, then you put the handy wrapper on top that composes a root fs and spawns a container from it using those namespace primitives

lovegrenoble|3 months ago

bubblewrap popping )) https://brainteaser.top/bubblespop.html

36 comments