README
¶
aisap permissions
Simplified permissions and what actual bwrap flags they correspond to
Base levels
As you can see, level 1 gives access to a wide range of system files, but personal [HOME] files are still restricted. Level 1 is intended to allow some sandboxing of apps that refuse to with higher levels
Level 1:
--ro-bind /bin /bin--dev-bind /dev /dev--ro-bind /etc /etc--ro-bind /lib /lib--ro-bind /lib32 /lib32--ro-bind /lib64 /lib64--ro-bind /opt /opt--ro-bind /sbin /sbin--ro-bind /sys /sys--ro-bind /usr /usr--ro-bind [HOME]/.fonts [SANDBOX HOME]/.fonts--ro-bind [HOME]/.config/fontconfig [SANDBOX HOME]/.config/fontconfig--ro-bind [HOME]/.config/gtk-3.0 [SANDBOX HOME]/.config/gtk-3.0
Level 2 goes into more specifics within /usr, and gives no access to /etc by default. It should be used for a large majority of graphical applications
Level 2:
--ro-bind /bin /bin--ro-bind /lib /lib--ro-bind /lib32 /lib32--ro-bind /lib64 /lib64--ro-bind /opt /opt--ro-bind /sbin /sbin--ro-bind /sys /sys--ro-bind /usr/bin /usr/bin--ro-bind /usr/lib /usr/lib--ro-bind /usr/lib32 /usr/lib32--ro-bind /usr/lib64 /usr/lib64--ro-bind /usr/sbin /usr/sbin--ro-bind /usr/share/applications /usr/share/applications--ro-bind /usr/share/fontconfig /usr/share/fontconfig--ro-bind /usr/share/fonts /usr/share/fonts--ro-bind /usr/share/glib-2.0 /usr/share/glib-2.0--ro-bind /usr/share/glvnd /usr/share/glvnd--ro-bind /usr/share/icons /usr/share/icons--ro-bind /usr/share/libdrm /usr/share/libdrm--ro-bind /usr/share/mime /usr/share/mime--ro-bind /usr/share/themes /usr/share/themes--ro-bind [HOME]/.fonts [SANDBOX HOME]/.fonts--ro-bind [HOME]/.config/fontconfig [SANDBOX HOME]/.config/fontconfig--ro-bind [HOME]/.config/gtk-3.0 [SANDBOX HOME]/.config/gtk-3.0
For minimal access, level 3 only gives access to system binaries and libraries
Level 3:
--ro-bind /bin /bin--ro-bind /lib /lib--ro-bind /lib32 /lib32--ro-bind /lib64 /lib64--ro-bind /opt /opt--ro-bind /sbin /sbin--ro-bind /usr/bin /usr/bin--ro-bind /usr/lib /usr/lib--ro-bind /usr/lib32 /usr/lib32--ro-bind /usr/lib64 /usr/lib64--ro-bind /usr/sbin /usr/sbin
For further security or to run an AppImage designed for another distro, you can use (AppImage) SetRootDir() to change where it pulls system files from
Sockets
alsa:
/usr/share/alsa/etc/alsa/etc/group/dev/snd
audio: pulseaudio and alsa combined
cgroup:
same as not using --unshare-cgroup-try in bwrap
dbus:
$XDG_RUNTIME_DIR/bus
ipc:
same as not using --unshare-ipc in bwrap
network:
/etc/ca-certificates/etc/resolv.conf/etc/ssl/usr/share/ca-certificates
pid:
same as not using --unshare-pid in bwrap
pipewire:
$XDG_RUNTIME_DIR/pipewire-0
pulseaudio:
$XDG_RUNTIME_DIR/pulse/etc/pulse
session:
same as not using --new-session in bwrap
user:
same as not using --unshare-user-try in bwrap
uts:
same as not using --unshare-uts in bwrap
wayland:
$XDG_RUNTIME_DIR/$WAYLAND_DISPLAY/usr/share/x11
x11:
$XAUTHORITY$TMPDIR/.X11-unix/X[DISPLAY]
Devices
dri:
/sys/devices/pci000:00/dev/nvidiactl/dev/nvidia0
Documentation
¶
Index ¶
- Variables
- type AppImagePerms
- func (p *AppImagePerms) AddDevices(s ...string)
- func (p *AppImagePerms) AddFiles(s ...string)
- func (p *AppImagePerms) AddSockets(socketStrings ...string) error
- func (p *AppImagePerms) RemoveDevices(s ...string)
- func (p *AppImagePerms) RemoveFiles(s ...string)
- func (p *AppImagePerms) RemoveSockets(s ...string)
- func (p *AppImagePerms) SetLevel(l int) error
- type File
- type Socket
Constants ¶
This section is empty.
Variables ¶
var (
InvalidSocket = errors.New("socket invalid")
)
Functions ¶
This section is empty.
Types ¶
type AppImagePerms ¶
type AppImagePerms struct {
Level int `json:"level"` // How much access to system files
Files []string `json:"filesystem"` // Grant permission to access files
Devices []string `json:"devices"` // Access device files (eg: dri, input)
Sockets []Socket `json:"sockets"` // Use sockets (eg: x11, pulseaudio, network)
// TODO: rename to PersistentHome or something
DataDir bool `json:"data_dir"` // Whether or not a data dir should be created (only
// Only intended for unmarshalling, should not be used for other purposes
Names []string `json:"names"`
}
func FromIni ¶
func FromIni(e *ini.File) (*AppImagePerms, error)
FromIni attempts to read permissions from a provided *ini.File, if fail, it will return an *AppImagePerms with a `Level` value of -1 and and error
func FromReader ¶
func FromReader(r io.Reader) (*AppImagePerms, error)
func FromSystem ¶
func FromSystem(name string) (*AppImagePerms, error)
FromSystem attempts to read permissions from a provided desktop entry at ~/.local/share/aisap/profiles/[ai.Name] This should be the preferred way to get permissions and gives maximum power to the user (provided they use a tool to easily edit these permissions, which I'm also planning on making)
func (*AppImagePerms) AddDevices ¶
func (p *AppImagePerms) AddDevices(s ...string)
func (*AppImagePerms) AddFiles ¶
func (p *AppImagePerms) AddFiles(s ...string)
func (*AppImagePerms) AddSockets ¶
func (p *AppImagePerms) AddSockets(socketStrings ...string) error
func (*AppImagePerms) RemoveDevices ¶
func (p *AppImagePerms) RemoveDevices(s ...string)
func (*AppImagePerms) RemoveFiles ¶
func (p *AppImagePerms) RemoveFiles(s ...string)
func (*AppImagePerms) RemoveSockets ¶
func (p *AppImagePerms) RemoveSockets(s ...string)
func (*AppImagePerms) SetLevel ¶
func (p *AppImagePerms) SetLevel(l int) error
Set sandbox base permission level
type Socket ¶
type Socket string
const ( X11 Socket = "x11" Alsa Socket = "alsa" Audio Socket = "audio" PulseAudio Socket = "pulseaudio" Wayland Socket = "wayland" Dbus Socket = "dbus" Cgroup Socket = "cgroup" Network Socket = "network" Pid Socket = "pid" Pipewire Socket = "pipewire" Session Socket = "session" User Socket = "user" Uts Socket = "uts" )
Source Files