
dcdbb0372c2c28ec4ebb524935c06f131d7fd820 — Rohan Kumar 2 years ago 40c67be
Fix: add clone3 and a missing DRM_IOCTL syscall

The former is needed for recent versions of some common libs, the latter
is needed for FF.
M firefox-sandbox => firefox-sandbox +5 -3
@@ 12,12 12,14 @@ xdg_runtime="${XDG_RUNTIME_DIR-/run/user/$(id -u)}"
# mime, icons, and glib need to be shared for save dialogs to work
# xcb needs to be shared when launching after an update
# /tmp/.X11-unix access allows isolating network namespace
# no access to pulseaudio/pipewire.
env -i bwrap \
	--symlink usr/lib /lib \
	--symlink usr/lib64 /lib64 \
	--ro-bind /tmp/.X11-unix /tmp/.X11-unix \
	--ro-bind /usr/lib /usr/lib \
	--ro-bind /usr/lib64 /usr/lib64 \
	--ro-bind /opt/firefox-trunk /opt/firefox-trunk \
	--ro-bind /usr/share/X11/xkb /usr/share/X11/xkb \
	--ro-bind /usr/share/themes /usr/share/themes \
	--ro-bind /usr/share/icons /usr/share/icons \


@@ 54,7 56,7 @@ env -i bwrap \
	--ro-bind /sys/devices/pci0000:00 /sys/devices/pci0000:00 \
	--ro-bind /sys/devices/i915 /sys/devices/i915 \
	--unshare-all --share-net \
	--setenv LD_LIBRARY_PATH /usr/lib64/firefox \
	--setenv LD_LIBRARY_PATH /opt/firefox-trunk \
	--setenv DISPLAY "$DISPLAY" \
	--setenv GTK_THEME "Breeze-Dark" \
	--setenv "MOZ_ENABLE_WAYLAND" "1" \


@@ 65,7 67,7 @@ env -i bwrap \
	--hostname RESTRICTED \
	--new-session --die-with-parent --cap-drop ALL \
	--seccomp 9 \
	/usr/lib64/firefox/firefox-bin "$@" \
	9<"$xdg_data/seccomp/seccomp-filter-chromium.bpf"
	/opt/firefox-trunk/firefox-bin "$@" \
	9<"$xdg_data/seccomp/seccomp-filter-ff.bpf"

# vi:ft=sh
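Review bot: The Firefox install location is now spelled out three times on the new side — the `--ro-bind /opt/firefox-trunk /opt/firefox-trunk` mount in the first hunk, `--setenv LD_LIBRARY_PATH /opt/firefox-trunk` in the second, and `/opt/firefox-trunk/firefox-bin "$@"` in the third — so a future move of the build can leave the bind, the library path and the exec path disagreeing, which would surface as a confusing "No such file" from inside the sandbox rather than a clear error. Defining it once next to `xdg_runtime`, e.g. `ff_root=/opt/firefox-trunk`, and using `"$ff_root"` in those three places keeps them in step; the `env -i bwrap \` command itself starts in the first hunk and runs through all three, so the change is confined to this one invocation. The same holds for the seccomp filter name in the last hunk: the script loads a prebuilt `seccomp-filter-ff.bpf` via `9<`, so the whitelist edits in this commit presumably only take effect once that file is regenerated — a comment such as `# regenerate seccomp-filter-ff.bpf after editing seccomp-whitelists/` next to the `--seccomp 9` line would make that dependency visible. Note that the redirection fails closed: a missing filter file aborts before `bwrap` runs, which is the right default for a sandbox launcher.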

M seccomp-whitelists/seccomp-allowed-default => seccomp-whitelists/seccomp-allowed-default +1 -0
@@ 19,6 19,7 @@ clock_getres
clock_gettime
clock_nanosleep
clone
clone3
close
connect
copy_file_range
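Review bot: Allowing `clone3` here has a consequence that the `clone` entry above it does not: seccomp can only inspect syscall register arguments, and clone3 passes its flags inside a `struct clone_args` in user memory, so no argument-level restriction (the `ioctl 1 …` style used elsewhere in these lists) can ever be applied to it. The visible `clone` entry carries no argument filter either, so nothing is weakened by this commit as it stands, but any later attempt to constrain clone flags would have to deny clone3 outright to be effective. A one-line comment beside the entry would preserve that reasoning, assuming the list format accepts comments: `# clone3: flags are in a userspace struct, seccomp cannot filter them — keep in sync with any clone restrictions`. This appears to be a shared default list, so the note applies to every sandbox built from it, not just Firefox.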

M seccomp-whitelists/seccomp-allowed-ff => seccomp-whitelists/seccomp-allowed-ff +1 -0
@@ 20,6 20,7 @@ ioctl 1 DRM_IOCTL_I915_QUERY
ioctl 1 DRM_IOCTL_PRIME_HANDLE_TO_FD
ioctl 1 DRM_IOCTL_SYNCOBJ_CREATE
ioctl 1 DRM_IOCTL_SYNCOBJ_DESTROY
ioctl 1 DRM_IOCTL_SYNCOBJ_WAIT
ioctl 1 DRM_IOCTL_VERSION
ioctl 1 FIONBIO
ioctl 1 FIONREAD
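Review bot: The new `ioctl 1 DRM_IOCTL_VERSION` entry is consistent with the surrounding DRM request whitelist (argument index 1 matched against the request code, names kept in sorted order), but the list gives no hint of why each request is required, and the commit message only says this one is "needed for FF". If the format permits comments, a short provenance note per entry, e.g. `# DRM_IOCTL_VERSION: driver version query, added for Firefox GPU init`, would make future pruning of this list safer than guessing which DRM requests are still in use. DRM_IOCTL_* request codes embed the argument struct size, so the generator that turns these names into the `.bpf` must resolve them for the target architecture; that step is outside this page, so I cannot confirm it does.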