Bind executable inside sandbox

ls0h · Feb 3, 2021 · 14361eb · 14361eb
1 parent 4bcbd5a
commit 14361eb
Show file tree

Hide file tree

Showing 2 changed files with 21 additions and 4 deletions.
diff --git a/bubblejail/bubblejail_instance.py b/bubblejail/bubblejail_instance.py
@@ -275,6 +275,22 @@ async def async_run_init(
 
         async with init:
             bwrap_args = ['/usr/bin/bwrap']
+
+            if not args_to_run:
+                exec_path: str = init.executable_args[0]
+                args_to_run = list(self.rewrite_arguments(init.executable_args))
+            else:
+                exec_path: str = args_to_run[0]
+                args_to_run = list(self.rewrite_arguments(args_to_run))
+            # Read only bind the executable file if it is not in /bin, /sbin, etc...
+            if not (exec_path.startswith('/bin') or exec_path.startswith('/sbin')
+                    or exec_path.startswith('/usr/bin/') or exec_path.startswith('/usr/sbin/')
+                    or exec_path.startswith('/usr/local/bin/') or exec_path.startswith('/usr/local/sbin/')
+                    or exec_path.startswith('/opt')):
+                exec_filename = exec_path.split('/')[-1]
+                init.bwrap_options_args.extend(('--ro-bind', exec_path, f'/tmp/{exec_filename}'))
+                args_to_run[0] = f'/tmp/{exec_filename}'
+
             # Pass option args file descriptor
             bwrap_args.append('--args')
             bwrap_args.append(str(init.get_args_file_descriptor()))
@@ -291,10 +307,7 @@ async def async_run_init(
             if debug_shell:
                 bwrap_args.append('--shell')
 
-            if not args_to_run:
-                bwrap_args.extend(init.executable_args)
-            else:
-                bwrap_args.extend(self.rewrite_arguments(args_to_run))
+            bwrap_args.extend(args_to_run)
 
             if dry_run:
                 print('Bwrap options: ')

diff --git a/bubblejail/services.py b/bubblejail/services.py
@@ -327,6 +327,10 @@ class BubblejailDefaults(BubblejailService):
     def __iter__(self) -> ServiceGeneratorType:
         # Defaults can't be disabled
 
+        # FUSE support for AppImage and other mounts inside sandbox
+        yield DevBind('/dev/fuse')
+        yield Symlink('/proc/self/mounts', '/etc/mtab')
+
         # Distro packaged libraries and binaries
         yield ReadOnlyBind('/usr')
         yield ReadOnlyBind('/opt')