| LICENSE | ||
| lockings | ||
| README.md | ||
lockings
lockings is a simple sandbox manager written in Python that uses bubblewrap and xdg-dbus-proxy. It allows the creation of sandboxes using a JSON file, with a simple permission system. It generates "launcher" shell scripts which launch the sandboxed program, thus increasing customizability.
quick start
Clone the repository on your machine and run the lockings script. Keep reading below to learn how to use it.
Lockings itself has no dependencies aside from Python, however, the launcher scripts generated by it require bubblewrap, and, if using the dbus-proxy permission, xdg-dbus-proxy as well.
configuration
Configuration is done through a JSON file located at ~/.config/lockings/config.json. If you'd like, you can use a different path by passing it as an argument (lockings ~/some/path/config.json).
The default configuration looks like this:
{
"sandboxes_path": "/home/user/.sandboxes",
"scripts_path": "/home/user/.local/bin",
"sandboxes": []
}
The sandboxes_path is the directory where the sandboxed "jail" home folders will be created. Each program will see its own "artificial" home folder.
The scripts_path is the directory where the automatically generated shell scripts will be dropped by lockings. These shell scripts launch the sandboxed program - lockings itself never actually launches anything.
The sandboxes property is an array of an object that follows the following structure:
{
"name": "name of the sandbox",
"bin": "the binary of the program which you want to sandbox",
"permissions": [ list of permissions, check out the "permissions" section below for more info ]
}
Here is an example configuration which has a sandbox for Mozilla Firefox:
{
"sandboxes_path": "/home/user/.sandboxes",
"scripts_path": "/home/user/.local/bin",
"sandboxes": [
{
"name": "firefox",
"bin": "firefox",
"permissions": [
"net",
"x11",
"sys",
"dbus-proxy"
]
}
]
}
permissions
Currently, the following permissions are implemented:
| Permission | Description |
|---|---|
| net | Network permission |
| x11 | Exposes the x11 socket. Please note that x11 is a weak point for sandboxing, and thus wayland is recommended |
| sys | Exposes some subdirectories in /sys and /dev/dri. Especially useful for hardware accelerated programs. |
| microphone | Exposes the microphone in /dev/snd |
| share:[permission]:[host path]:[sandbox path] | Binds [host path] from the host to [sandbox path] in the sandbox. If [permission] is r, it will be bound as read-only. Useful for sharing files with the sandbox |
| dbus-proxy | Enables xdg-dbus-proxy and exposes the bus to the host. This permission is required for all subsequent dbus-proxy- permissions. |
| dbus-proxy-talk | Set the talk policy for the given name. Read the xdg-dbus-proxy manpage for more information. |
| dbus-proxy-own | Set the own policy for the given name. Read the xdg-dbus-proxy manpage for more information. |
| dbus-proxy-see | Set the see policy for the given name. Read the xdg-dbus-proxy manpage for more information. |
| dbus-proxy-call | Set the call policy for the given name. Read the xdg-dbus-proxy manpage for more information. |
| dbus-proxy-broadcast | Set the broadcast policy for the given name. Read the xdg-dbus-proxy manpage for more information. |