Sample bubblewrap script
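#!/usr/bin/env bash
# Use bubblewrap to run /bin/bash reusing the host OS binaries (/usr), but with
# separate /tmp, /home, /var, /run, and /etc. For /etc we just inherit the
# host's resolv.conf, and set up "stub" passwd/group files. Not sharing
# /home for example is intentional. If you wanted to, you could design
# a bwrap-using program that shared individual parts of /home, perhaps
# public content.
#
# Another way to build on this example is to remove --share-net to disable
# networking.
#
# What the sandbox sees, as configured below:
#   - /usr, /bin, /lib, /lib64 and /etc/resolv.conf are read-only views of the
#     host's paths.
#   - /tmp, /var, $HOME and /run/user/<uid> are fresh, empty directories inside
#     the sandbox root; nothing written there reaches the host filesystem.
#   - --unshare-all detaches every namespace bwrap supports; --share-net then
#     re-enables network access only.
#   - --die-with-parent tears the sandbox down when this script's parent exits.
#   - /etc/passwd and /etc/group hold only the current user and uid/gid 65534
#     (nobody), so the sandbox cannot enumerate other host accounts.
#
# NOTE(review): the sandboxed shell still shares this script's controlling
# terminal; bwrap's --new-session would detach it (at the cost of job control).
# Whether that matters depends on what runs inside — confirm against your
# threat model before relying on this as an isolation boundary.
set -euo pipefail

# Resolve uid/gid once: both are needed for the sandbox layout and for the
# stub passwd/group entries, and quoting them avoids word-splitting surprises.
uid=$(id -u)
gid=$(id -g)
readonly uid gid

# fds 11 and 12 are attached to the subshell so that the exec'd bwrap inherits
# them; --file copies each fd's contents into the sandbox's /etc.
(exec bwrap --ro-bind /usr /usr \
  --ro-bind /bin /bin \
  --ro-bind /lib /lib \
  --ro-bind /lib64 /lib64 \
  --ro-bind /etc/resolv.conf /etc/resolv.conf \
  --dir /tmp \
  --dir /var \
  --dir "$HOME" \
  --symlink ../tmp var/tmp \
  --unshare-all \
  --share-net \
  --die-with-parent \
  --dir "/run/user/${uid}" \
  --setenv XDG_RUNTIME_DIR "/run/user/${uid}" \
  --file 11 /etc/passwd \
  --file 12 /etc/group \
  /bin/bash) \
  11< <(getent passwd "$uid" 65534) \
  12< <(getent group "$gid" 65534)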