From Fedora Project Wiki

(thanks to rishi for helping out with the patch)
No edit summary
 
(2 intermediate revisions by the same user not shown)
Line 7: Line 7:
# Create a new temporary directory: `mkdir ~/bwrap-test`
# Create a new temporary directory: `mkdir ~/bwrap-test`
# Change to the new directory: `cd ~/bwrap-test`
# Change to the new directory: `cd ~/bwrap-test`
# Use `bubblewrap` to run a command in a sandbox that has no access to the network and only has the `~/bwrap-test` directory bind-mounted: `bwrap --ro-bind /usr /usr --ro-bind --unshare-all --share-net /lib64 /lib64 ls / ` [[FIXME]]
# Use `bubblewrap` to run a command in a sandbox that has no access to the network and only has the `~/bwrap-test` directory bind-mounted: `bwrap --ro-bind /usr /usr --ro-bind /lib64 /lib64 ls / `  
# Try to ping a public server from within a `bubblewrap` sandbox that has network access disabled: `bwrap --unshare-net -- ping 8.8.8.8`
# Try to ping a public server from within a `bubblewrap` sandbox that has network access disabled: `bwrap --unshare-net -- ping 8.8.8.8`
|results=
|results=
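Review bot: the revised step 4 command, `bwrap --ro-bind /usr /usr --ro-bind /lib64 /lib64 ls /`, still does not do what its step text says: it never bind-mounts `~/bwrap-test` and carries no `--unshare-net`, so the sandbox root holds the `usr` and `lib64` mount points rather than the test directory, and the network is not unshared. Either add the bind and the network flag to the command or reword the step to match it. The unchanged ping step has a related gap: `bwrap --unshare-net -- ping 8.8.8.8` binds nothing into the sandbox, so there is no `ping` binary to execute and the command fails whether or not the network is isolated; reusing the `--ro-bind` arguments from step 4 there would make the failure meaningful.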

Latest revision as of 03:50, 16 August 2023

Description

bubblewrap is a core project within the Flatpak project that provides sandboxing capabilities. It runs an application or command in a sandboxed environment where its access to the system is restricted, so that applications can't tamper with the system or access data they shouldn't be able to. This test case ensures the proper functioning of bubblewrap, the sandboxing tool.

Setup

  1. Install bubblewrap: `sudo dnf install bubblewrap`

How to test

  1. Open a terminal.
  2. Create a new temporary directory: `mkdir ~/bwrap-test`
  3. Change to the new directory: `cd ~/bwrap-test`
  4. Use `bubblewrap` to run a command in a sandbox that has no access to the network and only has the `~/bwrap-test` directory bind-mounted: `bwrap --ro-bind /usr /usr --ro-bind /lib64 /lib64 ls /`
  5. Try to ping a public server from within a `bubblewrap` sandbox that has network access disabled: `bwrap --unshare-net -- ping 8.8.8.8`

Expected Results

  1. The `ls /` command inside the sandbox should only show the contents of `~/bwrap-test` directory, demonstrating the isolation.
  2. The `ping` command should fail, indicating that the sandbox successfully restricted network access.
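The two checks above can be scripted so the result does not depend on reading terminal output by eye. The following is an added example, not part of the original test case: it compares the sandbox's `ls /` listing against the two paths the step 4 command binds (`usr`, `lib64`) and confirms that a `--unshare-net` sandbox sees no interface other than loopback. The function names, the `--run` switch and the use of `/usr/sbin/ip` inside the sandbox are assumptions of this example.

```shell
#!/bin/sh
# Added example: check a bubblewrap sandbox's root listing and network isolation.
# Function names are hypothetical; /usr/sbin/ip (iproute) is assumed to be installed.

# Print each entry of a sandbox "ls /" listing ($1) that is not in the
# allow-list (remaining arguments). Empty output means nothing unexpected.
unexpected_entries() {
    listing=$1; shift
    printf '%s\n' "$listing" | while IFS= read -r entry; do
        if [ -z "$entry" ]; then continue; fi
        found=no
        for allowed in "$@"; do
            if [ "$entry" = "$allowed" ]; then found=yes; fi
        done
        if [ "$found" = no ]; then printf '%s\n' "$entry"; fi
    done
}

# Print interface names other than "lo" found in "ip -o link" output ($1).
non_loopback_ifaces() {
    printf '%s\n' "$1" |
        awk -F': ' 'NF >= 2 { sub(/@.*/, "", $2); if ($2 != "lo") print $2 }'
}

# Run both checks against a real sandbox; returns non-zero on any failure.
run_checks() {
    # Same bind mounts as the step 4 command; left unquoted on purpose below.
    binds="--ro-bind /usr /usr --ro-bind /lib64 /lib64"
    listing=$(bwrap $binds ls /) || { echo "FAIL: sandbox did not start"; return 1; }
    extra=$(unexpected_entries "$listing" usr lib64)
    if [ -n "$extra" ]; then echo "FAIL: unexpected entries in /: $extra"; return 1; fi
    # Binding /usr makes the ip binary available, so a failure here is about
    # the sandbox and not about a missing executable.
    links=$(bwrap $binds --unshare-net /usr/sbin/ip -o link) ||
        { echo "FAIL: ip did not run in the sandbox"; return 1; }
    ifaces=$(non_loopback_ifaces "$links")
    if [ -n "$ifaces" ]; then echo "FAIL: non-loopback interfaces: $ifaces"; return 1; fi
    echo "PASS: / holds only bound paths and only loopback is visible"
}

# Only touch the real system when explicitly asked to.
if [ "${1:-}" = "--run" ]; then
    run_checks
fi
```

Save the script and run it with `--run` on the machine under test; without that argument it only defines the functions.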

Optional

For deeper testing:

  1. Try running different applications within the sandbox and check if they are appropriately restricted.
  2. Experiment with different bubblewrap flags to check various sandbox configurations.
  3. Check if applications inside the sandbox are prevented from accessing or modifying sensitive system files.
  4. Ensure that sandboxed applications can't interact with processes outside the sandbox.