(thanks to rishi for helping out with the patch) |
No edit summary |
||
(2 intermediate revisions by the same user not shown) | |||
Line 7: | Line 7: | ||
# Create a new temporary directory: `mkdir ~/bwrap-test` | # Create a new temporary directory: `mkdir ~/bwrap-test` | ||
# Change to the new directory: `cd ~/bwrap-test` | # Change to the new directory: `cd ~/bwrap-test` | ||
# Use `bubblewrap` to run a command in a sandbox that has no access to the network and only has the `~/bwrap-test` directory bind-mounted: `bwrap --ro-bind /usr /usr --ro-bind | # Use `bubblewrap` to run a command in a sandbox that has no access to the network and only has the `~/bwrap-test` directory bind-mounted: `bwrap --ro-bind /usr /usr --ro-bind /lib64 /lib64 ls / ` | ||
# Try to ping a public server from within a `bubblewrap` sandbox that has network access disabled: `bwrap --unshare-net -- ping 8.8.8.8` | # Try to ping a public server from within a `bubblewrap` sandbox that has network access disabled: `bwrap --unshare-net -- ping 8.8.8.8` | ||
|results= | |results= |
Latest revision as of 03:50, 16 August 2023
Description
bubblewrap is a core project in the Flatpak project, which provides sandboxing capabilities. Essentially, bubblewrap helps in running an application or command in a sandboxed environment where its access to the system is restricted. This is instrumental in creating a secure environment where applications can't tamper with the system or access data they shouldn't be able to.This test case ensures the proper functioning of bubblewrap
, the sandboxing tool.
Setup
- Install
bubblewrap
:sudo dnf install bubblewrap
.
How to test
- Open a terminal.
- Create a new temporary directory:
mkdir ~/bwrap-test
- Change to the new directory:
cd ~/bwrap-test
- Use
bubblewrap
to run a command in a sandbox that has no access to the network and only has the~/bwrap-test
directory bind-mounted:bwrap --ro-bind /usr /usr --ro-bind /lib64 /lib64 ls /
- Try to ping a public server from within a
bubblewrap
sandbox that has network access disabled:bwrap --unshare-net -- ping 8.8.8.8
Expected Results
- The
ls /
command inside the sandbox should only show the contents of~/bwrap-test
directory, demonstrating the isolation. - The
ping
command should fail, indicating that the sandbox successfully restricted network access.
Optional
For deeper testing:
- Try running different applications within the sandbox and check if they are appropriately restricted.
- Experiment with different
bubblewrap
flags to check various sandbox configurations. - Check if applications inside the sandbox are prevented from accessing or modifying sensitive system files.
- Ensure that sandboxed applications can't interact with processes outside the sandbox.