Description
bubblewrap is a core project in the Flatpak project, which provides sandboxing capabilities. Essentially, bubblewrap helps in running an application or command in a sandboxed environment where its access to the system is restricted. This is instrumental in creating a secure environment where applications can't tamper with the system or access data they shouldn't be able to. This test case ensures the proper functioning of bubblewrap, the sandboxing tool.
Setup
- Install bubblewrap:
sudo dnf install bubblewrap
How to test
- Open a terminal.
- Create a new temporary directory:
mkdir ~/bwrap-test
- Change to the new directory:
cd ~/bwrap-test
- Use bubblewrap to run a command in a sandbox that has no access to the network and only has the ~/bwrap-test directory bind-mounted:
bwrap --ro-bind /usr /usr --ro-bind /lib64 /lib64 --unshare-all ls /
FIXME
- Try to ping a public server from within a bubblewrap sandbox that has network access disabled:
bwrap --unshare-net -- ping 8.8.8.8
Expected Results
- The ls / command inside the sandbox should only show the contents of the ~/bwrap-test directory, demonstrating the isolation.
- The ping command should fail, indicating that the sandbox successfully restricted network access.
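A failing ping can also mean the binary could not run inside the sandbox at all, so this added example (not part of the original test case) checks isolation directly by listing the network interfaces the sandbox can see. The function names, the script name and the sample data are constructed for illustration, and it assumes /usr and /lib64 hold the needed binaries, as in the steps above.

```shell
#!/bin/sh
# Added example: confirm network isolation by inspecting the sandbox itself.
# Function names and sample data are constructed for this illustration.

# Print interface names from /proc/net/dev-formatted text on stdin.
list_ifaces() {
    awk -F: 'NR > 2 { gsub(/[ \t]/, "", $1); print $1 }'
}

# Succeed only when the listing holds loopback and nothing else.
# Empty input fails too: it means nothing was read from the sandbox.
only_loopback() (
    ifaces=$(list_ifaces | sort -u | tr '\n' ' ')
    [ "$ifaces" = "lo " ]
)

# Read /proc/net/dev from inside a sandbox with every namespace unshared.
# --proc needs the new PID namespace that --unshare-all provides.
sandbox_net_dev() {
    bwrap --ro-bind /usr /usr --ro-bind /lib64 /lib64 --proc /proc \
          --unshare-all -- cat /proc/net/dev
}

# 0 = isolated, 1 = host interfaces visible, 2 = sandbox did not run.
check_isolation() (
    command -v bwrap >/dev/null 2>&1 || exit 2
    out=$(sandbox_net_dev 2>/dev/null) || exit 2
    printf '%s\n' "$out" | only_loopback
)

# Constructed samples of what the two outcomes look like.
SAMPLE_ISOLATED='Inter-|   Receive  |  Transmit
 face |bytes packets|bytes packets
    lo:     0       0     0       0'
SAMPLE_HOST='Inter-|   Receive  |  Transmit
 face |bytes packets|bytes packets
    lo:  4096      32  4096      32
enp1s0: 90210     611 18200     402'

# Run the live check only when asked: sh bwrap-net-check.sh run
if [ "${1:-}" = "run" ]; then
    check_isolation; rc=$?
    case $rc in
        0) echo "PASS: only loopback is visible in the sandbox" ;;
        1) echo "FAIL: host interfaces are visible in the sandbox" ;;
        *) echo "SKIP: bwrap missing or sandbox could not start" ;;
    esac
    exit "$rc"
fi
```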
Optional
For deeper testing:
- Try running different applications within the sandbox and check if they are appropriately restricted.
- Experiment with different bubblewrap flags to check various sandbox configurations.
- Check if applications inside the sandbox are prevented from accessing or modifying sensitive system files.
- Ensure that sandboxed applications can't interact with processes outside the sandbox.