sloonz’s blog

Lately, I’ve been trying to integrate the huge advance of AI to help my day-to-day tasks. A big help would be a useful programming assistant. ChatGPT already is a big help ; integrating it more tightly into workflow would probably a bigger help. I don’t really care about things like Copilot, which are really “autocomplete on steroids” ; that’s just not how I use ChatGPT. I usually start by specifying what I want to do, ask ChatGPT to rephrase my specifications, clarify misunderstandings, ask ChatGPT to give me an implementation and then iterate on this implementation (for example, “Your implementation does not take into account requirement #2”)....

Previously in this series, we discovered how to use bubblewrap to sandbox simple applications. Then, we moved on to more complex applications, and concluded that, while it works, the long command lines used were getting very unwieldy. I will now present you the script (unimaginatively called sandbox) I use to sandbox my applications. Its configuration file is located at ~/.config/sandbox.yml. It starts with resources : mostly path binds, but also environment variables and D-Bus services....

Last time, we discovered how to use bubblewrap to sandbox simple CLI applications. We will now try to sandbox desktop applications. Desktop applications want access to a lot of different resources: for example the Wayland (or X) server socket, sound server socket or D-Bus services. You could grant blanket access to all such resources for every application, but that increases the attack surface quite a lot. An alternative is to give access only to resources used by the application you’re trying to sandbox — though figuring this out isn’t always straightforward since nobody cares documenting the resources they are using....

Everybody knows that allowing different applications unlimited access to each other’s data is not exactly optimal from a security point of view. While servers have enjoyed containers to isolate applications from each other, we lack a good solution for the desktop. Or do we? There is, obviously, flatpak. Unfortunately, flatpak present itself as a “Linux application sandboxing and distribution framework”. This will not do. I already have a distribution. I’m pretty happy with it....