Open odomingao opened 6 hours ago
Hello @odomingao
This is because of abstract sockets:
https://github.com/igo95862/bubblejail/issues/54#issuecomment-1586177545
You have to unshare the network namespace by disabling the [network]
service. You can use the [slirp4netns] service
to provide network access through a proxy.
It might also be possible to disable abstract sockets on the X11 server:
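Added example (not part of this thread and not bubblejail's own code) showing why the network namespace matters here: an abstract Unix socket has no filesystem path, so bind-mounting a clean /tmp over the sandbox does nothing, and X.Org listens on `@/tmp/.X11-unix/X<display>` in the abstract namespace as well as on the path. The script parses `/proc/net/unix` to list such listeners, computes the abstract address for a DISPLAY value, and probes it with a plain `connect()`. The sample `/proc/net/unix` text, the helper names and the probe socket name are constructed for illustration; only the kernel's `/proc/net/unix` layout and the X.Org naming convention are relied on.

```python
"""Probe whether an X server is reachable through the abstract Unix socket
namespace. Abstract names live in the network namespace, not the filesystem,
so only unsharing the network namespace hides them from a sandbox.

Added example, not bubblejail's code. Relies only on the Linux /proc/net/unix
format and the X.Org convention @/tmp/.X11-unix/X<display>; sample data and
helper names below are made up.
"""
import os
import socket
import sys
from dataclasses import dataclass

IS_LINUX = sys.platform.startswith("linux")
X11_DIR = "/tmp/.X11-unix/X"

# Constructed sample of /proc/net/unix (not captured from a real host).
# The kernel prints the leading NUL byte of an abstract name as '@'.
SAMPLE_PROC_NET_UNIX = """\
Num       RefCount Protocol Flags    Type St Inode Path
0000000000000000: 00000002 00000000 00010000 0001 01 12345 @/tmp/.X11-unix/X0
0000000000000000: 00000002 00000000 00010000 0001 01 12346 /tmp/.X11-unix/X0
0000000000000000: 00000002 00000000 00010000 0001 01 12347 /run/user/1000/bus
0000000000000000: 00000002 00000000 00010000 0001 01 12348 @/tmp/dbus-AbCdEf12
0000000000000000: 00000003 00000000 00000000 0001 03 12349
"""


@dataclass(frozen=True)
class UnixSocket:
    inode: int
    path: str          # kernel spelling; abstract names keep their leading '@'
    abstract: bool
    listening: bool    # Flags bit 0x10000 is __SO_ACCEPTCON (listen() was called)


def parse_proc_net_unix(text: str) -> list[UnixSocket]:
    """Parse /proc/net/unix; nameless (connected, unbound) sockets are skipped."""
    result = []
    for line in text.splitlines()[1:]:          # first line is the column header
        fields = line.split()
        if len(fields) < 8:                      # no Path column: unnamed socket
            continue
        flags, inode, path = int(fields[3], 16), int(fields[6]), fields[7]
        result.append(UnixSocket(inode, path, path.startswith("@"),
                                 bool(flags & 0x10000)))
    return result


def x11_abstract_sockets(socks: list[UnixSocket]) -> list[UnixSocket]:
    """X servers that accept clients without any filesystem path at all."""
    return [s for s in socks
            if s.abstract and s.listening and s.path.startswith("@" + X11_DIR)]


def x11_abstract_address(display: str) -> bytes:
    """Abstract address the X server for DISPLAY='[host]:N[.S]' listens on."""
    if ":" not in display:
        raise ValueError(f"not a DISPLAY value: {display!r}")
    number = display.split(":", 1)[1].split(".", 1)[0]
    return b"\0" + (X11_DIR + number).encode()   # leading NUL = abstract namespace


def abstract_reachable(address: bytes, timeout: float = 0.5) -> bool:
    """True if connect() to the abstract address succeeds from this namespace."""
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        try:
            s.connect(address)
        except OSError:                          # ECONNREFUSED when nobody listens
            return False
        return True


def demo_roundtrip(name: bytes = b"\0example-abstract-probe") -> tuple[bool, bool]:
    """Bind an abstract listener, probe it, close it, probe again (Linux only)."""
    srv = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    srv.bind(name)                               # no file is created anywhere
    srv.listen(1)
    while_bound = abstract_reachable(name)
    srv.close()
    return while_bound, abstract_reachable(name)


if __name__ == "__main__":
    text = open("/proc/net/unix").read() if IS_LINUX else SAMPLE_PROC_NET_UNIX
    for s in x11_abstract_sockets(parse_proc_net_unix(text)):
        print(f"inode {s.inode}: {s.path} (abstract, listening)")
    if IS_LINUX:
        addr = x11_abstract_address(os.environ.get("DISPLAY", ":0"))
        print(f"{addr!r} reachable: {abstract_reachable(addr)}")
```

Run it once on the host and once inside the sandbox: with the network namespace still shared the X socket stays reachable even though `/tmp/.X11-unix` is not visible in the sandbox's mount namespace, and it should stop being reachable once the [network] service is disabled, because `connect()` on an abstract name is resolved inside the sandbox's own network namespace.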
Thanks!
Regarding slirp4netns, I'm getting an error with the following config:
```toml
[slirp4netns]
dns_servers = [
"9.9.9.9",
]
outbound_addr = ""
disable_host_loopback = true
```
```
bwrap: Can't create file at /etc/resolv.conf: No such file or directory
/proc/87724/ns/net: No such file or directory
child failed(1)
Traceback (most recent call last):
File "/usr/lib/bubblejail/python-packages/bubblejail/services.py", line 975, in post_init_hook
await wait_for(slirp_ready_task, timeout=3)
File "/usr/lib/python3.12/asyncio/tasks.py", line 520, in wait_for
return await fut
^^^^^^^^^
File "/usr/lib/python3.12/asyncio/locks.py", line 212, in wait
await fut
asyncio.exceptions.CancelledError
During handling of the above exception, another exception occurred:
Traceback (most recent call last):
File "/usr/bin/bubblejail", line 20, in <module>
bubblejail_main()
File "/usr/lib/bubblejail/python-packages/bubblejail/bubblejail_cli.py", line 232, in bubblejail_main
func(**args_dict)
File "/usr/lib/bubblejail/python-packages/bubblejail/bubblejail_cli.py", line 100, in run_bjail
async_run(
File "/usr/lib/python3.12/asyncio/runners.py", line 194, in run
return runner.run(main)
^^^^^^^^^^^^^^^^
File "/usr/lib/python3.12/asyncio/runners.py", line 118, in run
return self._loop.run_until_complete(task)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/usr/lib/python3.12/asyncio/base_events.py", line 687, in run_until_complete
return future.result()
^^^^^^^^^^^^^^^
File "/usr/lib/bubblejail/python-packages/bubblejail/bubblejail_instance.py", line 230, in async_run_init
bwrap_process = await runner.setup_runtime(exit_stack, args_to_run)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/usr/lib/bubblejail/python-packages/bubblejail/bubblejail_runner.py", line 485, in setup_runtime
return await exit_stack.enter_async_context(
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/usr/lib/python3.12/contextlib.py", line 659, in enter_async_context
result = await _enter(cm)
^^^^^^^^^^^^^^^^
File "/usr/lib/python3.12/contextlib.py", line 210, in __aenter__
return await anext(self.gen)
^^^^^^^^^^^^^^^^^^^^^
File "/usr/lib/bubblejail/python-packages/bubblejail/bubblejail_runner.py", line 465, in setup_bubblewrap_subprocess
await self.task_post_init
File "/usr/lib/bubblejail/python-packages/bubblejail/bubblejail_runner.py", line 324, in _run_post_init_hooks
await hook(sandboxed_pid)
File "/usr/lib/bubblejail/python-packages/bubblejail/services.py", line 977, in post_init_hook
raise BubblejailInitializationError("Slirp4netns initialization failed")
bubblejail.exceptions.BubblejailInitializationError: Slirp4netns initialization failed
```
Am I doing something wrong? Also tried with bubblewrap-suid, which also errors out:
```
Traceback (most recent call last):
File "/usr/bin/bubblejail", line 20, in <module>
bubblejail_main()
File "/usr/lib/bubblejail/python-packages/bubblejail/bubblejail_cli.py", line 232, in bubblejail_main
func(**args_dict)
File "/usr/lib/bubblejail/python-packages/bubblejail/bubblejail_cli.py", line 100, in run_bjail
async_run(
File "/usr/lib/python3.12/asyncio/runners.py", line 194, in run
return runner.run(main)
^^^^^^^^^^^^^^^^
File "/usr/lib/python3.12/asyncio/runners.py", line 118, in run
return self._loop.run_until_complete(task)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/usr/lib/python3.12/asyncio/base_events.py", line 687, in run_until_complete
return future.result()
^^^^^^^^^^^^^^^
File "/usr/lib/bubblejail/python-packages/bubblejail/bubblejail_instance.py", line 230, in async_run_init
bwrap_process = await runner.setup_runtime(exit_stack, args_to_run)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/usr/lib/bubblejail/python-packages/bubblejail/bubblejail_runner.py", line 485, in setup_runtime
return await exit_stack.enter_async_context(
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
bwrap: Can't get type of source /run/user/1000/bubblejail/wine/dbus_session_proxy: No such file or directory
File "/usr/lib/python3.12/contextlib.py", line 659, in enter_async_context
result = await _enter(cm)
^^^^^^^^^^^^^^^^
File "/usr/lib/python3.12/contextlib.py", line 210, in __aenter__
return await anext(self.gen)
^^^^^^^^^^^^^^^^^^^^^
File "/usr/lib/bubblejail/python-packages/bubblejail/bubblejail_runner.py", line 465, in setup_bubblewrap_subprocess
await self.task_post_init
File "/usr/lib/bubblejail/python-packages/bubblejail/bubblejail_runner.py", line 324, in _run_post_init_hooks
await hook(sandboxed_pid)
File "/usr/lib/bubblejail/python-packages/bubblejail/services.py", line 924, in post_init_hook
target_namespace = exit_stack.enter_context(NetworkNamespace.from_pid(pid))
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/usr/lib/bubblejail/python-packages/lxns/namespaces.py", line 122, in from_pid
ns_fd = open_fd(
^^^^^^^^
FileNotFoundError: [Errno 2] No such file or directory: '/proc/90299/ns/net'
```
Output of bubblejail --version: 0.9.3
Your distro name and version: arch
Description:
Hello!
I noticed that every sandbox can always access X, even when it shouldn't. By creating a new profile, I managed to narrow it down to the [network] permission. Any idea what's going on there, and how I could prevent this from happening?