Replies: 2 comments
-
xdg-dbus proxy logging. Implemented in this file: https://github.com/flatpak/xdg-dbus-proxy/blob/main/flatpak-proxy.c I think the most important message is For example: This means the This means the screen saver was attempted to be accessed.
-
I added the first prototype of a wizard: bdb55c2 It can only set the owned D-Bus name for now. It would be helpful if anyone can give it a test. Run it like this:
-
There are an infinite number of applications, meaning adding a new profile for each one of them is infeasible.
See firejail's profile folders, which had to be alphabetically split into 2 because of the number of profiles: https://github.com/netblue30/firejail/tree/master/etc
Instead of trying to add more and more profiles, why not automate the sandboxing configuration by recording data while running a new sandbox?
The workflow would be: user creates new sandbox -> sandbox is started with data recording -> sandboxed application either crashes or is closed -> user is prompted with settings recommendations based on collected data -> sandbox is run again until sandbox configuration is satisfactory -> instance switches data recording off for performance
The most important part of this plan is the data sources.
D-Bus proxy log
xdg-dbus-proxy has a log option which dumps the filtered messages to stdout. The format is not documented but it should be possible to build a parser.
The most important message would be RequestName, as GTK applications instantly crash if they fail to acquire a specific D-Bus name. The user should be prompted to allow the sandbox to own the name.
If an application tries to call a certain D-Bus service like org.freedesktop.Notifications, the corresponding [notifications] service should be prompted.
Linker shared libraries
Analyze the default binary linking information.
This is a static method that does not require running the sandbox.
For example, if the binary is linked to libgtk-4.so it probably wants [x11], [wayland] and [direct_rendering].
Needs more research into which libraries can be linked to which services.
strace
Can be monitored for file path accesses. Certain paths might mean the application wants a certain service.
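
The static linking check described in the post above, as an added example that is not part of the original post or of the project's code: it reads the NEEDED entries from `readelf -d` output and maps them to service suggestions. The function names, the `RULES` table layout and the sample output are assumptions; only the libgtk-4.so row is taken from the post.

```python
import re

# Line printed by `readelf -d <binary>` for each DT_NEEDED entry.
NEEDED_RE = re.compile(r"\(NEEDED\)\s+Shared library:\s+\[([^\]]+)\]")

# Library name -> sandbox services to suggest (hypothetical table layout).
# Only the libgtk-4.so row comes from the post; the rest needs research.
RULES = {
    "libgtk-4.so": ["x11", "wayland", "direct_rendering"],
}


def needed_libraries(readelf_output):
    """Return the sonames listed as NEEDED, in order of appearance."""
    return NEEDED_RE.findall(readelf_output)


def recommend_services(readelf_output, rules=RULES):
    """Map each suggested service to the libraries that triggered it."""
    suggestions = {}
    for soname in needed_libraries(readelf_output):
        for name, services in rules.items():
            # "libgtk-4.so" matches "libgtk-4.so.1" but not "libgtk-4.sox".
            if soname == name or soname.startswith(name + "."):
                for service in services:
                    suggestions.setdefault(service, []).append(soname)
    return suggestions


# Constructed sample of `readelf -d` output, not taken from a real binary.
SAMPLE = """\
Dynamic section at offset 0x2d08 contains 28 entries:
  Tag        Type                         Name/Value
 0x0000000000000001 (NEEDED)             Shared library: [libgtk-4.so.1]
 0x0000000000000001 (NEEDED)             Shared library: [libglib-2.0.so.0]
 0x0000000000000001 (NEEDED)             Shared library: [libc.so.6]
 0x000000000000000c (INIT)               0x4000
"""

if __name__ == "__main__":
    for service, libs in recommend_services(SAMPLE).items():
        print(f"[{service}] suggested because of {', '.join(libs)}")
```

Keeping the triggering library next to each suggestion lets the prompt show the user why a service is being offered, so a permission is granted knowingly rather than by default.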