From f807d7c0a230700a44ba4ea2e3412c874c063272 Mon Sep 17 00:00:00 2001
From: Colin
Date: Sun, 25 Feb 2024 08:11:05 +0000
Subject: [PATCH] modules/programs: sane-sandboxed: bwrap: don't virtualize {/dev,/proc,/tmp} if explicitly asked to bind them instead

this is necessary for some programs which want a near-maximial sandbox, like launchers or shells, or more specifically, `sane-private-do`.
---
 modules/programs/sane-sandboxed | 23 ++++++++++++++++++++++-
 1 file changed, 22 insertions(+), 1 deletion(-)

diff --git a/modules/programs/sane-sandboxed b/modules/programs/sane-sandboxed
index b86ef33d..2aafba70 100644
--- a/modules/programs/sane-sandboxed
+++ b/modules/programs/sane-sandboxed
@@ -444,6 +444,9 @@ firejailGetCli() {
 bwrapUnshareNet=(--unshare-net)
 bwrapUnsharePid=(--unshare-pid)
+bwrapVirtualizeDev=(--dev /dev)
+bwrapVirtualizeProc=(--proc /proc)
+bwrapVirtualizeTmp=(--tmpfs /tmp)
 bwrapSetup() {
 debug "bwrapSetup: noop"
@@ -462,6 +465,21 @@ bwrapIngestPath() {
 # or maybe configure remote mounts to somehow never hang.
 # test -r "$1" && bwrapFlags+=("--dev-bind-try" "$1" "$1")
 bwrapFlags+=("--dev-bind-try" "$1" "$1")
+
+ # default to virtualizing a few directories in a way that's safe (doesn't impact outside environment)
+ # and maximizes compatibility with apps. but if explicitly asked for the directory, then remove the virtual
+ # device and bind it as normal.
+ if [ "$1" = / ]; then
+ bwrapVirtualizeDev=()
+ bwrapVirtualizeProc=()
+ bwrapVirtualizeTmp=()
+ elif [ "$1" = /dev ]; then
+ bwrapVirtualizeDev=()
+ elif [ "$1" = /proc ]; then
+ bwrapVirtualizeProc=()
+ elif [ "$1" = /tmp ]; then
+ bwrapVirtualizeTmp=()
+ fi
 }
 bwrapIngestNet() {
 debug "bwrapIngestNet: enabling full net access for '$1' because don't know how to restrict it more narrowly"
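Review bot: The `/` and `/proc` branches in bwrapIngestPath drop the fresh `--proc /proc` while `bwrapUnsharePid` may still carry `--unshare-pid`, and a bind-mounted host procfs reflects the parent pid namespace, so the sandbox can then see host processes and the pid isolation is weakened (how bwrapUnsharePid is set is not visible in this hunk). The comment above the chain calls the default "safe", but nothing records that opting out gives that property up; suggest adding `# NOTE: binding the host /proc (directly or via /) exposes the parent pid namespace even when --unshare-pid is set; binding host /tmp likewise shares it with the rest of the system`. The comparison is also exact string equality, so a caller passing `/dev/` or `/proc/` keeps both the virtual mount and the bind; since bwrapFlags come after the virtualize arrays in cliArgs the later bind presumably wins, but normalizing first, e.g. `case "${1%/}" in`, would make the intent explicit. The enclosing function starts outside the hunk.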
@@ -488,7 +506,10 @@ bwrapGetCli() {
 # --unshare-user (implicit to every non-suid call to bwrap)
 locate _bwrap "bwrap" "@bubblewrap@/bin/bwrap"
 cliArgs=(
- "$_bwrap" --unshare-cgroup --unshare-ipc --unshare-user --unshare-uts "${bwrapUnshareNet[@]}" "${bwrapUnsharePid[@]}" --dev /dev --proc /proc --tmpfs /tmp "${bwrapFlags[@]}" --
+ "$_bwrap" --unshare-cgroup --unshare-ipc --unshare-user --unshare-uts
+ "${bwrapUnshareNet[@]}" "${bwrapUnsharePid[@]}"
+ "${bwrapVirtualizeDev[@]}" "${bwrapVirtualizeProc[@]}" "${bwrapVirtualizeTmp[@]}"
+ "${bwrapFlags[@]}" --
 env "${extraEnv[@]}" "${cliArgs[@]}"
 )
 }
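Review bot: The relative order of the `"${bwrapVirtualize*[@]}"` arrays and `"${bwrapFlags[@]}"` in cliArgs is load-bearing — bwrap applies its mount options in argument order, so an explicit bind of a path under /dev can only overlay the virtual /dev because bwrapFlags come later — yet the new multi-line layout does not say so, and a future reorder for readability would silently change the sandbox. Suggest a comment above `cliArgs=(`: `# order matters: bwrap processes mounts in argument order, so the explicit binds in bwrapFlags must follow the virtualized /dev, /proc and /tmp to overlay them`. If this script runs under `set -u`, an emptied array such as `bwrapVirtualizeDev=()` expands to an "unbound variable" error on bash older than 4.4; `bwrapUnshareNet` already has the same exposure, so this only matters if older bash is a target.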