User:Trickygnome/Simple sandbox in Wayland

From Gentoo Wiki

Create sandbox user

root #useradd -m -G input,users,video,audio ff

Install and configure sudo and wayland group

root #emerge --ask app-admin/sudo
root #mkdir /etc/sudoers.d
root #sudo groupadd wayland-share
root #sudo usermod -aG wayland-share ff

OpenRC startup script for XDG_RUNTIME_DIR

XDG_RUNTIME_DIR is placed under /tmp, which may be cleaned on reboot. We therefore create a service that recreates the directory with consistent ownership and permissions at every boot.

FILE /etc/local.d/xdg-runtime-larry.start
#!/bin/sh
XDG_RUNTIME_DIR="/tmp/mywayland-runtime-dir"
mkdir -p "$XDG_RUNTIME_DIR"
# larry is the main user, ff is the additional (sandbox) user
sudo chown larry:wayland-share "$XDG_RUNTIME_DIR"
# Deny access to all other users
sudo chmod 770 "$XDG_RUNTIME_DIR"
# setgid: files created inside the directory inherit the directory's group
sudo chmod g+s "$XDG_RUNTIME_DIR"
# For Firejail
setfacl -m u:ff:rwx "$XDG_RUNTIME_DIR"
setfacl -d -m u:ff:rw "$XDG_RUNTIME_DIR"

Make script executable:

root #chmod +x /etc/local.d/xdg-runtime-larry.start

Add the local service to the default runlevel (enabled by default):

root #rc-update add local default
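
The following check is an added example, not part of the original wiki page: it audits the directory the start script creates (real directory rather than a symlink, owner, group, mode 2770, and the two ACL entries for ff). The function name check_runtime_dir and its argument order are assumptions made for this example; it relies on GNU stat and, for the optional ACL part, getfacl.

```shell
#!/bin/sh
# Added example (not from the wiki page): audit the shared runtime directory.
# Usage: check_runtime_dir DIR OWNER GROUP [SANDBOX_USER]
# e.g.   check_runtime_dir /tmp/mywayland-runtime-dir larry wayland-share ff
check_runtime_dir() {
    dir=$1; want_owner=$2; want_group=$3; sandbox_user=${4:-}; rc=0

    # /tmp is world-writable: a symlink at this path would redirect
    # chown/chmod/setfacl to whatever it points at.
    if [ -L "$dir" ] || [ ! -d "$dir" ]; then
        echo "FAIL: $dir is missing, a symlink, or not a directory"
        return 1
    fi

    owner=$(stat -c %U "$dir")   # GNU stat format options
    group=$(stat -c %G "$dir")
    mode=$(stat -c %a "$dir")

    [ "$owner" = "$want_owner" ] || { echo "FAIL: owner $owner, expected $want_owner"; rc=1; }
    [ "$group" = "$want_group" ] || { echo "FAIL: group $group, expected $want_group"; rc=1; }
    # 2770 = setgid bit + rwx for owner and group, nothing for others
    [ "$mode" = "2770" ] || { echo "FAIL: mode $mode, expected 2770"; rc=1; }

    # Optional ACL check, only when a sandbox user is named and getfacl exists.
    if [ -n "$sandbox_user" ] && command -v getfacl >/dev/null 2>&1; then
        acl=$(getfacl -cp "$dir" 2>/dev/null)
        echo "$acl" | grep -q "^user:$sandbox_user:rwx" ||
            { echo "FAIL: no rwx ACL entry for $sandbox_user"; rc=1; }
        echo "$acl" | grep -q "^default:user:$sandbox_user:rw-" ||
            { echo "FAIL: no default rw ACL entry for $sandbox_user"; rc=1; }
    fi

    [ "$rc" -ne 0 ] || echo "OK: $dir"
    return "$rc"
}
```

Run it after boot and before starting the compositor; a non-zero return means the directory does not match what the start script sets up.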

Launch Wayland compositor

larry@gentoo $ export XDG_RUNTIME_DIR="/tmp/mywayland-runtime-dir" && sway

Launch app as ff user in running compositor

larry@gentoo $ sudo --preserve-env=XDG_RUNTIME_DIR,WAYLAND_DISPLAY -u ff firefox
