Initial commit

Jonathan Schleifer 2021-08-06 20:35:21 +02:00
commit 75529d1824
No known key found for this signature in database
GPG key ID: 636703577395312F
2 changed files with 70 additions and 0 deletions

5
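--- a/README.md
+++ b/README.md
@@ -0,0 +1,5 @@
+bubblewine is a wrapper around wine that uses bubblewrap to properly sandbox
+wine. By default, wine gives full access to the entire file system, while many
+Windows binaries are potentially untrustworthy. The aim of bubblewine is to
+properly sandbox wine so that one can execute Windows binaries on Linux with
+ease of mind that it is unlikely the system gets compromized.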

65
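--- a/bubblewine
+++ b/bubblewine
@@ -0,0 +1,65 @@
+#!/bin/sh
+#
+# Copyright (c) 2021 Jonathan Schleifer <js@nil.im>
+#
+# https://github.com/Midar/bubblewine
+#
+# Permission to use, copy, modify, and/or distribute this software for any
+# purpose with or without fee is hereby granted, provided that the above
+# copyright notice and this permission notice is present in all copies.
+#
+# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
+# AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE
+# LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+# INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+# CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+# ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+# POSSIBILITY OF SUCH DAMAGE.
+#
+set -eu
+if ! type bwrap >/dev/null 2>&1; then
+echo "You don't have bubblewrap installed." 2>&1
+echo "Please install bubblewrap." 2>&1
+exit 1
+fi
+# Create the wine prefix outside the sandbox. For some reason, it hangs when
+# creating it inside the sandbox.
+if [ ! -d "$HOME/.bubblewine" ]; then
+WINEPREFIX="$HOME/.bubblewine" wineboot
+WINEPREFIX="$HOME/.bubblewine" wineserver -k
+fi
+bwrap \
+--unshare-user \
+--unshare-ipc \
+--unshare-pid \
+--unshare-uts \
+--unshare-cgroup \
+--new-session \
+--die-with-parent \
+--ro-bind /usr/bin/wine /usr/bin/wine \
+--ro-bind /usr/bin/wine-preloader /usr/bin/wine-preloader \
+--ro-bind /usr/bin/wine32 /usr/bin/wine32 \
+--ro-bind /usr/bin/wine32-preloader /usr/bin/wine32-preloader \
+--ro-bind /usr/bin/wine64 /usr/bin/wine64 \
+--ro-bind /usr/bin/wine64-preloader /usr/bin/wine64-preloader \
+--ro-bind /usr/bin/wineserver /usr/bin/wineserver \
+--ro-bind /usr/bin/wineserver32 /usr/bin/wineserver32 \
+--ro-bind /usr/bin/wineserver64 /usr/bin/wineserver64 \
+--ro-bind /usr/lib /usr/lib \
+--ro-bind /usr/lib64 /usr/lib64 \
+--ro-bind /usr/share/wine /usr/share/wine \
+--symlink usr/lib /lib \
+--symlink usr/lib64 /lib64 \
+--proc /proc \
+--tmpfs /tmp \
+--bind "$HOME/.bubblewine" /wineprefix \
+--setenv WINEPREFIX /wineprefix \
+wine "$@"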
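Review bot: The network namespace stays shared in the `bwrap` call, since there is no `--unshare-net` next to the other `--unshare-*` flags, so an untrusted Windows binary still reaches the host's network, loopback services and abstract Unix sockets. On many desktops the X server listens on an abstract socket, which is presumably how wine gets a display here despite `--tmpfs /tmp`, and it also means a sandboxed client can talk to the X server like any other local application. Either add `--unshare-net` and bind only the display socket that is needed, or state in the README that network and display access are not confined. The host environment is also inherited unchanged; placing `--clearenv` before the `--setenv` line and re-exporting only the variables wine needs would keep tokens held in environment variables out of the sandbox. Separately, the two `echo` lines in the bubblewrap check use `2>&1`, which leaves the message on stdout; `>&2` appears to be what was intended.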