I want to sandbox things like Steam, Discord and even Firefox and I see bubblewrap getting recommended a lot as the preferred sandboxing tool, but I’m hard-pressed on how to actually use it. I don’t know what to enable and what not to.

PS. Please don’t recommend Flatpak, I’m aware Flatpak uses bwrap but I want to avoid Flatpak unless absolutely necessary. I don’t have anything against Flatpak, just personal preference :D.

  • Zenzio@lemmy.world · 1 year ago (edited)

    I don’t have any experience with Bubblewrap. Is it what people tend to use instead of its alternatives? Have you had a look at Firejail? I think it does what you are trying to achieve and has a lot of these preconfigured scripts for a variety of the applications you might use (they call them profiles). https://wiki.archlinux.org/title/Firejail From the archwiki:

    Most users will not require any custom configuration and can proceed to #Usage.
    
    Firejail uses profiles to set the security protections for each of the applications executed inside of it - you can find the default profiles in /etc/firejail/application.profile. Should you require custom profiles for applications not included, or wish to modify the defaults, you may place new rules or copies of the defaults in the ~/.config/firejail directory. You may have multiple custom profile files for a single application, and you may share the same profile file among several applications.
    
    If firejail does not have a profile for a particular application, it uses its restrictive system-wide default profile. This can result in the application not functioning as desired, without first creating a custom and less restrictive profile.
    

    It also has support for use in conjunction with AppArmor: https://wiki.archlinux.org/title/Firejail#Enable_AppArmor_support

    Note: A lot of applications won’t have any read or write access anywhere but /home/$USER/Downloads. So one example from me would be that I copied the Firefox profile from /etc/firejail/firefox.local to /home/$USER/firejail/firefox.local and edited the latter to allow Firefox access to /home/$USER/Pictures for the sake of convenience when saving a picture.

    Just my two cents in case you are not dead set on Bubblewrap.
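For the bwrap route the question asks about, here is an added example (not from either post) that mirrors the Firejail whitelist idea described in the reply above: a read-only system, an empty throwaway home, and only the Firefox profile plus Downloads and Pictures bound read-write. It assumes a merged-/usr layout, bubblewrap 0.5 or newer for --ro-bind-try, and profile/folder paths under $HOME that match the defaults.

```shell
#!/bin/sh
# Print the bwrap argument list for Firefox, one argument per line, so the
# sandbox policy can be inspected (or tested) separately from launching it.
firefox_bwrap_args() {
    home="${1:-$HOME}"
    runtime="${XDG_RUNTIME_DIR:-/run/user/$(id -u)}"
    # Read-only view of the OS: nothing under /usr or /etc can be modified.
    printf '%s\n' --ro-bind /usr /usr --ro-bind /etc /etc
    # Merged-/usr systems only have symlinks here; recreate them inside.
    # On a non-merged layout use --ro-bind for each of these instead.
    printf '%s\n' --symlink usr/lib /lib --symlink usr/lib64 /lib64 \
                  --symlink usr/bin /bin --symlink usr/sbin /sbin
    # Fresh /dev, /proc and /tmp; host contents do not leak in.
    printf '%s\n' --dev /dev --proc /proc --tmpfs /tmp
    # X11 socket lives in /tmp; bind it back if it exists (Wayland needs none).
    printf '%s\n' --ro-bind-try /tmp/.X11-unix /tmp/.X11-unix
    # Empty home: only the profile and the two whitelisted folders are visible,
    # which is the bwrap equivalent of Firejail's whitelist ${HOME}/Pictures.
    printf '%s\n' --tmpfs "$home"
    printf '%s\n' --bind "$home/.mozilla" "$home/.mozilla"
    printf '%s\n' --bind "$home/Downloads" "$home/Downloads"
    printf '%s\n' --bind "$home/Pictures" "$home/Pictures"
    # Wayland/X11 auth and PipeWire/PulseAudio sockets (sockets work read-only).
    printf '%s\n' --ro-bind "$runtime" "$runtime"
    # Fresh namespaces for everything except the network; the sandbox dies with
    # its parent and cannot inject keystrokes into the launching terminal.
    printf '%s\n' --unshare-all --share-net --die-with-parent --new-session
}

# Launcher: split the argument list on newlines only, so paths with spaces
# survive, and hand everything after "--" to Firefox.
run_sandboxed_firefox() {
    IFS='
'
    set -f   # no globbing while the list is word-split
    # shellcheck disable=SC2046
    exec bwrap $(firefox_bwrap_args "$HOME") -- firefox "$@"
}
```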