A wrapper around bubblewrap to make it a bit easier to use with normal desktop programs.
bubblewrap-wrap is meant to address this particular case: https://xkcd.com/1200/
Modern environments have most of the actual important user information held in the same user home directory which is exposed to any program run by the user.
This script uses bwrap to create an isolated "HOME" directory per program.
called a jail. It trades absolute security for ease of use and should generally
work with most programs out of the box. Unlike a true container, a program run with
bww has a read-only view of the host system (some directories are blocked),
but does have things like special namespacing.
The advantage of bww is that running a program will not pollute the real home
directory, and all configuration files can be deleted simply by removing the jail
directory. bww is not a replacement for a Flatpak. You should always elect to use
a Flatpak version of a program if one exists. bww is expected to run with interactive
GUI programs, and comes with support for things like X11 and PulseAudio by default. For
server applications, you should use docker or another container solution.
By default, bww makes use of bubblewrap's ability to have split namespaces
for processes, uts, and also hides the /dev /proc and /tmp folders.
You can share folders outside of the jail using the options --bind-if-exists. As the
name suggests, the folder will not be created for you, and will only be shared if it already
exists.
Assuming both bww and the <program> you want to run are on your $PATH you can do:
$ bww <program>If you're sick and tired of writing bww before everything, you can use the
included bwrapper script, which will create a file named <program> inside
of the $HOME/.bww/bin directory that will call through to bww when run. It
is up to the user to configure the $HOME/.bww/bin directory to be on the $PATH.
bww makes no assumptions about the existing configuration, but will follow
these defaults:
Jailed programs will live in $HOME/.bww/jails/<program> and bwrapper generated
scripts will live in $HOME/.bww/bin.
The $HOME/.bww/jails directory will be created for you if it does not exist.
Not every program will work with bww due to its slightly more restrictive nature,
though many will "just work" out of the box.
If you find a program that does not work, simple possible fixes are things like
the option --nodrop, which will not drop the Linux capabilities that some programs
expect to be present, the option --nodev which grants access to the real /dev
folder, the option --notmp which grants access to the real /tmp folder.
Often times, a graphical application requires --dbus, and many GTK applications
require feature flags like --p11, --gvfs, or --dconf. In some rare cases, the
--systemd flag may be required. Each program is specific and you will need to
try various options out.
When in doubt, make sure the program runs on your system normally, and that it runs
"by default" in bwrap by using:
$ bwrap --dev-bind / / <program>If it does, try running it in bww with all of the restrictive options turned off,
and if it launches, slowly add back restrictions until the program continues to launch.
Get used to launching programs in the terminal and reading their debugging output,
for example, common error messages including "system bus" or "session bus" would require
the flag --dbus.
You may also need to mount directories via --bind-if-exists.
GPLv2
The GPLv2 License
# Copyright (C) 2023 pyamsoft
This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation; either version 2 of the License, or
(at your option) any later version.
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
You should have received a copy of the GNU General Public License along
with this program; if not, write to the Free Software Foundation, Inc.,
51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.