Bubblejail

Bubblejail is a bubblewrap-based alternative to Firejail.

Description

Bubblejail's design is based on observations of Firejail's faults.

One of the biggest issues with Firejail is that you can accidentally run unsandboxed applications and not notice.

Bubblejail, instead of trying to transparently overlay an existing home directory, creates a separate home directory.

Every Instance represents a separate home directory. Typically, every sandboxed application has its own home directory.

Each instance has a services.toml file which defines the configuration of the instance such as system resources that the sandbox should have access to.

Service represents some system resources that the sandbox can be given access to. For example, the Pulse Audio service gives access to the Pulse Audio socket so that the application can use sound.

Profile is a predefined set of services that a particular application uses. Using profiles is entirely optional.

Installation

AUR is preferred way of installing

AUR git

AUR stable

Manual Installation

If you are not using Arch Linux you can try to manually install with meson

Requirements

• Python 3 - version 3.8 or higher
• Python XDG - XDG standards for python
• Python TOML - TOML file support for python
• Bubblewrap - sandboxing command line utility
• XDG D-Bus Proxy - filtering dbus proxy
• Desktop File Utils - to manipulate default applications
• Python Qt5 - for GUI
• Meson - build system
• m4 - macro generator used during build

Optional:

• bash-completion - auto-completions for bash shell
• fish - auto-completions for fish shell

Using meson to install

1. Run meson setup build to setup build directory
2. Switch to build directory cd build
3. Compile meson compile
4. Install sudo meson install

If you want to uninstall run ninja uninstall from build directory.

Screenshots

Configuration utility

Quick start

1. Install bubblejail from AUR git or AUR stable
2. Install the application you want to sandbox (for example, firefox)
3. Run GUI. (should be found under name Bubblejail Configuration)
4. Press 'Create instance' button at the bottom.
5. Select a profile. (for example, firefox)
6. Optionally change name
7. Press 'Create'
8. The new instance is created along with new desktop entry.

Command-line utility documentation

See man page:

man 1 bubblejail

Usage examples

Create new instance using firefox profile

bubblejail create --profile firefox FirefoxInstance

Run instance

bubblejail run FirefoxInstance

Create a generic instance without a desktop entry

bubblejail create --no-desktop-entry --profile generic Test

Available services

• common: settings that are not categorized
• x11: X windowing system. Also includes Xwayland.
• wayland: Pure wayland windowing system.
• network: Access to network.
• pulse_audio: Pulse Audio audio system.
• home_share: Shared folder relative to home.
  • home_paths: List of path strings to share with sandbox. Required.
• direct_rendering: Access to GPU.
  • enable_aco: Boolean to enable high performance Vulkan compiler for AMD GPUs.
• systray: Access to the desktop tray bar.
• joystick: Access to joysticks and gamepads.
• root_share: Share access relative to /.
  • paths: List of path strings to share with sandbox. Required.
• openjdk: Access to Java libraries.
• notify: Access to desktop notifications.

Available profiles

• firefox
• firefox_wayland: Firefox on wayland
• code_oss: open source build of vscode
• steam
• lutris
• chromium
• transmission-gtk
• generic: most common services, useful for sandboxing applications without profiles

TODO