Bubblejail
Bubblejail is a bubblewrap-based alternative to Firejail.
Description
Bubblejail's design is based on observations of Firejail's faults.
One of the biggest issues with Firejail is that you can accidentally run unsandboxed applications and not notice.
Bubblejail, instead of trying to transparently overlay an existing home directory, creates a separate home directory.
Every Instance represents a separate home directory. Typically, every sandboxed application has its own home directory.
Each instance has a services.toml
file which defines the configuration of the instance such as system resources that the sandbox should have access to.
Service represents some system resources that the sandbox can be given access to. For example, the Pulse Audio service gives access to the Pulse Audio socket so that the application can use sound.
Profile is a predefined set of services that a particular application uses. Using profiles is entirely optional.
Installation
Packages
Distro specific quirks
Manual Installation
If your distro does not have a package you can try to manually install with meson
Requirements
Build requirements
- Python 3 (>= 3.9) - python interpreter
- Jinja2 - Python template engine used during build
- Meson - build system
- scdoc - man page generator (optional)
Runtime requirements
- Python 3 (>= 3.9) - python interpreter
- Python PyXDG - XDG standards for python
- Python Tomli - TOML file support for python,
tomli
version - Python Tomli-W - writer part of
tomli
- Bubblewrap (>= 0.5.0) - sandboxing command line utility
- XDG D-Bus Proxy - filtering dbus proxy
- Python Qt6 - for GUI
- libseccomp - helper library for seccomp rules
Runtime highly recommended dependencies
- Desktop File Utils - allows new desktop entries to be registered
- notify-send - command to send desktop notification (part of
libnotify
)
Optional
- bash-completion - auto-completions for bash shell
- fish - auto-completions for fish shell
- slirp4netns - for alternative networking stack
Using meson to install
- Run
meson setup build
to setup build directory - Switch to build directory
cd build
- Compile
meson compile
- Install
sudo meson install
If you want to uninstall run ninja uninstall
from build directory.
Screenshots
Configuration utility
Quick start
- Install bubblejail from AUR git or AUR stable
- Install the application you want to sandbox (for example, firefox)
- Run GUI. (should be found under name
Bubblejail Configuration
) - Press 'Create instance' button at the bottom.
- Select a profile. (for example, firefox)
- Optionally change name
- Press 'Create'
- The new instance is created along with new desktop entry.
Usage examples
Create new instance using firefox profile
bubblejail create --profile firefox FirefoxInstance
Run instance
bubblejail run FirefoxInstance
Create a generic instance without a desktop entry
bubblejail create --no-desktop-entry --profile generic Test
Available services
- common: settings that are not categorized
- x11: X windowing system. Also includes Xwayland.
- wayland: Pure wayland windowing system.
- network: Access to network.
- pulse_audio: Pulse Audio audio system.
- home_share: Shared folder relative to home.
- home_paths: List of path strings to share with sandbox. Required.
- direct_rendering: Access to GPU.
- enable_aco: Boolean to enable high performance Vulkan compiler for AMD GPUs.
- systray: Access to the desktop tray bar.
- joystick: Access to joysticks and gamepads.
- root_share: Share access relative to /.
- paths: List of path strings to share with sandbox. Required.
- openjdk: Access to Java libraries.
- notify: Access to desktop notifications.
- ibus: Multilingual input.
- slirp4netns: Custom networking such as binding to a specific device
Available profiles
- firefox
- firefox_wayland: Firefox on wayland
- code_oss: open source build of vscode
- steam
- lutris
- chromium
- transmission-gtk
- generic: most common services, useful for sandboxing applications without profiles