Question 1

How to set up a basic sandbox with bubblewrap?

Accepted Answer

Use command-line options like --ro-bind to mount directories read-only and --unshare-pid for process isolation. The README provides a demo script that binds /usr and creates a tmpfs root, but you must manually define all mounts and namespaces for security.

Question 2

Bubblewrap vs Docker for unprivileged containers?

Accepted Answer

Bubblewrap is a minimal sandboxing tool focused on security for unprivileged users, while Docker is a full container platform with image management and root privileges by default. Bubblewrap is better for lightweight isolation without root, but Docker offers more features for orchestration.

Question 3

Is bubblewrap secure for desktop applications?

Accepted Answer

Yes, but only if configured correctly. The README warns that improper arguments, like not using --new-session or binding D-Bus sockets, can lead to privilege escalation. It's often used with frameworks like Flatpak to handle these details.

Question 4

Can bubblewrap run OCI containers?

Accepted Answer

Not directly; bubblewrap is a low-level sandboxing tool, while OCI runtimes like runc are designed for standard container images. However, projects like bwrap-oci adapt bubblewrap for OCI, but it's not a native feature.

Question 5

How to handle D-Bus in bubblewrap sandboxes?

Accepted Answer

You need to use external tools like xdg-dbus-proxy to filter D-Bus communication, as bubblewrap doesn't include built-in support. The README mentions this in the Limitations section to prevent command execution via systemd.

Question 6

What are the main limitations compared to user namespaces?

Accepted Answer

Bubblewrap implements only a subset of user namespaces, such as lacking control over iptables, and relies on setuid for compatibility. The README cites security concerns like CVE-2016-3135 as reasons for this approach.

bubblewrap

What is bubblewrap?

Overview

Use Cases

Best For

Related Projects

Found a gem we're missing?

Not Ideal For

Pros & Cons

Pros

Cons

Frequently Asked Questions