Bubblejail

Thoughts on bubblejail? It’s very easy to use and seems to work very well.

I’m editing/bumping this because it’s been a few months and I think that this is pretty good and should be considered for the sandboxing article.

Here’s what a profile for Brave looks like:

```toml
[common]
executable_name = "/usr/bin/brave"
share_local_time = false
filter_disk_sync = false
dbus_name = ""

[wayland]

[network]

[pulse_audio]

[home_share]
home_paths = [
    "Downloads",
    ".config/BraveSoftware",
]

[direct_rendering]
enable_aco = false

[v4l]

[namespaces_limits]
user = 4
mount = 0
pid = -1
ipc = 0
net = 1
time = 0
uts = 0
cgroup = 0

[debug]
raw_bwrap_args = [
    "--setenv",
    "GTK_THEME",
    "Breeze",
    "--setenv",
    "QT_QPA_PLATFORMTHEME",
    "qt6ct",
    "--setenv",
    "GSETTINGS_BACKEND",
    "keyfile",
    "--ro-bind",
    "/home/user/.config/gtk-3.0",
    "/home/user/.config/gtk-3.0",
    "--ro-bind",
    "/home/user/.config/gtk-4.0",
    "/home/user/.config/gtk-4.0",
    "--ro-bind",
    "/home/user/.config/qt5ct",
    "/home/user/.config/qt5ct",
    "--ro-bind",
    "/home/user/.config/qt6ct",
    "/home/user/.config/qt6ct",
    "--ro-bind",
    "/home/user/.config/brave-flags.conf",
    "/home/user/.config/brave-flags.conf",
]
raw_dbus_session_args = [
    "--talk=org.freedesktop.portal.Desktop",
]
raw_dbus_system_args = []
```

You can also create/edit profiles via the GUI.

What is not easy about firejail?

Just `sudo dnf install firejail && sudo firecfg` and you’re done.

(disclaimer: am (past) maintainer of firejail)

I mean bubblejail has 7 pre-made profiles, firejail has ~1296. How is the latter not easier?

I’ve found making custom profiles more difficult with Firejail. Looking at the GUI configuration wizard, it’s not obvious how to share custom directories with the sandboxed program. It’s also not obvious how to save the desktop file from that particular profile, where it’s saved to and how to launch it, while bubblejail will immediately create a desktop file in .local/share/applications (most obvious directory possible) that specifies “bubble” in the title and filename. The bubblejail GUI configuration program will also list the available permissions that you can set in a very comprehensible manner - it’s missing a few things but I give it a 9/10 from my experience so far. The firetools program is also certainly not the best designed. Even now I cannot figure out how to make it do anything, as clicking the icons (presumably for created profiles) seems to do nothing.

1 Like

Please give my firejail tutorial a watch: https://divested.dev/videos/Firejail-20210101.1080p.m4v

2 Likes

I edited the post and it wasn’t bumped (:sweat_smile:) so I’ll reply here to ask the team to consider mentioning bubblejail in the Linux sandboxing guide.