I’ve found making custom profiles more difficult with Firejail. Looking at the GUI configuration wizard, it’s not obvious how to share custom directories with the sandboxed program. It’s also not obvious how to save the desktop file from that particular profile, where it’s saved to and how to launch it, while bubblejail will immediately create a desktop file in .local/share/applications (most obvious directory possible) that specifies “bubble” in the title and filename. The bubblejail GUI configuration program will also list the available permissions that you can set in a very comprehensible manner - it’s missing a few things but I give it a 9/10 from my experience so far. The firetools program is also certainly not the best designed. Even now I cannot figure out how to make it do anything, as clicking the icons (presumably for created profiles) seem to do nothing.
Hey there, I realize I’m a little late to the party on this post but I’m a regular lurker on the forum and just wanted to give my input on Bubblejail since I have used it over the past couple weeks and I wanted to give a review on it for people who might be interested.
First and foremost, I believe the source from which you download and install will greatly decide how much it’s worth to you. Since I run Arch Linux as my daily I download from the user repository and just built it that way. This is the best method in my opinion. I tried building the package manually on both Debian and Void and ran into issues both times. I couldn’t even install it on Debian, as there was an installation error. On Void, the installation went through correctly but for whatever reason the bubblejail config GUI would never launch. I didn’t stick around to try and find a solution to the problem either as I could care less really. As I said, my main distro is Arch. Also there’s not a terribly large amount of troubleshooting talk on this bwrap front end yet. My guess is bubblejail is still highly unpopular compared to firejail. So my recommendation based on my experience is if you want a smooth install process you need to download the AUR package.
From a feature standpoint it is not as rich as firejail is. This could be good or bad depending on what you’re using it for and why. Sometimes simplicity is better. I’ve seen some “anti-firejail” detractors, for a lack of a better term, mention it’s requirement for setuid being a security liability. This is not the case for bubblewrap sandboxes. On the other hand, you can make a pretty good case for firejail’s network firewall and stack isolation as an area of advanced security bubblejail doesn’t offer.
At the end of the day I’m not really smart enough to know which compromises are worse, so I won’t pretend to tell you which is better. But I did like my user experience with bubblejail. Provided the install goes smoothly it turns bubblewrap into a very user friendly sandbox. And if all you’re wanting to do is run a traditional sandbox to restrict file systems and internet access to a particular application this is a foolproof way of doing so. BUT, if you’re using something like Firefox or Tor browser and you’re not hardening your setup with something like Whonix then firejail’s ip firewall and network stack isolation provides a way to enhance your security in a very low spec way for people who don’t have the pc juice to run virtual machines.
bubblejail does offer network stack isolation via slirp4netns. But it’s true that firejail is much more feature rich, and reading further upon the “issues with firejail” I realize that there’s a lot of misinformation and small nitpicks that aren’t nearly as severe as people make them out to be. I still prefer bubblejail as of now, but might switch some of my programs to firejail to take advantage of some of the extra features it provides.
Awesome! I might look into slirp4netns. Is their a tutorial or directions for setting it up?
Yeah I’m going to just go on record and say firejail is the sandbox I’m most comfortable with. Why? I’ve used it FOREVER compared to my small sample with bubblejail. I never got deep into the weeds of the firejail security controversy, so I’m definitely not the guy to come to for the most up to date advice. But if privilege escalation is the main concern with using it I think it would make better sense to focus on the fundamental design flaws in Linux’s graphical isolation. It’s long been known that X11’s privilege escalation is a possible vector for malicious apps to exploit code. And given the large codebase of X11 I would think this is a bigger attack point than something like firejail. I think running wayland, and xwayland for apps that don’t support native sessions, is the much better solution irrespective if someone uses sandboxes and/or MAC controls.
) so I’ll reply here to ask the team to consider mentioning bubblejail in the Linux sandboxing guide.