Date Created: 2025-03-29 By: 16BitMiker [ BACK.. ]
Bubblewrap (bwrap) is a powerful sandboxing utility that leverages Linux namespaces to create isolated environments for applications. Unlike virtual machines or containers, Bubblewrap focuses solely on isolation without virtualization overhead, making it lightweight and efficient for daily use.
xxxxxxxxxx# Install bubblewrap from Debian repositoriessudo apt install bubblewrapLinux kernel ≥ 4.9 with user namespaces enabled ✅
Check kernel support with:
xxxxxxxxxx# This command checks if user namespaces are enabled# If the file exists, user namespaces are supportedls /proc/self/ns/user
# For more detailed namespace information, try:ls -la /proc/self/ns/# This shows all available namespace types on your systemBubblewrap isolates applications through Linux namespaces, which partition system resources in various ways. Let's explore each type:
Mount namespaces control what filesystems are visible to processes.
xxxxxxxxxx# Basic read-only system access# --ro-bind: Mounts directories read-only for security# This allows the sandboxed app to access system binaries and librariesbwrap --ro-bind /usr /usr --ro-bind /bin /bin --ro-bind /lib /lib
# With library symlinks (Debian-specific)# This approach is more elegant as it mirrors Debian's filesystem structure# --symlink: Creates symbolic links inside the sandboxbwrap --ro-bind /usr /usr --symlink usr/lib /lib --symlink usr/lib64 /lib64User namespaces map UIDs/GIDs between the host and sandbox.
xxxxxxxxxx# Map current user to specific UID inside container# This keeps your identity but with controlled permissions# --uid/--gid: Set specific user/group IDs inside the sandboxbwrap --uid 1000 --gid 1000 bash
# Root inside container (use with caution!)# This maps your user to root inside the sandbox# Useful for some applications, but potentially dangerousbwrap --uid 0 --gid 0 bashPID namespaces create isolated process trees.
xxxxxxxxxx# Create isolated process tree# --unshare-pid: Creates a new PID namespace# --proc: Mounts a new /proc filesystem to match the isolated PID space# Without a proper /proc, many applications will malfunctionbwrap --unshare-pid --proc /proc bash
# Check isolation within the sandboxps aux # Shows only processes in sandbox, not the host systemNetwork namespaces isolate network interfaces and routing tables.
xxxxxxxxxx# Complete network isolation# --unshare-net: Creates a new network namespace with no interfaces# Result: No internet access, not even loopback (127.0.0.1)bwrap --unshare-net bash
# Shared network (internet access)# --share-net: Inherits the host's network namespace# Provides normal internet access while maintaining other isolationsbwrap --share-net bashThis example creates a secure environment for Firefox with minimal permissions.
xxxxxxxxxxbwrap \ --ro-bind /usr /usr \ --ro-bind /etc/ssl /etc/ssl \ # SSL certificates for HTTPS --ro-bind /etc/ca-certificates /etc/ca-certificates \ # Required for certificate validation --symlink usr/lib /lib \ # Standard library symlinks --symlink usr/lib64 /lib64 \ # For 64-bit libraries --ro-bind /etc/resolv.conf /etc/resolv.conf \ # DNS resolution --proc /proc \ # Process information --dev /dev \ # Device access (limited) --tmpfs /tmp \ # Temporary volatile storage --tmpfs $HOME \ # Clean home directory --bind ~/.mozilla-sandbox ~/.mozilla \ # Persistent Firefox profile in a dedicated location --bind ~/Downloads ~/Downloads \ # Access to Downloads folder --share-net \ # Allow internet access --unshare-pid \ # Process isolation --unshare-uts \ # Hostname isolation --unshare-ipc \ # IPC isolation --new-session \ # Protect against terminal escape attacks --die-with-parent \ # Clean termination when parent process ends firefoxThis configuration balances security with gaming functionality.
xxxxxxxxxxbwrap \ --ro-bind /usr /usr \ # System binaries and libraries (read-only) --ro-bind /opt /opt \ # Optional packages (often used by games) --symlink usr/lib /lib \ # Standard library symlinks --symlink usr/lib64 /lib64 \ # For 64-bit libraries --dev-bind /dev/dri /dev/dri \ # Direct Rendering Infrastructure for GPU access --ro-bind /tmp/.X11-unix /tmp/.X11-unix \ # X11 socket for display access --bind $HOME/.Xauthority $HOME/.Xauthority \ # X11 authentication --bind $HOME/.steam $HOME/.steam \ # Steam configuration --bind $HOME/.local/share/Steam $HOME/.local/share/Steam \ # Steam game library --tmpfs $HOME/.config \ # Clean config for other applications --proc /proc \ # Process information --share-net \ # Internet access for downloads and multiplayer --new-session \ # Security against terminal escape steamLinux capabilities provide fine-grained control over privileged operations.
xxxxxxxxxx# Drop all capabilities# This removes all special permissions from the sandboxed process# Provides maximum security but may limit functionalitybwrap --cap-drop ALL bash
# Keep only specific capabilities# --cap-add: Selectively restore needed capabilities# CAP_NET_BIND_SERVICE: Allows binding to ports below 1024# Useful for applications that need to run services on standard portsbwrap --cap-drop ALL --cap-add CAP_NET_BIND_SERVICE bashxxxxxxxxxx# Always use --new-session to prevent TIOCSTI attacks ⚠️# TIOCSTI attacks can inject keystrokes into your terminal# --new-session creates a new terminal session, cutting off this attack vectorbwrap --new-session bashMonitor processes within the sandbox to detect unusual behavior.
xxxxxxxxxx# Create new monitoring session# Creates an isolated environment with its own process treebwrap --unshare-pid --proc /proc bash
# Inside sandbox:# Continuously monitor processes, updating every second# grep -v PS removes the ps command itself from the outputwatch -n 1 "ps aux | grep -v PS"Useful for diagnosing permission issues in your sandbox.
xxxxxxxxxx# Use strace to monitor file operations# -f: Follow child processes# -e file: Filter for file operations only# Perfect for identifying missing file bindingsstrace -f -e file bwrap [...] 2>&1 | grep -E 'open|stat'xxxxxxxxxx# Get PID of process inside sandbox# First, identify which process you want to examineps aux | grep bwrap
# View namespace mapping# Each entry shows a different namespace type# Compare with host namespaces to verify isolationls -la /proc/PID/ns/xxxxxxxxxx# Inside sandbox:# Shows all mounted filesystems in the sandbox# Compare with host's mounts to verify isolationcat /proc/mountsCreate reusable configurations to simplify sandbox usage.
xxxxxxxxxx# Save as ~/bin/sandbox-browser# This script provides a consistent, secure environment for browsing# Make executable with: chmod +x ~/bin/sandbox-browser
exec bwrap \ --ro-bind /usr /usr \ # System files (read-only) --ro-bind /etc/ssl /etc/ssl \ # SSL certificates --symlink usr/lib /lib \ # Library symlinks --proc /proc \ # Process information --dev /dev \ # Device access --tmpfs /home \ # Clean home directory --bind ~/.sandbox-profile/browser ~/.mozilla \ # Persistent browser profile --share-net \ # Internet access --unshare-pid \ # Process isolation --unshare-ipc \ # IPC isolation --unshare-cgroup \ # Control group isolation --new-session \ # Terminal escape protection firefox "$@" # "$@" passes all arguments to FirefoxStore complex configurations in files for easier management.
xxxxxxxxxx# Create config file# Each argument on a separate line for clarity# Perfect for complex configurations that are reused frequentlycat > firefox.bwrap << EOF--ro-bind/usr/usr--symlinkusr/lib/lib--proc/procEOF
# Use config file# --args 42: The number is arbitrary but required# This loads all arguments from the filebwrap --args 42 < firefox.bwrap firefoxApp Integration: Create .desktop entries for sandboxed apps in ~/.local/share/applications/ 🖥️
Ephemeral Sessions: Use --tmpfs $HOME for truly private browsing without leaving traces 🕵️
Persistent Config: Bind ~/.sandbox-app to app config dir for clean persistence 📁
Desktop Integration: Use --bind /run/user/$UID /run/user/$UID for dbus access and desktop notifications 🔄
Container Hybrid: Export Docker images to run with bwrap for finer control over large environments 🐳
| Tool | Strength | Weakness | Best For |
|---|---|---|---|
| Bubblewrap | Lightweight, fine-grained | Manual configuration | Desktop applications |
| Flatpak | User-friendly, app store | Less flexible | Everyday software |
| Firejail | Easy profiles | Less actively maintained | Quick sandboxing |
| Docker | Ecosystem, packaging | Resource overhead | Development, services |
Flatpak Documentation (uses Bubblewrap internally)
Bubblewrap offers a powerful way to enhance security through isolation without the overhead of traditional virtualization. By leveraging Linux namespaces, it provides fine-grained control over what resources applications can access. While it requires more manual configuration than alternatives like Flatpak, this flexibility makes it perfect for power users who need precise control over their application environments.
As security threats continue to evolve, application sandboxing becomes increasingly important, even on desktop systems. Investing time in learning Bubblewrap's capabilities can significantly improve your system's security posture while maintaining full functionality for trusted applications.