
Talk:Bubblewrap

From ArchWiki

Todo

  • Expand upon Bash example as a means to verify the contents of the sandbox filesystem.
  • Explain why bubblewrap does not automatically create user namespaces when running with setuid privileges: bubblewrap drops all capabilities within a sandbox such that child tasks cannot gain greater privileges than their parent. The creation of a user namespace adds the SYS_CAP_ADMIN capability to sandboxed processes. The risk of providing SYS_CAP_ADMIN must be weighed against the benefit of isolating user-specific information (e.g. UID/GID) within a user namespace.

-- Adamlau (talk) 07:56, 17 January 2017 (UTC)

User namespaces only add SYS_CAP_ADMIN inside the namespace, and bubblewrap drops all caps again before executing the sandboxed process. Since namespaces are designed to be used by unprivileged users by utilising user namespaces, this will actually be much safer than using it without user namespaces. Best case would be to use bwrap on a kernel with unprivileged user namespaces available, to allow its use without suid. The actual reason bwrap does not use user namespaces by default when running with suid is that there are some rare use cases that only work outside a user namespace. Those use cases already do not work when bwrap is not installed with suid. Valoq (talk) 10:14, 21 January 2017 (UTC)
  • Introduce seccomp filter generation through libseccomp and include example --seccomp usage.

-- Adamlau (talk) 07:56, 17 January 2017 (UTC)
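The todo above asks for seccomp filter generation through libseccomp plus a --seccomp example. The following is an added example, not code from the ArchWiki page or from the bubblewrap project: instead of libseccomp it assembles the same raw classic-BPF program by hand from kernel headers alone (seccomp_export_bpf() would produce the same byte layout), writes it to a file descriptor in the form bwrap reads from --seccomp FD, and then installs the filter in its own process to show the effect. The denied syscall (getpgid) and the file name filter.bpf are placeholders chosen for the demonstration; the bwrap command line in the comment is illustrative.

```c
/* Added example for the seccomp todo: not code from the ArchWiki page or
 * the bubblewrap project. Builds a raw classic-BPF seccomp filter without
 * libseccomp (seccomp_export_bpf() emits the same layout). The denied
 * syscall, getpgid, is a harmless placeholder so the filter can be
 * installed and probed in-process. */
#include <errno.h>
#include <fcntl.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <unistd.h>
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>

#ifndef SECCOMP_RET_KILL_PROCESS
#define SECCOMP_RET_KILL_PROCESS 0x80000000U /* older kernel headers */
#endif

#if defined(__x86_64__)
#  define SANDBOX_ARCH AUDIT_ARCH_X86_64
#elif defined(__aarch64__)
#  define SANDBOX_ARCH AUDIT_ARCH_AARCH64
#else
#  error "add the AUDIT_ARCH_* constant for this architecture"
#endif

/* Fields of struct seccomp_data the filter inspects. */
#define SD_ARCH offsetof(struct seccomp_data, arch)
#define SD_NR   offsetof(struct seccomp_data, nr)

static struct sock_filter filter[] = {
    /* 1. Kill the process if the syscall ABI is not the one compiled for;
     *    without this check, syscall numbers of another ABI would be
     *    matched against the wrong table. */
    BPF_STMT(BPF_LD | BPF_W | BPF_ABS, SD_ARCH),
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, SANDBOX_ARCH, 1, 0),
    BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL_PROCESS),
    /* 2. Deny getpgid with EPERM; allow every other syscall. */
    BPF_STMT(BPF_LD | BPF_W | BPF_ABS, SD_NR),
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_getpgid, 0, 1),
    BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ERRNO | (EPERM & SECCOMP_RET_DATA)),
    BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
};

/* Number of BPF instructions in the filter. */
size_t filter_len(void) { return sizeof(filter) / sizeof(filter[0]); }

/* Write the raw instruction array to fd. This byte stream (an array of
 * struct sock_filter) is what bwrap reads from the descriptor given to
 * --seccomp FD. Returns bytes written or -1. */
ssize_t write_filter(int fd) { return write(fd, filter, sizeof(filter)); }

/* Apply the filter to the calling process the way bwrap does before exec:
 * no_new_privs first (required for an unprivileged process), then the
 * program itself. */
int install_filter(void) {
    struct sock_fprog prog = { .len = (unsigned short)filter_len(), .filter = filter };
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0) return -1;
    if (prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog) != 0) return -1;
    return 0;
}

/* Issue the denied syscall and report errno: 0 before the filter is
 * installed, EPERM afterwards. */
int probe_getpgid_errno(void) {
    errno = 0;
    return getpgid(0) < 0 ? errno : 0;
}

int main(void) {
    /* Dump the filter so a shell can hand it to bwrap, for example
     *   bwrap --seccomp 10 --ro-bind / / /bin/sh 10<filter.bpf
     * (illustrative invocation; file name is a placeholder). */
    int fd = open("filter.bpf", O_WRONLY | O_CREAT | O_TRUNC, 0600);
    if (fd < 0 || write_filter(fd) < 0) { perror("write_filter"); return 1; }
    close(fd);
    if (install_filter() != 0) { perror("install_filter"); return 1; }
    int err = probe_getpgid_errno();
    printf("getpgid under the filter: errno %d (%s)\n", err, strerror(err));
    return 0;
}
```

Returning SECCOMP_RET_ERRNO rather than killing keeps a sandboxed program debuggable: the denied call fails visibly with EPERM instead of the process disappearing, which is usually what you want while tuning a filter before tightening it to SECCOMP_RET_KILL_PROCESS.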

  • Further differentiate examples? Is goal min examples with max diff? Or simply max examples regardless of duplicated options/values?

-- Adamlau (talk) 06:24, 20 January 2017 (UTC)

Suggestion

Would someone be willing to write a new section to describe how to launch Wine applications under bwrap? It seems like a more common use case than, say, skype-for-linux, and not giving much permissions to a Windows binary in your system is very attractive. --Icar (talk) 08:58, 7 July 2021 (UTC)

Reword X11 sandboxing

As it stands, the X11 sandboxing on the page seems a lot more subjectively biased towards Wayland than it should be. X11 is not "entirely insecure", for example. It would be best if it were reworded, still recommending Wayland over X11, but without the fearmongering. See Firejail's X11 section for one that's written better. Nexrem (talk) 08:34, 8 April 2025 (UTC)

I've done [1]. Have a go at re-wording the section towards what you consider more neutral yet informative. --Indigo (talk) 17:52, 9 April 2025 (UTC)
I have reworded the section [2]. I think this is a lot more informative and clear. Wayland is clearly pointed out as not having this issue, while not being pushed for. The reader should decide on their own what technology they should use. This stance should remain until X11 is officially discontinued.
PS: I believe there should be something on the X11 SECURITY extension. Nexrem (talk) 23:37, 9 April 2025 (UTC)
Ok. [3] I know xcsecurity was enabled sometime in the server package. If you think it has useful conf options to cover in the Xorg article, please go ahead and crosslink it from this one. Or does bwrap make particular use of the extension? --Indigo (talk) 17:24, 10 April 2025 (UTC)
I am personally not well versed with XSECURITY. I have read in different forums (Gentoo) about hardening methods that utilize the extension. Someone more familiar should write something about it if they could. Nexrem (talk) 20:03, 18 April 2025 (UTC)