From ArchWiki

Sandbox escapes through X11 and DBus

Various of the examples forward the X11 or DBus sockets without any kind of filtering. I believe this allows for sandbox escapes (see e.g.,

At the minimum those weaknesses should be mentioned (EDIT: The X11 weakness is already mentioned in the main Bubblewrap article, but not the DBus one). Ideally safe configurations should be provided (for X11: either avoiding X11 forwarding altogether or using Xephyr/Xpra, for DBus: using xdg-dbus-proxy).

—This unsigned comment is by Joanbrugueram (talk) 02:30, 22 January 2023. Please sign your posts with ~~~~!
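
As an added illustration of the concern raised above (not part of the comment or of the wiki's examples), the following shell function audits a `bwrap` argument list for bind mounts whose source is a raw X11 or DBus socket. The function names, the UID 1000 paths and the proxy socket path are constructed for this example.

```shell
#!/bin/sh
# Added example: flag bwrap bind mounts that hand the sandbox a raw X11 or
# DBus socket. Only the bind SOURCE is inspected, so a filtered
# xdg-dbus-proxy socket mounted at the usual bus path is not flagged.
# Limitation: a nested Xephyr/Xpra display socket is flagged like the host one.
audit_bwrap_args() {
    audit_rc=0
    while [ "$#" -gt 0 ]; do
        case "$1" in
            --) break ;;   # end of bwrap options; the rest is the command
            --bind|--bind-try|--ro-bind|--ro-bind-try|--dev-bind|--dev-bind-try)
                [ "$#" -ge 3 ] || break   # malformed: missing SRC or DEST
                case "$2" in
                    /tmp/.X11-unix|/tmp/.X11-unix/*)
                        echo "X11: $2 -> $3 (confirm this is a nested display, not the host one)"
                        audit_rc=1 ;;
                    /run/user/*/bus|/run/dbus/system_bus_socket|/var/run/dbus/system_bus_socket)
                        echo "DBus: $2 -> $3 (bus socket forwarded without a filtering proxy)"
                        audit_rc=1 ;;
                esac
                shift 3 ;;
            *) shift ;;
        esac
    done
    return "$audit_rc"
}

# Constructed sample: both sockets forwarded directly.
weak_example() {
    audit_bwrap_args --unshare-all --ro-bind /usr /usr \
        --bind /tmp/.X11-unix/X0 /tmp/.X11-unix/X0 \
        --bind /run/user/1000/bus /run/user/1000/bus \
        -- /usr/bin/app --bind ignored ignored
}

# Constructed sample: no X11, and the bus path is backed by a proxy socket
# (assumed to have been created by xdg-dbus-proxy with --filter).
proxied_example() {
    audit_bwrap_args --unshare-all --ro-bind /usr /usr \
        --bind /run/user/1000/xdg-dbus-proxy/app.sock /run/user/1000/bus \
        -- /usr/bin/app
}

weak_example || echo "weak_example: findings listed above"
proxied_example && echo "proxied_example: no raw sockets forwarded"
```

The audit only proves that a raw socket is not bound in; whether the proxy's own filter rules are tight enough still has to be reviewed separately.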