It's the base for Flatpack, the thing that makes Flatpack be sandboxed.
I use it to run Claude Code / Codex / Gemini CLI, to make sure that they have a limited / fake view of my system.
You can bind directories into it, or overlay them into it, restrict other kinds of access.
If Docker is a thing in a scale between a VM and your OS, Bubblewrap is a thing a scale between Docker and your OS. You use your OS, instead of installing and managing an OS like you do with Docker, but you get filesystem and process isolation like with Docker.
Though I had an issue where I cannot use `--new-session`, which is kind of dangerous to not use, but you can get around it if you use seccomp to block ioctl calls, and ptrace.
I documented what I came up with for Claude Code: https://blog.gpkb.org/posts/ai-agent-sandbox/ However, I couldn't get this to work for Codex, it kept failing at the auth bit and I couldn't figure out how to fix it. Anyone got a working solution for Codex?
How do you know what permissions are required by an application, to write a bubblewrap script?
In AppArmor, you exercise the application and aa-logprof suggests permissions requested by application. If you know AppArmor, usually you can refine those suggestions and write a profile. It may not be ideal, as aa-logprof’s permissions are multiple choice suggestions, require user knowledge and may be too broad or specific, but it could work. You will see that there are many and all kinds of permissions, and there is no way that you will be able to guess them without aa-logprof.
What is the equivalent of aa-logprof in bubblewrap and how do you find the required permissions?
bubblewrap escapes are not unheard of. Infact, it's a common theme that the general linux landscape lacks strong sandboxing, even if you use bwrap, firejail, etc. Especially linux desktop, a security firehazard to say the least unless you are using QubesOS
https://github.com/containers/bubblewrap
It's the base for Flatpack, the thing that makes Flatpack be sandboxed.
I use it to run Claude Code / Codex / Gemini CLI, to make sure that they have a limited / fake view of my system.
You can bind directories into it, or overlay them into it, restrict other kinds of access.
If Docker is a thing in a scale between a VM and your OS, Bubblewrap is a thing a scale between Docker and your OS. You use your OS, instead of installing and managing an OS like you do with Docker, but you get filesystem and process isolation like with Docker.
Though I had an issue where I cannot use `--new-session`, which is kind of dangerous to not use, but you can get around it if you use seccomp to block ioctl calls, and ptrace.