https://github.com/jellyterra/bwrapman
Sandbox with permission control in profile like Flatpak.
- Host: GitHub
- URL: https://github.com/jellyterra/bwrapman
- Owner: jellyterra
- License: mit
- Created: 2024-06-07T16:55:14.000Z (about 2 years ago)
- Default Branch: main
- Last Pushed: 2025-06-04T16:54:59.000Z (about 1 year ago)
- Last Synced: 2025-09-22T10:45:47.576Z (9 months ago)
- Topics: bwrap, flatpak, sandbox
- Language: Rust
- Homepage:
- Size: 14.6 KB
- Stars: 3
- Watchers: 1
- Forks: 0
- Open Issues: 0
Metadata Files:
- Readme: README.md
- License: LICENSE
README
# bwrapman
Bubblewrap profile launcher.
It aims to be an alternative to the Flatpak sandbox.
It generates sandbox options for Bubblewrap, as Flatpak does.
If D-Bus is enabled in the profile, it launches a process that proxies D-Bus messages.
## Install
### Download [binary releases](https://github.com/jellyterra/bwrapman/releases)
### Build from source
```shell
cargo install bwrapman
```
## Usage
```
bwrapman (profile) (executable) [args ...]
```
```shell
bwrapman dev.toml bash -c "echo Okay"
```
### Requirements
- bwrap
- [xdg-dbus-proxy](https://github.com/flatpak/xdg-dbus-proxy)
## Profile
### Profile schema
```rust
pub struct Config {
    pub share_user: bool,
    pub share_ipc: bool,
    pub share_pid: bool,
    pub share_net: bool,
    pub share_uts: bool,
    pub share_cgroup: bool,
    pub share_dev: bool,
    pub share_wayland: bool,
    pub share_x11: bool,
    pub share_env: bool,
    pub keep_alive: bool,
    pub bind: Option<Vec<BindConfig>>,
    pub dev_bind: Option<Vec<BindConfig>>,
    pub symlink: Option>,
    pub env_pass: Option>,
    pub env: Option>,
    pub unset: Option>,
    pub procfs: Option<String>,
    pub tmpfs: Option<Vec<String>>,
    pub uid: Option,
    pub gid: Option,
    pub hostname: Option,
    pub dbus_proxy: Option<DBusProxyConfig>,
}

pub struct BindConfig {
    pub src: String,
    pub dest: String,
    pub no_fail: bool,
    pub rw: bool,
}

pub struct DBusProxyConfig {
    pub own: Vec<String>,
    pub talk: Vec<String>,
}
```
### Example
```toml
# Enable internet.
share_net = true
# Enable IPC.
share_ipc = true
# Pass all environment variables to the sandbox.
share_env = true
# Share Wayland socket.
share_wayland = true
# Share X11 socket and authority file.
share_x11 = true
procfs = "/proc"
# Mount tmpfs on /tmp.
# This overrides /tmp/.X11-unix but may not affect the X11 connection.
tmpfs = ["/tmp"]
[[bind]]
src = "/sandbox"
dest = "/sandbox"
# Read-write permission.
rw = true
[[bind]]
src = "/etc"
dest = "/etc"
[[bind]]
src = "/opt"
dest = "/opt"
[[bind]]
src = "/sys"
dest = "/sys"
[[bind]]
src = "/usr"
dest = "/usr"
[[bind]]
src = "/usr/bin"
dest = "/bin"
[[bind]]
src = "/usr/lib"
dest = "/lib"
[[bind]]
src = "/usr/lib64"
dest = "/lib64"
[[bind]]
src = "/nix"
dest = "/nix"
# Try the bind mount and ignore it on failure.
no_fail = true
[[dev_bind]]
src = "/dev"
dest = "/dev"
[dbus_proxy]
own = []
talk = ["com.canonical.AppMenu.Registrar.*"]
```