From Gentoo Wiki
Jump to:navigation Jump to:search
Warning, this page is a work in progress by WavyEbuilder (talk | contribs). Treat its contents with caution.

Bubblewrap is a low-level unprivileged sandboxing tool used by Flatpak. Bubblewrap makes extensive use of user namespaces in the Linux kernel to allow unprivileged users to sandbox programs.


USE flags

USE flags for sys-apps/bubblewrap Unprivileged sandboxing tool, namespaces-powered chroot-like solution

selinux !!internal use only!! Security Enhanced Linux support, this must be set by the selinux profile or breakage will occur
suid Enable setuid root program(s)

The suid USE flag can be used to support using bubblewrap without user namespaces by setting suid on the bwrap binary.


root #emerge --ask sys-apps/bubblewrap


User namespaces can be enabled in the kernel so that suid is not required on the bwrap binary:

KERNEL Enabling user namespaces
General setup --->
  Namespaces support --->
    <*>  User namespace


Possible obstacles

User namespaces not available in the current kernel

Make sure user namespaces are enabled in the kernel or enable the suid USE flag. CONFIG_USER_NS=y

External resources