Bubblewrap

From Gentoo Wiki
Warning, this page is a work in progress by WavyEbuilder (talk | contribs). Treat its contents with caution.

Bubblewrap is a low-level unprivileged sandboxing tool used by Flatpak. Bubblewrap makes extensive use of user namespaces in the Linux kernel to allow unprivileged users to sandbox programs.

Installation

USE flags

USE flags for sys-apps/bubblewrap (Unprivileged sandboxing tool, namespaces-powered chroot-like solution)

selinux  !!internal use only!! Security Enhanced Linux support, this must be set by the selinux profile or breakage will occur
suid     Enable setuid root program(s)

The suid USE flag installs the bwrap binary with the setuid root bit set, so that bubblewrap can be used on kernels without user namespace support.

Emerge

root # emerge --ask sys-apps/bubblewrap

Kernel

User namespaces can be enabled in the kernel so that the setuid bit is not required on the bwrap binary:

KERNEL Enabling user namespaces
General setup --->
  Namespaces support --->
    [*] User namespace

Troubleshooting

Possible obstacles

User namespaces not available in the current kernel

Make sure user namespaces are enabled in the kernel (CONFIG_USER_NS=y), or enable the suid USE flag.
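
A small diagnostic script that applies the two checks this page gives for the "user namespaces not available" error: whether the running kernel has CONFIG_USER_NS=y, and whether the bwrap binary carries the setuid bit from the suid USE flag. This is an added example, not Gentoo's or bubblewrap's own tooling; the config locations /proc/config.gz and /boot/config-$(uname -r) and the fallback path /usr/bin/bwrap are assumptions about a typical install.

```sh
#!/bin/sh
# bwrap-check.sh: report which route bwrap can use to create its sandbox,
# unprivileged user namespaces (CONFIG_USER_NS=y) or a setuid bwrap binary
# (USE="suid"). Added example, not part of sys-apps/bubblewrap.
# The kernel config and bwrap paths below are assumptions about a typical system.

# kernel_userns_enabled CONFIG_FILE
# 0 if the config contains CONFIG_USER_NS=y, 1 if not, 2 if unreadable.
# Accepts both the gzip'd /proc/config.gz and plain /boot/config-* files.
kernel_userns_enabled() {
    [ -r "$1" ] || return 2
    case "$1" in
        *.gz) gzip -dc "$1" ;;
        *)    cat "$1" ;;
    esac | grep -qx 'CONFIG_USER_NS=y'
}

# bwrap_is_suid BINARY: 0 if the binary carries the setuid bit (USE="suid" route).
bwrap_is_suid() {
    [ -u "$1" ]
}

# find_kernel_config: print the first readable config for the running kernel.
find_kernel_config() {
    for f in /proc/config.gz "/boot/config-$(uname -r)"; do
        if [ -r "$f" ]; then printf '%s\n' "$f"; return 0; fi
    done
    return 1
}

# bwrap_sandbox_route CONFIG_FILE BINARY
# Prints userns, suid or none; returns 0 only when some route exists.
bwrap_sandbox_route() {
    if kernel_userns_enabled "$1"; then echo userns
    elif bwrap_is_suid "$2"; then echo suid
    else echo none; return 1
    fi
}

# diagnose: check the running system and print the remedy this wiki page gives.
diagnose() {
    cfg=$(find_kernel_config) || cfg=""
    bin=$(command -v bwrap) || bin=/usr/bin/bwrap
    route=$(bwrap_sandbox_route "$cfg" "$bin") || true
    echo "kernel config: ${cfg:-not found}  bwrap: $bin  route: $route"
    [ "$route" != none ] || echo "Fix: set CONFIG_USER_NS=y or emerge sys-apps/bubblewrap with USE=\"suid\"."
}

if [ "$(basename -- "$0")" = bwrap-check.sh ]; then diagnose; fi
```

Save it as bwrap-check.sh and run it directly to diagnose the current machine; the functions can also be sourced and pointed at other config files or binaries.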

External resources