You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
Tobias da3d4820af clarified readme 7 months ago
examples/librefox more readable 7 months ago
LICENSE Initial commit 8 months ago clarified readme 7 months ago Added Example, Dynamic userconf and clarified readme 7 months ago


This is a tiny example for how to use bubblewrap to isolate programs into namespaced everything (except network access)

Keep in mind, this is NOT a 100% breakout-resistant thing. However it could be used to protect processes from reading files they are not supposed to see, and have them locked “good enough”.

Userdata will be persisted so you can run a separate browser instance as well. Or create a startup script inside the new home folder of the sandbox and run it via ./


Calling just a tool:

./ bash

Running an entire script in the sandbox, giving you way more code options:

./ ./

(This would call ~/



Some tools, like vscodium, use a launcher that dies when the program starts. With the script dying if the first spawned child process dies this will lead to these tools not running in this particular config. You will need to remove:


from the Script to make it work, at the risk of tools not closing when the console/program closes.

Or you could override these in a user-given file, see examples in the example/librefox folder


Steam will die if you use the “Save Password” Option, because dbus fails.

I get this could be pretty annoying to use, so instead you can:

edit the steam.desktop file

replace “Exec” with “Exec=/path/to/ ./”

And then create the file: $HOME/$YOUR_USERNAME_HERE/ with the contents:



steam -login '$YOURUSERNAME' '$PASSWORD'

(Make sure the args get escaped well if you have complex username/pw combos)

Beware, this will expose your credentials to all processes that can read your other system processes, but it does make steam login flawless and avoids the crash.