| Name | Size |
|---|---|
| LICENSE | 1072B |
| PKGBUILD | 496B |
| README.md | 2713B |
| includes/a11y | 98B |
| includes/audio | 106B |
| includes/base | 129B |
| includes/default | 59B |
| includes/gui | 525B |
| includes/host-os | 188B |
| includes/locale | 263B |
| includes/network | 93B |
| includes/portal | 203B |
| xiwrap.py | 11804B |
xiwrap - slightly higher-level container setup utility
xiwrap is a thin wrapper around bwrap that adds some features:
- configuration can be included from files. This allows to create a library of reusable modules.
- xdg-dbus-proxy is integrated to allow dbus filtering.
Example usage
xiwrap --include host-os --dbus-talk org.freedesktop.portal.Desktop -- bash
See xiwrap --help for a full list of options.
Security disclaimer
I am not an expert and this project is meant more for learning and experimenting than for production use.
Why another tool?
Linux has great low-level sandboxing features. However, I feel like we have not yet found the right high level abstraction. Docker, systemd, and flatpak are all great, but I think we can do better.
There is a sprawling, messy ecosystem of tools (mostly centered around bwrap and firejail) that experiment with alternative designs. I think this is great. We have to allow for some creative chaos to come up with great designs. xiwrap is my contribution to that mess.
The real goal is to find a set of reusable, easy-to-understand configuration modules. xiwrap is only a tool that allows me to easily iterate on those modules.
Why not flatpak?
flatpak is a mature and well established project that also uses bwrap and xdg-dbus-proxy. I actually really like the high level permissions they have been building.
However, flatpak does much more than just sandboxing. With flatpak, libraries are not managed centrally, but come bundle with each app. As a result, they are often redundant or even outdated. This is because flatpak's main goal is to simplify packaging for Linux. Their vision is that users get their apps directly from developers instead of going through distros. Sandboxing is a necessary condition for that vision, but not a goal in itself. Much of the criticism flatpak received ([1] [2]) is targeted at this second aspect.
So you can think of xiwrap as an attempt to build something that has all of flatpak's sandboxing features, but none of the rest. Not because flatpak is bad, but because strong, usable sandboxing is also useful in the context of a traditional distro.
Prior Art
- https://github.com/flatpak/flatpak/issues/3638
- https://wiki.archlinux.org/title/Bubblewrap/Examples
- https://github.com/ruanformigoni/flatimage/
- https://github.com/netblue30/firejail
- https://github.com/igo95862/bubblejail