A simple Bash wrapper script for Bubblewrap. Create "boxes" that serve as home directories within bwrap containers, and save Bubblewrap options in separate config files.
Git clone this repo
First, create a box, a folder that Bubblewrap will mount as the home partition:
./bbox.sh -b MyBox -c
Then put that box to use:
./bbox.sh -b MyBox -p __basic -p __home -r
This will run bwrap bash, with the contents of MyBox folder mounted as $HOME and some basic settings that give a usable environment.
Option -p __basic means include profile __basic. See next section for more info.
You can also pass bwrap options directly, after --:
./bbox.sh -b MyBox -p wine -r -- --ro-bind ~/Temp/wine-proton-8.0.4 /usr/local
The arguments of the last invocation are saved for each box, so if you want to use that box later without changing anything, run:
./bbox.sh -b MyBox -R
See help:
./bbox.sh -h
Profiles are just text files where you can write a list of options to run bwrap with:
# profiles/__basic.profile
--ro-bind /usr/bin /usr/bin
--ro-bind /usr/lib /usr/lib
--dir /etc
--ro-bind /etc/alternatives /etc/alternatives
--symlink /usr/bin /bin
--symlink /usr/lib /lib
--symlink /usr/lib/x86_64-linux-gnu /lib64
--proc /proc
--tmpfs /tmp
--dev /dev
--die-with-parent
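The way these profiles are imported allows some Bash processing inside the profiles. That processing happens in the wrapper script on the host, before bwrap starts, so treat a profile as code you trust rather than as plain data. For example: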
# profiles/__home.profile
--bind $( get_home ) $HOME
There is also a way to include profiles within other profiles:
# profiles/wine.profile
!include __basic
!include __home
--unshare-user-try
--unshare-pid
--unshare-net
--unshare-uts
--unshare-cgroup-try
--dev-bind /dev/nvidia0 /dev/nvidia0
...
The profiles folder contains some pre-built profiles, including a profile to run Wine on a system with an Nvidia GPU.
If you want to build your own profile for some app, try starting with __basic and __home, then run your app within the container and pay attention to the errors. You can use strace to find out what the app was trying to access when it errored out.
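One way to act on the strace advice above, as an added example that is not part of bbox.sh: a shell function that summarises which paths a traced program failed to reach. The names failed_paths and sample_trace and the trace lines are constructed; the input is assumed to be in the format written by `strace -f -e trace=file -o app.trace <app>` run inside the box.

```shell
#!/bin/sh
# Added example (not from the bbox repo): summarise failed file accesses
# recorded by strace, so you can see what a profile is still missing.
# Output lines have the form "<count> <errno> <path>", most frequent first.

failed_paths() {
    awk '
        # Only syscalls that failed because the path is absent (ENOENT),
        # not permitted (EACCES) or on a read-only bind (EROFS).
        match($0, / = -1 (ENOENT|EACCES|EROFS) /) {
            errno = substr($0, RSTART + 6, RLENGTH - 7)
            # The first quoted argument of a file syscall is the path.
            if (match($0, /"[^"]*"/)) {
                path = substr($0, RSTART + 1, RLENGTH - 2)
                seen[errno " " path]++
            }
        }
        END { for (k in seen) print seen[k], k }
    ' | LC_ALL=C sort -k1,1nr -k3,3
}

# Constructed sample trace (pid-prefixed lines, as produced by -f with -o).
sample_trace() {
    cat <<'EOF'
1201 execve("/usr/bin/myapp", ["myapp"], 0x7ffd0 /* 12 vars */) = 0
1201 openat(AT_FDCWD, "/etc/ld.so.cache", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
1201 openat(AT_FDCWD, "/usr/lib/x86_64-linux-gnu/libc.so.6", O_RDONLY|O_CLOEXEC) = 3
1201 openat(AT_FDCWD, "/etc/fonts/fonts.conf", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
1202 openat(AT_FDCWD, "/etc/fonts/fonts.conf", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
1201 access("/etc/ssl/certs", R_OK) = -1 ENOENT (No such file or directory)
1201 openat(AT_FDCWD, "/usr/lib/myapp/cache.db", O_WRONLY|O_CREAT, 0644) = -1 EROFS (Read-only file system)
1201 openat(AT_FDCWD, "/dev/dri/card0", O_RDWR|O_CLOEXEC) = -1 ENOENT (No such file or directory)
EOF
}

# Demo on the constructed trace; for a real run: failed_paths < app.trace
sample_trace | failed_paths
```

Each reported path is a candidate for an extra --ro-bind line in the profile. Bind the narrowest path that makes the error go away rather than a whole parent directory.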