Bubblewrap 0.9 Released

After a year of development, Bubblewrap 0.9, a new version of the tool for setting up isolated environments, has been released. The Flatpak project uses Bubblewrap to isolate applications launched from packages. The project code is written in C and is available under the LGPLv2+ license.

Isolation relies on Linux container virtualization technologies: cgroups, namespaces, Seccomp, and SELinux. To perform the privileged operations needed to configure the container, Bubblewrap is initially launched with root privileges (an executable file with the SUID flag) and drops those privileges once initialization is complete.

The tool does not require user namespaces to be enabled on the system, since they do not function by default in many distributions. To exclude all user identifiers and processes from the environment, the CLONE_NEWUSER and CLONE_NEWPID modes are used. Additionally, programs executed by Bubblewrap are launched in PR_SET_NO_NEW_PRIVS mode, which provides added protection against gaining new privileges.

File system isolation is achieved by creating a new mount namespace, in which an empty root partition is created using tmpfs. External file system partitions can be attached in "mount --bind" mode if needed. Network capabilities are limited to the loopback interface, with network stack isolation through the CLONE_NEWNET and CLONE_NEWUTS flags.
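The probe below is an added example, not code from Bubblewrap or from the original article: it checks in a throwaway child process whether the host lets the caller set PR_SET_NO_NEW_PRIVS and create the user, PID, mount, network and UTS namespaces named above. The function names and exit codes are assumptions of this example.

```c
#define _GNU_SOURCE
#include <sched.h>
#include <stdio.h>
#include <unistd.h>
#include <sys/prctl.h>
#include <sys/types.h>
#include <sys/wait.h>

/* Namespaces named in the text, plus the mount namespace. */
#define SANDBOX_FLAGS (CLONE_NEWUSER | CLONE_NEWPID | CLONE_NEWNS | \
                       CLONE_NEWNET | CLONE_NEWUTS)

/* Exit codes (constructed for this example):
 *   0 = no_new_privs set and all namespaces created
 *   1 = no_new_privs set, but unshare() was refused
 *       (for instance, user namespaces disabled on this host)
 *   2 = no_new_privs could not be set or did not read back as 1 */
static int child_setup(void)
{
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0)
        return 2;
    if (prctl(PR_GET_NO_NEW_PRIVS, 0, 0, 0, 0) != 1)
        return 2;
    if (unshare(SANDBOX_FLAGS) != 0)
        return 1;
    return 0;
}

/* Fork first: no_new_privs cannot be cleared once set, and the
 * namespaces should not leak into the calling process. */
int sandbox_probe(void)
{
    int status;
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0)
        _exit(child_setup());
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status))
        return -1;
    return WEXITSTATUS(status);
}

int main(void)
{
    int r = sandbox_probe();
    printf("probe result: %d\n", r);
    return r < 0;
}
```

A result of 1 on an unprivileged account means the kernel refused namespace creation, which is the situation the SUID launch described earlier is meant to cover.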

A notable difference from the Firejail project is that Bubblewrap's container creation layer includes only the minimum necessary capabilities. The extended functions needed for launching graphical applications, interacting with the desktop, and filtering calls to PulseAudio are handled separately in Flatpak after privileges are dropped. This approach simplifies auditing and enhances security compared to Firejail.

In the latest release, files generated by Autotools have been removed from the source package. The Meson build system is now recommended for building, and the optional Autotools support is to be removed in future releases.
