Help with running bubblewrap in a Flatpak

I have this CLI mod manager that I’m packaging, and it relies on using bwrap to sandbox package installation, so mod installation can’t somehow wipe out the home directory or do something malicious. The problem is, you can’t run bubblewrap nested, as sandboxed applications don’t have permission to create namespaces. One option is to just disable the nested bubblewrap, but I don’t want to do that because this application needs access to the home directory, but mod installation doesn’t. Is there some way to narrow Flatpak’s sandbox for just one internal process, or something like that?

I think you can spawn a sub-sandbox via the Flatpak-Portal (Portal Documentation).

The flatpak portal exposes some interactions with flatpak on the host to the sandbox. For example, it allows you to restart the applications or start a more sandboxed instance.

The simplest solution is probably via flatpak-spawn within your sandboxed application (man flatpak-spawn).
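As an added example, not code from this thread or from the mod manager being packaged: a POSIX shell wrapper that runs the installer step through `flatpak-spawn --sandbox` instead of a nested bwrap. The installer path `/app/bin/mod-install` and the `mods` staging name are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: run the mod-installation step through a
# flatpak-spawn sub-sandbox (via the Flatpak portal) instead of a nested bwrap.
# Assumptions (not in the original post): the installer binary is
# /app/bin/mod-install and mod archives are staged under the "mods" name.
set -e

# --sandbox-expose=NAME exposes $XDG_DATA_HOME/sandbox/NAME (inside a Flatpak,
# ~/.var/app/<app-id>/data/sandbox/NAME) read-write to the sub-sandbox. The
# app's own home-directory access and other filesystem grants are not inherited.
STAGE_NAME="mods"
STAGE_DIR="${XDG_DATA_HOME:-${HOME:-/tmp}/.local/share}/sandbox/$STAGE_NAME"

# Build and run the sub-sandboxed install. With DRY_RUN=1 the argv is printed
# one argument per line instead of being executed (no Flatpak session needed).
mod_install() {
    installer="$1"   # program that unpacks/installs the mod
    archive="$2"     # archive file name inside $STAGE_DIR

    set -- flatpak-spawn \
        --sandbox \
        --no-network \
        "--sandbox-expose=$STAGE_NAME" \
        "--directory=$STAGE_DIR" \
        -- "$installer" "$STAGE_DIR/$archive"

    if [ "${DRY_RUN:-0}" = 1 ]; then
        printf '%s\n' "$@"
    else
        "$@"
    fi
}

# Typical use from the mod manager, after copying the archive into $STAGE_DIR:
#   mod_install /app/bin/mod-install example-mod.zip
```

The `--sandbox` flag only works when the application itself is running inside Flatpak with the portal available; outside Flatpak the call fails rather than silently running unsandboxed.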


One thing, would it be okay to just flatpak-spawn bwrap?

This requires permissions.