sandboxing Wayland applications


I like sandboxing Linux applications. Tools like bubblewrap, and Bubblejail on top of it, make this easy by building on Linux namespaces.

This works well for command line applications, but sandboxing graphical applications is harder. A Wayland application needs the compositor's socket to create and manage its windows, and that same connection lets it bind every global the compositor advertises. Depending on the compositor, those can include privileged protocols for capturing screen contents, reading the clipboard, injecting input and listing other clients' windows, so an application that gets the plain socket is not really sandboxed from the desktop at all. The security_context protocol (wp_security_context_v1) exists to fix this: a sandbox engine registers a separate listening socket with the compositor, tagged with a sandbox engine name, an app ID and an instance ID, and the compositor then knows which connections come from sandboxed clients and can refuse them the privileged globals.

Instead of bind-mounting the normal Wayland socket into the sandbox, create a second socket that has the security context attached and mount only that one. way-secure does this for you: it talks to the real compositor and registers a new listening socket with the context applied. Inside the sandbox the application connects to that socket as if it were the compositor's own, gets its windows, and is denied whatever the compositor reserves for trusted clients. Two caveats: the compositor has to implement wp_security_context_v1 (check that wayland-info on the host lists wp_security_context_manager_v1), and the application must not be able to reach the real socket by any other path, so do not mount the host's XDG_RUNTIME_DIR into the sandbox.
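The procedure above as a script, added here as an example; it is not code from this post, from way-secure or from bubblewrap. The way-secure command line (-s, -a, -i and a socket path) and the assumption that way-secure keeps running while the tagged socket should stay open are assumptions to verify against `way-secure -h`; the per-app socket name and the list of privileged globals are also mine, and which globals a compositor actually hides from sandboxed clients is compositor-specific. The two check functions run over `wayland-info` output and are meant to be used once on the host and once inside the sandbox:

```shell
#!/bin/sh
# Added example, not code from the post, way-secure or bubblewrap.
# Launch a Wayland application under bubblewrap with only a
# security-context-tagged socket created by way-secure, plus two
# checks that run over `wayland-info` output.
#
# Assumptions (verify against `way-secure -h` on your system):
#   - way-secure takes: -s <sandbox-engine> -a <app-id> -i <instance-id> <socket-path>
#   - it keeps running while the tagged socket should stay open (the
#     protocol tells the compositor to stop listening once the sandbox
#     engine closes its end of close_fd)
set -eu

# Check 1: does the host compositor advertise the protocol at all?
# Reads `wayland-info` output on stdin; exit 0 if the manager global is
# there. Without it way-secure cannot create a tagged socket and the app
# would need the plain socket, i.e. no restriction at all.
has_security_context() {
    grep -q 'wp_security_context_manager_v1'
}

# Check 2: print the privileged globals visible in `wayland-info` output
# on stdin. On the host this lists what an unsandboxed client could use;
# run inside the sandbox it should print nothing. Illustrative list of
# common wlroots/ext globals (screen contents, clipboard, input injection,
# other clients' windows); the set a compositor hides is compositor-specific.
privileged_globals() {
    grep -oE 'zwlr_screencopy_manager_v1|zwlr_export_dmabuf_manager_v1|zwlr_data_control_manager_v1|zwp_virtual_keyboard_manager_v1|zwlr_virtual_pointer_manager_v1|zwlr_foreign_toplevel_manager_v1|zwlr_layer_shell_v1|ext_session_lock_manager_v1|wp_security_context_manager_v1' || true
}

# Reverse-DNS app IDs (org.example.App) are what compositors key policy on;
# reject anything else so a malformed ID cannot collide with another app's.
valid_app_id() {
    printf '%s\n' "$1" | grep -Eq '^[A-Za-z0-9_-]+(\.[A-Za-z0-9_-]+)+$'
}

# Host-side path of the per-app tagged socket (assumed naming convention).
secure_socket_path() {
    printf '%s/wayland-sandbox-%s\n' "${XDG_RUNTIME_DIR:-/run/user/$(id -u)}" "$1"
}

# Usage: run_sandboxed org.example.App command [args...]
run_sandboxed() {
    app_id=$1
    shift
    valid_app_id "$app_id" || { echo "bad app id: $app_id" >&2; return 2; }

    if ! wayland-info | has_security_context; then
        echo "compositor does not advertise wp_security_context_manager_v1" >&2
        return 1
    fi

    sock=$(secure_socket_path "$app_id")
    rm -f "$sock"
    # Assumed CLI: sandbox engine name, app ID, per-instance ID, socket path.
    way-secure -s org.example.bwrap -a "$app_id" -i "$$" "$sock" &
    ws_pid=$!
    trap 'kill "$ws_pid" 2>/dev/null || true; rm -f "$sock"' EXIT INT TERM

    # Wait for the listener to appear instead of racing the app against it.
    i=0
    while [ ! -S "$sock" ] && [ "$i" -lt 50 ]; do sleep 0.1; i=$((i + 1)); done
    [ -S "$sock" ] || { echo "way-secure did not create $sock" >&2; return 1; }

    # Inside the sandbox XDG_RUNTIME_DIR is a fresh directory holding only
    # the tagged socket, under the name clients expect; the host's runtime
    # dir (and so the real wayland-0) is never mounted. Add
    # `--dev-bind /dev/dri /dev/dri` if the app needs GPU rendering.
    inside_runtime=/run/user/$(id -u)
    bwrap \
        --unshare-all --die-with-parent --new-session \
        --ro-bind /usr /usr --symlink usr/lib /lib --symlink usr/lib64 /lib64 \
        --symlink usr/bin /bin --ro-bind /etc /etc \
        --proc /proc --dev /dev --tmpfs /tmp \
        --dir "$inside_runtime" \
        --ro-bind "$sock" "$inside_runtime/wayland-0" \
        --setenv XDG_RUNTIME_DIR "$inside_runtime" \
        --setenv WAYLAND_DISPLAY wayland-0 \
        --unsetenv DISPLAY \
        -- "$@"
}

if [ "$#" -gt 0 ]; then
    run_sandboxed "$@"
fi
```

To compare host and sandbox views, run `wayland-info | privileged_globals` on the host and then `run_sandboxed org.example.Test sh -c 'wayland-info' | privileged_globals`; the second should print nothing if the compositor honours the security context. The read-only bind of the socket is deliberate: connecting to a Unix socket does not need a writable mount, and Flatpak mounts its Wayland socket the same way.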

I mainly wanted to write about the Wayland socket in this post because there isn't much awareness of the bubblewrap plus way-secure approach. The Wayland socket is not everything, though. The application can show a window, but the rest of the desktop integration is missing: file choosers, opening links, notifications and screen sharing all go through D-Bus on a modern desktop, and the sandbox has no D-Bus session. This is the same problem that Flatpak solves with XDG Desktop Portal and a filtered D-Bus connection (xdg-dbus-proxy), and you can reuse some of those tools and approaches outside Flatpak. Bubblejail does this to some degree but needs more polish.