[Request] bottles sandboxing with bubblewrap/flatpak-spawn (experiment)

[mirkobrombin]

Is your feature request related to a problem?
Currently Bottles provides two type of sandboxing: the one coming with Flatpak which confine the whole software and the unlinked which remove symlinks between homedir and userdir.

Only the first one can be controlled, giving more permissions to the whole Flatpak. However, this does not allow you to assign remove permissions to the individual bottle, for example, preventing access to the network.

Describe the solution you'd like
Uaing bubblewrap (or maybe others) to confine each bottle with custom tweakable permissions.

Additional context
Steam does a similar process with it's sandboxing.

[trymeouteh]

Would like to see options to sandbox bottles to not have access to things such as...

Network/Internet
Mic
Webcam
Speaker
Bluetooth
Directories (Can only access whitelisted directories outside of the bottle)

[mirkobrombin]

Working on

[mirkobrombin]

bwrap doesn't work under flatpak, I think a wrapper that supports both bwrap and flatpak-spawn is needed

[mirkobrombin]

Implemented as experimental feature.