0.9.2

Features

• Access to CPU topology under /sys/devices/system/cpu is now provided by default. A lot of modern applications makes use of it. (Chromium, WINE...) Steam profile already used root share service to pass /sys/devices/system/cpu. This change should compatible with existing Steam instances.

Fixes

• Fixed Nvidia graphics not working with direct_rendering service. The recent 500+ driver requires access to the /sys/module/nvidia/initstate file. (reported by @consolation548 and tested by @gnusenpai)

0.9.1

Features

• New icon designed by @gelatinbomb

Fixes

• Fix WebKit built-in sandboxing not working.
• Fix missing comma in default syscall filter preventing certain filters from working. (contributed by @rusty-snake)

0.9.0

Changes since 0.8.3

Major build changes!

• New dependency! python-lxns is a Python library to control Linux kernel namespaces. For convenience the library is available as a meson subproject and is bundled in source archive. Set use-vendored-python-lxns build option to true to enable meson subproject. If you are a distro maintainer it is recommended to package python-lxns independently and mark it as dependency.
• allow-site-packages-dir was removed. Unfortunately it is impossible to control Python packages install dir with meson. If you still want to install bubblejail in to site-pacakges you can either patch meson.build or use meson rewrite kwargs delete project / default_options "" command in source prepare step.
• bytecode-optimization build option is replaced with meson's native python.bytecompile. Most distros meson wrappers already set this option.
• tomli support has been dropped. tomlib from Python 3.11 standard library is the only supported TOML reading library. (note that tomli-w is still a requirement)

Features

• Source code licensing is now verified with REUSE.
• Log messages now always use stderr.

Fixes

• Fix bubblejail-config GUI utility not using its icon. (reported by @boredsquirrel and @rusty-snake)
• Fix Chromium and Firefox profiles not working on certain distros because of diverging desktop entry names. (reported by @boredsquirrel)
• Fix instance being left in inoperable state if D-Bus proxy failed to initialize.
• Fix namespaces_limits service sometimes failing because of concurrency races
  with sandboxed PID.
• Fixed several typos and added codespell to the CI.

0.9rc1

0.9rc1

Major build changes!

• New dependency! python-lxns is a Python library to control Linux kernel namespaces. For convenience the library is available as a meson subproject and is bundled in source archive. Set use-vendored-python-lxns build option to true to enable meson subproject. If you are a distro maintainer it is recommended to package python-lxns independently and mark it as dependency.
• allow-site-packages-dir was removed. Unfortunately it is impossible to control Python packages install dir with meson. If you still want to install bubblejail in to site-packages you can either patch meson.build or use meson rewrite kwargs delete project / default_options "" command in source prepare step.
• bytecode-optimization build option is replaced with meson's native python.bytecompile. Most distros meson wrappers already set this option.
• tomli support has been dropped. tomlib from Python 3.11standard library is the only supported TOML reading library.

Features

• Source code licensing is now verified with REUSE.
• Log messages now always use stderr.

Fixes

• Fix bubblejail-config GUI utility not using its icon. (reported by @boredsquirrel and @rusty-snake)
• Fix Chromium and Firefox profiles not working on certain distros because of diverging desktop entry names. (reported by @@boredsquirrel)
• Fix instance being left in inoperable state if D-Bus proxy failed to initialize.
• Fix namespaces_limits service sometimes failing because of concurrency races with sandboxed PID.
• Fixed several typos and added codespell to the CI.

0.8.3

Features

• Add debug service which can be used to add arguments to bwrap
  and xdg-dbus-proxy invocations. See bubblejail.services man page
  for its configuration keys and values. (requested by @xiota)
• Document directories used by bubblejail in bubblejail man page.
  (requested by @firefoxlover)

Fixes

• Mount file pointed by symlink if /etc/resolv.conf is a symlink when network
  service is used. This fixes DNS issues when systemd-resolved is used.
  (first reported by @adworacz)
• Fixed joystick description not being complete. (reported by @xiota)
• Fixed PYTHONPYCACHEPREFIX environment variable breaking build system.
  (first reported by mlj on AUR)

0.8.2

Fixes

• Fix slirp4netns service sometimes failing because of wrong user namespace
  being passed. (reported by @xiota)
• Fix bubblejail sometimes continuing to run even if some service failed to
  initialize. (reported by @xiota)
• Fix typo in the generic.toml profile file. (contributed by @I-Al-Istannen )

0.8.1

Features

• Added support for tomllib standard library package for reading TOML files.
  It is available since Python 3.11. tomli package is now only needed if
  running on Python 3.10. (note that TOML writing library tomli-w is still
  required)
• Using run command on an already running instance now prints a message to stderr
  that the instance already running and the commands that will be sent to instance.
• Tightened D-Bus filtering rules for Notifications and Systray services. Turns out
  a lot of D-Bus servers for those services expose too many interfaces than required.
  (thank you @rusty-snake for pointing this out)

Fixes

• Fixed trying to create config directories on access. If a system wide directory was
  missing like /etc/bubblejail/profiles/ bubblejail would fail to run.
  (reported by @rusty-snake)
• Removed isolated python mode for build scripts. This makes it easier to build bubblejail
  when meson or Python is installed in non system directory. (fixed with the help of @eli-schwartz)
• Fixed slirp4netns initialization failure being ignored. Now if slirp4netns fails to
  start bubblejail will also fail. (reported by @xiota)
• Fixed running bubblejail without arguments raising exception instead of help text.
  (fixed by @rusty-snake)
• Fixed namespaces_limits initialization failure being ignored. Now if namespaces_limits
  fails to set namespace limits bubblejail will also fail. (reported by @rusty-snake)

0.8.0

Known Issues

• GUI has been ported to Qt6. After porting some text elements appear to be washed out. See issue #57
• Certain services only available to x86_64 platform. (slirp4netns and namespaces_limits)
• slirp4netns and namespaces_limits can conflict with each other because slirp4netns tries to switch to new mount namespace.

Changelog since 0.7.0

Added namespaces_limits service

Linux namespaces are a powerful instruments that can be used to create
sandboxes but it also exposes internal kernel interfaces to unprivileged users
which can be a source of vulnerabilities. (for example CVE-2022-25636)

New service namespaces_limits will limit amount of namespaces that
could be created inside sandbox.

It has user, mount, pid, ipc, net, time, uts and cgroup
settings which corresponds to each type of namespace. Those settings take
an integer as value with 0 (default) completely disabling creating that
type of namespace, -1 allowing unlimited amount and any positive integer
sets limit to that number. The positive integer is useful in case your application
will only create a limited number of namespaces.

Profiles might receive a well tested namespaces limits in the future version.

Dependenices changes

• GUI has been ported to PyQt6.

Build changes

• Fixed libseccomp and python-xdg being required during build.
• Added meson option to disable man page build and installation.
• Added meson install tags. Current tags are runtime for core files and CLI tool,
  bubblejail-gui for gui configuration tool, fish-completion/bash-completion
  for shell autocompletion and man for man pages.
  (thank you @gordon-quad)

Fixes

• Fixed X11 multi-screen not working. (the single screen spanning multiple displays already works)
  (thank you @gxtu)

0.8.RC2

Changes since 0.8.RC1

Fixes

• Fixed GUI not working because of integer settings that namespaces_limits
  uses.

0.8.RC1

Added namespaces_limits service

Linux namespaces are a powerful instruments that can be used to create
sandboxes but it also exposes internal kernel interfaces to unprivileged users
which can be a source of vulnerabilities. (for example CVE-2022-25636)

New service namespaces_limits will limit amount of namespaces that
could be created inside sandbox.

It has user, mount, pid, ipc, net, time, uts and cgroup
settings which corresponds to each type of namespace. Those settings take
an integer as value with 0 (default) completely disabling creating that
type of namespace, -1 allowing unlimited amount and any positive integer
sets limit to that number. The positive integer is useful in case your application
will only create a limited number of namespaces.

Profiles might receive a well tested namespaces limits in the future version.

Dependenices changes

• GUI has been ported to PyQt6.

Build changes

• Fixed libseccomp and python-xdg being required during build.
• Added meson option to disable man page build and installation.
• Added meson install tags. Current tags are runtime for core files and cli tool,
  bubblejail-gui for gui configuration tool, fish-completion/bash-completion
  for shell autocompletion and man for man pages.
  (thank you @gordon-quad)

Known issues

• slirp4netns and namespaces_limits can conflict with each other because
  slirp4netns tries to switch to new mount namespace.
• Namespaces functions only work on x86_64 platform.