Looks neat, but just like the firejail guys they really need to work on their tutorial/readme/docs/manpage.<p>Many users including myself who want to play around with it get stuck trying to do basic stuff. My first try was using bwrap (not bubblewrap!) to wrap true provides this not very helpful error.<p><pre><code> $ bwrap true
execvp true: No such file or directory
</code></pre>
Looking in the webpage I see that this is what I want works<p><pre><code> ~$ bwrap --ro-bind / / true
</code></pre>
Is this what I want to do? I am not sure, maybe I want to expose just /bin/true, but I couldn't figure that out. It may be using --symlink, but the docs give no hint as to what symlink actually does. Where does it make a symlink? And when would I use it?<p><pre><code> --symlink SRC DEST
Create a symlink at DEST with target SRC
</code></pre>
Getting the default behavior right is important as is helping the user, especially for a security tool. bwrap is a tool that wraps other tools so you would expect that if I did '$bwrap true' than it would create an empty fs, expose the one binary it is going to try to run and then run it. Otherwise it is tempting to insert the following alias which may or may not be a bad security practice.<p><pre><code> bubblewrap=`bwrap --ro-bind / /`
</code></pre>
firejail gets this somewhat right where you can do 'firejail --quiet -- true' and it just works (although the fact that I have to use --quiet and it still spits out a \n is both sad and embarrassing)<p>Both projects should want to provide tools to help users accomplish the most common cases in a secure manor such as: access to 1 file, 1 directory, network access. As a user my goal isn't to use firejail it is to accomplish something else so the fact that firejail wants to spit out a bunch on stdout is a really weird design choice.<p>As a user I would want to do the following:<p><pre><code> bwrap --rofile foo.txt -- file
bwrap --rodir foo/ -- ls
bwrap --net -- curl</code></pre>