#How to use Bubblejail?

I can't really find any instructions on how to use bubblejail. I have created an instance via the UI but I don't know how to add a program to that instance.

I assumed all programs were already bubblejailed, or am I wrong to assume that..?

I'm pretty sure that's not the case. If so, how would you manage the permissions for each program, if you don't create an instance first

yes, very wrong

bubblejail is preinstalled for convenience, but it doesn't even work ootb

as it requires unprivileged, unconfined user namespaces

which are a security risk

oh 🤔 so regular rpms don't have any more sandboxing than on regular Silverblue?

yup

use flatpaks 🙂

hm I see, well it's still good to have all the other security things

what you're describing is a fundamental flaw in desktop linux security (and desktop OSes in general)

your best bet is to move as much as possible to a model resembling android

"lock down" the system, and use applications that are sandboxed

also I should mention @gentle swan that Trivalent isn't sandboxed per se but is relatively strongly confined by SELinux

so if something isn't a flatpak, using a Trivalent PWA is a good option

oh, good to know, thank you

np https://github.com/secureblue/secureblue/blob/live/files/scripts/selinux/trivalent/trivalent.te

I just hope a Discord PWA would have the same notifications as the desktop app
and that they wouldn't be muted

the policy if you're interested^

it doesn't really, iirc

not even if you manually enable notifications for the Discord website?

oh

then it might

idk

i keep notifs off 😄

otherwise it would be buzzing all day

yeah I'll try it out tomorrow when I finally get the time to install Secureblue for real

I filter them to be just personal messages and stuff cuz of "what if it's something important" which it has been a lot more times than I thought hah

So to answer my original question: Could you send me a guide on how to use bubblejail. Because the program I wanna install doesn't have an official flatpack. So I guess installing the official non-flatpack version would still be better than the unofficial flatpack.

I'm not aware of a bubblejail guide

the unverified flatpak may be preferable

it depends

on?

on what you're trying to protect against and whether you're comfortable subscribing to and reading changes to the unverified flatpak manifest

in general I'd personally prefer the unverified flatpak

it also depends on the app

as for some app there is no "verified" way to use it at all on fedora

like steam

whether you use the rpm, the arch package, or the flatpak, it's all unverified

because valve only publishes a deb

As I'm not really an IT person, I don't think I will get much from reading the flatpak manifest. I would just prefer what is generally the safest option. I'm planning to install this https://apps.ankiweb.net/#downloads And the flatpak here seems to be community built https://flathub.org/apps/net.ankiweb.Anki

I personally don't have the expertise to judge what's the better option, that's why I'm asking

@tender ledge ?

hi 🙂

Wouldn't something like this help you ?

https://discuss.privacyguides.net/t/sandboxing-apps-with-bubblejail-in-arch-distros/23004

like I said above, I'd personally prefer using the flatpak

but it would be best with a degree of checking the flatpak manifest

Alright, thanks for the help

GoofCord is good

It's on flathub

I've been told that even Discord's official flatpak client is less secure than a Discord PWA, so Goofcord is probably the same

Yeah, ideally use the official client for the best functionality, or the PWA for security, everything else sacrifices one of these two or both, also risks your account

PWA doesn't break TOS tho

and with the pending IPO i suspect they might start changing their tune on that

GoofCord has privacy features at least

And use Wayland

so does the PWA

since Trivalent does

I did this with Bitwarden

I'm using the Web vault and the Extension

Because Bitwarden Flatpak client is just X11

Sadly

A password manager without screen protection

"A secure and free password manager for all of your devices"

For me it's just really secure on Android

same goes for most messengers as well

Yeah

But the password manager is even more sensitive

At least the extension has his beauty

Is this setup safe? How much an profile/user on Chromium is isolated?

I called this profile "Vault", but how much is it? Lol

what are trying to prevent by using multiple profiles?

a website exploiting the extension?

Browser fingerprinting

I don't want websites I navigate seeing this extensions

they can't, just disable the extension's access to those sites

Manual proccess?

or block general site access and make it click-to-allow

Whitelist mode is not good for me

The first time I open the website will see the extension

Just like Incognito accessed will be "protected" in this case

websites only see the extension if the extension makes it's presence known, or an exploit in the engine which is a bigger issue

what?

Using multiple profiles seems not useful to you?

Is it possible?

? @brazen horizon is trying to explain it to you .....

it is

not for this specific purpose

Ok, is there any use case?

for multiple profiles?

Yea

Because I do this on Android

For example

So I have this need to isolate things

It's already part of how I organize my digital life