Feel good security with bubblewrap

It's a dangerous world out there, and today I got blocked by my own cairn running this page because my publishing frontend didn't correctly close its titan sockets, running into a per-IP connection limit I implemented.

In hindsight everything worked as it was supposed to, but my first thought was that I had a server bug or had been careless enough to have the server crash through some script kid or whatnot. All is good, but it got me thinking about the dangers of running around having skiff parse stuff from all over gemini and the web in general.

With this refreshed interest in self protection I quickly learned to use bubblewrap[1] to at least somewhat limit the damage potential. I could have opted for firejail instead, but bwrap was already installed and, unlike firejail, does not require setuid.

A bit of trial and error, but basically just some --ro-bind (quite a few), mounting of proc and dev, then using --tmpfs for $HOME and carefully bind mounting only the stuff I want exposed, finishing off with --unshare-pid and --die-with-parent.

Sure, it's not perfect, but it's better than nothing.
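
The flag sequence described above, written out as a wrapper script. This is an added example, not the author's actual configuration: the exposed directory `~/.config/skiff`, the `/etc` and `/tmp` entries, and the `SANDBOX_EXPOSE` / `SANDBOX_DRYRUN` variables are assumptions made for illustration.

```shell
#!/bin/sh
# Hypothetical wrapper: run a client (e.g. skiff) inside bubblewrap.
# SANDBOX_EXPOSE and SANDBOX_DRYRUN are names made up for this example.

sandboxed() {
    # The one directory under $HOME the program may read and write
    # (assumed path; bwrap refuses to start if it does not exist).
    expose=${SANDBOX_EXPOSE:-$HOME/.config/skiff}

    # With SANDBOX_DRYRUN set, print the command line instead of running it.
    # bwrap applies mounts in order, so the empty tmpfs over $HOME must come
    # before the bind mount that re-exposes a single directory inside it.
    ${SANDBOX_DRYRUN:+echo} bwrap \
        --ro-bind /usr /usr \
        --ro-bind-try /bin /bin \
        --ro-bind-try /sbin /sbin \
        --ro-bind-try /lib /lib \
        --ro-bind-try /lib64 /lib64 \
        --ro-bind-try /etc/resolv.conf /etc/resolv.conf \
        --ro-bind-try /etc/ssl /etc/ssl \
        --proc /proc \
        --dev /dev \
        --tmpfs /tmp \
        --tmpfs "$HOME" \
        --bind "$expose" "$expose" \
        --unshare-pid \
        --die-with-parent \
        "$@"
}

# Run only when called with a command, e.g.: ./sandbox.sh skiff
if [ "$#" -gt 0 ]; then
    sandboxed "$@"
fi
```

The network namespace is left shared because a Gemini client needs outbound connections; everything under `$HOME` other than the one bound directory is invisible to the sandboxed process.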

[1]


Proxied content from gemini://nthcdr.eu/blog/2026-05-15-feel-good-security-with-bubblewrap.gmi (external content)
