Its even worse when you force Firefox to use wayland its icon doesn't even show.
Edit: Oh since everyone now is confused; I only have the flatpak version of Firefox installed yet it doesn't use the pinned icon and doesn't even use the firefox icon under wayland at all.
bwrapis so much better without Flatpak.To start you off:
$ bwrap --dev-bind / / --tmpfs ~ bashThis basically gives you a shell in a clean virtual home directory (but no meaningful security improvement yet). You can test new builds of software as if you have only the default settings. If you need to access files, move them to
/tmp/.To see the clean virtual home directory, replace
--tmpfs ~with--bind "$(mktemp -d)" ~. You can browse it wheremktempputs it (usually/tmp/*).To start to lock down security, replace the
--dev-bindwith--ro-bind, and add various--new-session,--uid/--gid, and--unshare-all/--unshare-*flags. You can run untrusted and semi-trusted/less-trusted applications with less security risk this way (as long as you're aware of pitfalls, such as the/tmp/.X11-unix/X0socket and other possible avenues of escape).To block network access, use
--unshare-netor--unshare-all. To virtualize/devand/proc, use--dev /devand--proc /proc.Some programs might need
--dev-bind /dev/dri /dev/drifor graphics driver access, or similar constructs.EDIT: …I actually created a way to create completely portable application executables for Linux by using
bwrap(orproot, as a fallback) to virtualize a Nix root from inside an AppImage, earlier this year.bwrapoffers a lot of granularity in modifying and containing the virtual environment, to the degree that you can basically emulate an entire guest OS/distro on top of the host distro, without even needingrootprivileges— And without even needingbwrapitself to be installed, since it can work using entirely standard Linux kernel features.