Warning
This is not meant for novice users. This is for those who (1) really like sandboxed apps, (2) like to tweak the permissions of their apps, and (3) are comfortable using the command line.
And of course, don’t trust strange scripts on the internet without at first reading them and understanding them.
About
This script uses flatpak as the sandbox, which is convenient as it allows you to use existing tools like Flatseal to configure the sandbox.
I built this because I like my apps sandboxed. I will mostly use it for playing games. This will let me tailor the permissions the games need perfectly, ie no network for single player games and network for multiplayer games.
And to answer the question of “Why not Steam/Heroic/Bottles/Lutris”. There’s a few reasons. This script keeps games sandboxed from each other, is lighterweight, and was made for my own enjoyment.
I’ve also been working on a bubblewrap version that reuses host binaries and libraries which I may share later. It’s lighter weight and in theory more secure (less shared with host, better for browsers thanks to having access to unprivileged namespaces).
But anyways…
How to use
There are two files. The script, called “sandbox”, and the template flatpak manifest, called “sandbox.yml”.
To run the script, manually install “sandbox.yml” to ~/.local/share/sandbox/sandbox.yml. Or, you can edit the script and update the variable TEMPLATE_PATH to where ever you want.
Then, to create a new sandbox, you just need to run ./sandbox app-name.
The script roughly does the follow
- Makes sure you entered a valid app name
- Makes sure you have flatpak-builder installed (will install it if not, also note the script uses a user remote)
- Builds an empty flatpak that depends on Freedesktop 25.08 runtime
- Installs the flatpak
The first time the app is run (flatpak run my.custom.app-name), a script will be created inside the sandboxed home called “start”. On subsequent launches, this is executable that will be run.
Say if I wanted to play a Windows game, I would set the start script to umu ./path/to/game.exe.
But it can do anything. I also tested with the firefox .tar.xz and it worked without issue.
The script
sandbox.yml
app-id: domain.publisher.Name
runtime: org.freedesktop.Platform
runtime-version: '25.08'
sdk: org.freedesktop.Sdk
command: launcher
finish-args:
- --persist=.
modules:
- name: launcher-setup
buildsystem: simple
build-commands:
- mkdir -p /app/bin
# verify if 'start' exists. If not, create a default Hello World script.
- |
sh -c 'cat > /app/bin/launcher <<EOF
#!/bin/sh
TARGET="\$HOME/start"
if [ ! -f "\$TARGET" ]; then
echo "Creating default start script at \$TARGET..."
echo "#!/bin/sh" > "\$TARGET"
echo "echo Hello World from the sandbox!" >> "\$TARGET"
chmod +x "\$TARGET"
fi
exec "\$TARGET" "\$@"
EOF'
- chmod +x /app/bin/launcher
sandbox:
#!/bin/bash
# bash safety options
# -e exits on failure
# -u exits on unknown variables
# -o pipefail exits on failed pipe
set -euo pipefail
################################################################################
### Usage Clause ###
####################
# make sure argument is provided for APP_NAME
if (( $# != 1)); then
echo "Error: too few or too many arguments"
echo "Usage: $0 app-name"
exit 1
fi
################################################################################
### Configuration ###
#####################
# app details
DOMAIN="my"
PUBLISHER="custom"
APP_NAME="$1"
# flatpak manifest template location
TEMPLATE_PATH="$HOME/.local/share/sandbox/sandbox.yml"
################################################################################
### Functions ###
#################
# make sure flatpak version of flatpak-builder is installed
# installs it if necessary
check_dependencies() {
if ! flatpak list --app | grep -q org.flatpak.Builder; then
echo "flatpak-builder is not installed, installing now..."
flatpak --user remote-add --if-not-exists flathub https://dl.flathub.org/repo/flathub.flatpakrepo
flatpak --user install --noninteractive flathub org.flatpak.Builder
fi
}
# make sure a string only contains letters, numbers, and dashes
validate_string() {
local input="$1"
local var_name="$2"
if [[ ! "$input" =~ ^[a-zA-Z0-9-]+$ ]]; then
echo "Error: $var_name ('$input') contains invalid characters."
echo "Allowed: letters, numbers, and dashes only."
exit 1
fi
}
cleanup() {
# check if WORK_DIR exists to avoid errors if mktemp failed
if [[ -d "$WORK_DIR" ]]; then
echo "Cleaning up temporary directory..."
rm -rf "$WORK_DIR"
fi
}
################################################################################
### Execution ###
#################
# ensure flatpak-builder is installed as a flatpak
check_dependencies
# validate DOMAIN, PUBLISHER, and APP_NAME
validate_string "$DOMAIN" "DOMAIN"
validate_string "$PUBLISHER" "PUBLISHER"
validate_string "$APP_NAME" "APP_NAME"
# finalize app ID
APP_ID="$DOMAIN.$PUBLISHER.$APP_NAME"
# create temporary directory in current directory
WORK_DIR="$(mktemp -d -p "$PWD")"
# check if WORK_DIR was created
if [[ ! "$WORK_DIR" || ! -d "$WORK_DIR" ]]; then
echo "Error: could not create temp dir"
exit 1
fi
# run cleanup function on successful exit or on failure
trap cleanup EXIT
# copy flatpak manifest to WORK_DIR
cp "$(realpath "$TEMPLATE_PATH")" "$WORK_DIR/$APP_ID.yml"
# edit the app ID of the flatpak manifest
sed -i "s/domain.publisher.Name/$APP_ID/g" "$WORK_DIR/$APP_ID.yml"
# build the flatpak
flatpak run --filesystem="$WORK_DIR" org.flatpak.Builder \
--user \
--force-clean \
--repo="$WORK_DIR/$PUBLISHER" \
"$WORK_DIR/build_dir" \
"$WORK_DIR/$APP_ID.yml"
# install the flatpak
flatpak --user install --noninteractive --reinstall "$WORK_DIR/$PUBLISHER" "$APP_ID"
Thanks! I’ve saved this so I can check it out later. I’m interested in learning about how to use and package flatpaks