Bubble class for executing commands in a bubblewrap (bwrap) sandbox.
This class provides secure command execution using bubblewrap (bwrap) to sandbox commands. It creates a read-only root filesystem with read-write access only to specific project directories identified by the project's build_roots() method.
The sandbox configuration:
- Mounts the entire filesystem read-only (--ro-bind / /).
- Provides read-write access to the project directories via an overlay filesystem.
- Blocks network access by default (--unshare-net), unless allow_network is true.
- Executes the command via /bin/sh -c.
- Provides an isolated, empty temporary directory (/tmp) via tmpfs.
- Keeps /dev read-only like the rest of the tree, with only /dev/null bound writable so output can be redirected to it.
bwrap applies mount options in command-line order and later mounts shadow earlier ones, so the read-only root bind must precede the overlay, tmpfs and /dev/null mounts.
A new Bubble instance is created for each command execution. The instance is used once and then goes out of scope, so no cleanup logic is needed for old instances.
Environment variables are inherited from the caller's environment when using GLib.Subprocess, and bwrap passes them through to the sandboxed command unchanged (it only drops them when --clearenv is given). No explicit --setenv flags are needed, but this also means anything present in the caller's environment, such as tokens or credentials, is visible inside the sandbox.
An overlay filesystem provides write isolation. The live project directory is the read-only lower layer; every write a command makes to a project directory lands in the overlay's upper directory, and the live tree is untouched while the command runs. After the command exits, the contents of the upper directory are copied back to the live system. The sandbox therefore isolates the command only for the duration of its execution; whatever it chose to write still reaches the live tree at copy-back time.
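The following is an added example, not the project's own code, showing how the sandbox configuration listed above can be assembled into a bwrap argv, how the inherited-environment caveat can be closed with --clearenv plus an allowlist, and how writes in the overlay upper directory are replayed onto the live tree afterwards. It assumes bwrap 0.10 or newer (for --overlay-src/--overlay), and the names build_bwrap_argv, copy_back, the overlay_base layout and the env_allowlist parameter are hypothetical choices; --die-with-parent and --new-session are additions beyond what the class description lists. No bwrap process is started by the self-check.

```python
# Added example (not the project's code): bwrap argv construction and overlay
# copy-back matching the sandbox described above. Assumes bwrap >= 0.10.
import os
import shutil
import stat
from pathlib import Path


def build_bwrap_argv(command, build_roots, overlay_base, allow_network=False,
                     env_allowlist=None):
    """Return the argv that runs `command` under /bin/sh -c inside bwrap.

    build_roots: project directories that get read-write overlays.
    overlay_base: hypothetical directory holding per-root upper/work dirs
                  (bwrap needs upper and work on the same filesystem).
    env_allowlist: if given, emit --clearenv and re-export only these names,
                   so secrets in the caller's environment do not reach the sandbox.
    """
    overlay_base = Path(overlay_base)
    # bwrap applies mounts in order and later ones shadow earlier ones,
    # so the read-only bind of the whole root must come first.
    argv = ["bwrap", "--ro-bind", "/", "/"]
    for i, root in enumerate(build_roots):
        root = os.path.abspath(root)
        upper = overlay_base / str(i) / "upper"
        work = overlay_base / str(i) / "work"
        upper.mkdir(parents=True, exist_ok=True)
        work.mkdir(parents=True, exist_ok=True)
        # live directory = read-only lower layer; all writes land in `upper`
        argv += ["--overlay-src", root, "--overlay", str(upper), str(work), root]
    argv += ["--tmpfs", "/tmp",                       # private, empty /tmp
             "--dev-bind", "/dev/null", "/dev/null",  # only writable device node
             "--die-with-parent",                     # addition: kill sandbox with caller
             "--new-session"]                         # addition: detach from controlling tty
    if not allow_network:
        argv.append("--unshare-net")
    if env_allowlist is not None:
        argv.append("--clearenv")
        for name in env_allowlist:
            if name in os.environ:
                argv += ["--setenv", name, os.environ[name]]
    argv += ["--", "/bin/sh", "-c", command]
    return argv


def _is_whiteout(st):
    # overlayfs records a deletion in the upper layer as a 0:0 character device
    return stat.S_ISCHR(st.st_mode) and os.major(st.st_rdev) == 0 and os.minor(st.st_rdev) == 0


def _remove(path):
    if path.is_dir() and not path.is_symlink():
        shutil.rmtree(path)
    elif path.is_symlink() or path.exists():
        path.unlink()


def copy_back(upper, live_root):
    """Replay the overlay upper layer onto the live tree; returns (copied, deleted).

    Opaque-directory markers (trusted.overlay.opaque xattr) are not handled here.
    """
    upper, live_root = Path(upper), Path(live_root)
    copied, deleted = [], []
    for dirpath, _dirnames, filenames in os.walk(upper):
        rel = Path(dirpath).relative_to(upper)
        (live_root / rel).mkdir(parents=True, exist_ok=True)
        for name in filenames:
            src = Path(dirpath) / name
            dst = live_root / rel / name
            if _is_whiteout(os.lstat(src)):
                _remove(dst)                     # file was deleted inside the sandbox
                deleted.append(str(dst))
            else:
                if src.is_symlink() or dst.is_symlink() or dst.is_dir():
                    _remove(dst)
                shutil.copy2(src, dst, follow_symlinks=False)
                copied.append(str(dst))
    return copied, deleted


def demo():
    """Self-check on a constructed workspace; nothing is executed under bwrap."""
    import tempfile
    base = Path(tempfile.mkdtemp(prefix="bubble-demo-"))
    root = base / "proj"
    root.mkdir()
    argv = build_bwrap_argv("make all", [str(root)], base / "ov")
    upper = base / "ov" / "0" / "upper"
    (upper / "sub").mkdir()
    (upper / "sub" / "out.txt").write_text("built")   # constructed sandbox write
    copied, deleted = copy_back(upper, root)
    os.environ["BUBBLE_DEMO_TOKEN"] = "t0k3n"          # constructed secret
    return {
        "argv": argv,
        "net_argv": build_bwrap_argv("true", [], base / "ov", allow_network=True),
        "env_argv": build_bwrap_argv("true", [], base / "ov",
                                     env_allowlist=["BUBBLE_DEMO_TOKEN", "BUBBLE_DEMO_UNSET"]),
        "copied": copied,
        "deleted": deleted,
        "live_content": (root / "sub" / "out.txt").read_text(),
    }


if __name__ == "__main__":
    print(" ".join(demo()["argv"]))
```

The argv order is the security-relevant detail: if the overlay or the /dev/null bind were emitted before --ro-bind / /, the later read-only bind would shadow them and the project would be read-only (or /dev/null unwritable). copy_back replays whiteouts as deletions on the live tree, which is exactly what the sandbox does not prevent; review the upper directory before copying back if that matters for your use case.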