Bubblewrap is a new tool from project atomic. Its similar to the old
xdg-app-helper, but even more minimal, and a bit more generic. Its designed
to be easy to git submodule install, but at some point we will probably
support using the system installed version too.
Using bubblewraps lets us share the load of security mainainance and
allows other people to use bubblewrap to do their own unprivileged
sandboxes.
This avoids exporting glnx_*, calc_sizes(), etc. However, we do want to
export xdg_app_error_quark(), so do that.
Signed-off-by: Simon McVittie <smcv@debian.org>
We now check at runtime if we have raised privs, and only if not so do we try
to use unprivileged user namespaces. This means you can build xdg-app however,
and then setuid/setcap the binary however you want afterwards.