  • smallerfish, 4 hours ago
    Bubblewrap is a low-level Linux sandboxing tool that uses namespaces, seccomp, and capability dropping to isolate untrusted applications. I wrote this TUI because I find bubblewrap's necessarily long command lines hard to grapple with, and yet I've long wanted something to allow me to safely and conveniently get wild with curl|bash installs.

    This is a Python/Textual app, which uses uv to handle its dependencies. You install a single Python script by downloading it (and then optionally running with --install to move it into ~/.local/bin). Instead of memorizing dozens of flags, you configure the sandbox visually and see exactly what bwrap command gets generated, before choosing to run it when you're ready.

    UI support for:

      - Directory bindings with read-only/read-write toggles
      - Overlay filesystems (tmpfs or persistent)
      - Environment variables (and support for loading .env files)
      - Capability dropping
      - Namespace isolation (user, PID, IPC, UTS, cgroup, network)
      - Profile saving/loading
      - ...and more!
    
    Examples:

        bui -- /bin/bash
        bui -- python script.py
        bui --profile my_overlay -- "curl foo.sh | bash"
    
    This is currently beta. It only generates bwrap commands, so it's safe to play with. If there's interest in it, I'll keep working on it. And I welcome PRs, collabs, bug reports, suggestions, and feedback.
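
The idea the post describes, turning sandbox settings into a bwrap command line that can be inspected before it is run, sketched as an added example (not code from the post or from bui). `Profile`, `build_bwrap` and `preview` are hypothetical names and the profile layout is an assumption; the bwrap flags are real bubblewrap options.

```python
import shlex
from dataclasses import dataclass, field

# Namespace name -> bwrap flag (real bubblewrap options).
UNSHARE = {"user": "--unshare-user", "pid": "--unshare-pid", "ipc": "--unshare-ipc",
           "uts": "--unshare-uts", "cgroup": "--unshare-cgroup", "net": "--unshare-net"}


@dataclass
class Profile:  # hypothetical structure, not bui's profile format
    binds: dict = field(default_factory=dict)  # absolute path -> "ro" | "rw"
    tmpfs: list = field(default_factory=list)  # paths given a throwaway tmpfs
    env: dict = field(default_factory=dict)    # the only variables passed in
    unshare: tuple = tuple(UNSHARE)            # isolate every namespace by default
    drop_caps: bool = True


def build_bwrap(profile, command):
    """Return the bwrap argv that runs `command` (a list of argv words)."""
    if not command:
        raise ValueError("no command given")
    argv = ["bwrap", "--die-with-parent", "--new-session", "--clearenv"]
    argv += [UNSHARE[ns] for ns in profile.unshare]  # KeyError on unknown names
    if profile.drop_caps:
        argv += ["--cap-drop", "ALL"]
    mounts = list(profile.binds.items()) + [(p, "tmpfs") for p in profile.tmpfs]
    for path, mode in mounts:
        if not path.startswith("/") or ".." in path.split("/"):
            raise ValueError(f"mount path must be absolute, without '..': {path!r}")
        if mode not in ("ro", "rw", "tmpfs"):
            raise ValueError(f"unknown bind mode {mode!r} for {path}")
    # bwrap applies mounts left to right, so a parent emitted after its child
    # would cover it. Sorting by depth keeps the more specific mount on top.
    for path, mode in sorted(mounts, key=lambda m: (m[0].rstrip("/").count("/"), m[0])):
        if mode == "tmpfs":
            argv += ["--tmpfs", path]
        else:
            argv += ["--ro-bind" if mode == "ro" else "--bind", path, path]
    argv += ["--proc", "/proc", "--dev", "/dev"]
    for name, value in sorted(profile.env.items()):
        argv += ["--setenv", name, value]
    return argv + ["--"] + list(command)


def preview(argv):
    """Shell-quoted single line, for reviewing the command before running it."""
    return shlex.join(argv)
```

Because the builder only returns a list of strings, nothing is executed until the previewed line is handed to a shell or to `subprocess.run(argv)`.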