Portable is a sandbox framework targeted for Desktop usage and offers ease of use for distro packagers, which should work on any recent FHS compliant system (plus, enables unprivileged user namespaces and uses recent version of systemd). It offers many useful features for users and packagers:
- Background Portal support.
- Wayland Security Context support.
- Access Control: Limits what the application can see, write and modify. Sandboxed applications are self-contained.
- Sharing files with the application, even if it doesn't support portals. portable creates a directory within the sandbox home to contain shared files.
- D-Bus filtering & accessibility support: Cuts off unneeded D-Bus messages thus eliminates the possibility to locate, spawn a process outside of the sandbox, mess with the host system and other possible exploits.
- Process Management: Monitors running processes and quit them with one click.
- Packaging Friendly as portable only requires a config file to function.
- Storage efficient compared to Flatpak: Using host system as the "runtime".
- Hybrid GPU workarounds are automatically applied to prevent waking up discrete GPUs, often caused by Vulkan and Electron applications.
- Input Method automatic detection.
- Minecraft
- AUR
- WeChat (aur/wechat)
- Wemeet (aur/wemeet-bwrap)
- Prism Launcher (aur/prismlauncher-bwrap)
- Obsidian (aur/obsidian-bwrap)
- Z-Library (aur/z-library-bwrap)
- Wiliwili (aur/wiliwili-wayland)
- WPS (aur/wps-office-cn-bwrap)
- Genshin Impact Launcher
- Bottles (aur/bottles-bwrap)
- QQ (aur/linuxqq-portable)
- Discord (aur/discord-bwrap)
- Larksuite (aur/larksuite-portable)
- Firefox (aur/firefox-portable)
- Thunderbird (aur/thunderbird-portable)
- Baidu Netdisk (aur/baidunetdisk-portable)
- DaVinci Resolve (aur/davinci-resolve-portable)
- Zen Browser (aur/zen-browser-portable)
- PCSX2 (aur/pcsx2-portable)
- Running untrusted code is never safe, sandboxing does not change this.
- WebKitGTK on a hybrid graphics laptop may require
gameMode=on, otherwise may display a blank screen. - Steam will not work due to the requirement of Flatpak spawn portal.
- On KDE Plasma window grouping may not work properly unless your desktop file name exactly matches certain arguments.
- Due to some desktop portal implementations being insecure (without requiring user consent), some features will only be available on GNOME
- The Global Shortcuts portal is only available on GNOME
Discuss Development at #portable-dev:matrix.org
Install aur/portable-git, aur/portable or install the following files directly
cd portable
install -Dm755 portable.sh /usr/bin/portable
install -d "/usr/lib/"
cp -r "lib" "/usr/lib/portable"
install -t "/usr/share/portable" -Dm755 "share"/*
install -Dm755 portable-pools /usr/bin/portable-pools-
Download the config file from here and modify it.
-
Install the config file:
# Modify before installing
install -Dm755 config /usr/lib/portable/info/${appID}/config-
The file name of your .desktop file must match the appID, like
top.kimiblock.example.desktop -
Your .desktop file should contain the following entries:
X-Flatpak-Tags=aTag;
X-Flatpak=appID;
X-Flatpak-RenamedFrom=previousName.desktop;
Environment variables are sourced from XDG_DATA_HOME/stateDirectory/portable.env.
You can also specify environment variables in the config file.
Start portable with environment variable _portableConfig, which can be 1) the appID of the sandbox, 2) an absolute path (if exists), 3) a file name interpreted as $(pwd)/${_portableConfig}. It searches for each of them respectively.
- Debugging output can be enabled using a environment variable
PORTABLE_LOGGING=debug
Portable itself allows multiple instances. It automatically creates an identical sandbox and launches the application. Application itself may or may not support waking up itself. It is advised to set SingleMainWindow=true for applications that doesn't have well multi-instance support.
--actions f5aaebc6-0014-4d30-beba-72bce57e0650: Toggle Sandbox, requires user confirmation.
--actions opendir: Open the sandbox's home directory.
--actions share-files: Choose multiple files to share with the sandbox. The file will be temporarily stored in XDG_DATA_HOME/stateDirectory/Shared, which will be purged each launch.
--actions reset-documents: Resets XDG Desktop Portal's documents portal and other permissions, causing an instant redaction the permission to read & write for sandboxed apps. Pleased be advised that this is suggested not to be included in desktop actions made by packagers or be executed when there are applications using the documents portal!
--actions quit: Stop sandbox and D-Bus proxy. If the app fails to stop after 20s, it'll be killed.
--actions debug-shell: Start a debugging bash shell inside the sandbox. This works regardless whether the app is running.
Arguments for the application can be passed by putting your arguments in the end of the list of arguments and separate it with --
To manually execute programs instead of following the launchTarget config, start portable with argument --actions debug-shell. This will open a bash prompt and gives you full control of the sandbox environment.
Pools is a user friendly sandbox generator. To create and enter a user sandbox, simply execute portable-pools with your sandbox name.
Example: Create a test sandbox:
portable-pools test
╰─>Portable Sandbox·top.kimiblock.test·🧐⤔Portable and any of its social environment follows the Kraftland Code of Conduct. Please be sure not to violate such rule set.
Portable follows a major.minor.patch version scheme. We thrives to provide a stable experiences with no breaking changes, however, if said change is necessary, will land in a major release.
The patch release is exclusive for bug fixes. Whereas minor releases contain new features. If a feature or a set of features needs time to test or is important enough, we conduct a major release.
Portable has and always will be only supporting the latest release. Generally users can upgrade without manual intervention, but between major releases it's advised to run systemctl --user stop portable.slice to stop the portable framework.