I want to isolate an app and don't want it to create data files and directories in my home directory(Actually it will always create a app_files dir under $HOME and I can not change it). So I choose bwrap with the following demo command:
$ bwrap --dev-bind / / --bind ~/App_Data ~ --chdir ~ ……
After the software runs, I will open some directories in the sandbox, such as ./app_files/demo/. Like this:
$ bwrap --dev-bind / / --bind ~/App_Data ~ --chdir ~ sh -c 'mkdir -p app_files/demo; xdg-open ./app_files/demo'
Then the default file manager will be called (It is dolphin under my KDE). But the directory that appears is /home/username/app_files/demo rather than /home/username/App_Data/app_files/demo in the unsandboxed filesystem(Of course this is right).
So my question is when using xdg-open to open a file directory in the sandbox, is there a way for me to see the filesystem outside the sandbox?
I know I can use symlink to achieve the goal. Like this:
$ DATA_DIR="$HOME/App_Data"
$ FILES_DIR="$DATA_DIR/app_files"
$ HOME_DIR="$DATA_DIR/home"
$ mkdir -p "$FILES_DIR" "$HOME_DIR"
$ ln -snf "$FILES_DIR" "$HOME_DIR/app_files"
$ bwrap --dev-bind / / --bind $HOME_DIR $HOME --bind $FILES_DIR $FILES_DIR sh -c 'mkdir -p app_files/demo; xdg-open app_files/demo'
Then it will open dolphin and I can see the path is ~/App_Data/app_files/demo which is outside the sandbox.
But this solution is very inelegant. The directory below looks messy. I think it would be better to use bwrap itself or use some other services to achieve the goal. But I do not know how.
I don’t want redundant directories or cluttered soft links.
Any help will be appreciated.