Portable started as a safe, efficient WeChat sandbox on 10 November 2024. We have released over 132 tags since then, and Portable's first birthday is creeping close. I felt the urge to write a brief summary of what's included in the upcoming X release and the road map for this project.

What’s inside X

  • Much faster performance

We now make heavier use of bash's background jobs. Most setup work, such as detecting your graphics configuration, starting the D-Bus proxy and preparing the protected environment, has been offloaded from the main process. Together with the new readiness notifier system, this gives a 30%+ increase in raw startup performance. On a system with many cores, for example a Core i9 14900HX, the gain is larger; on my machine I observed startup up to 30% faster. Some of the efforts (not all) are listed below:

- Dropped the DOCUMENTS directory query
- Rewrote the command line parser
- Delegated folder setup to a background process
- Optimised the readiness notifier
- The helper now delegates readiness notification to a background process
- Optimised random number generation to use bash's built-in `$RANDOM` variable, which yields a value from 0 to 32767. Note that `$RANDOM` is a 15-bit value from bash's own generator, not a cryptographic source: it is only suitable where the value need not be unpredictable, never for anything an attacker must not be able to guess.
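As an added illustration of the startup pattern described above (example code, not Portable's own): three placeholder setup steps run as background jobs, each signals readiness by creating a marker file, and the main process blocks only until every marker exists, with a timeout. The step names (gpu, dbus, dirs) and their one-second sleeps are hypothetical stand-ins for the real work.

```shell
#!/bin/sh
# Added example (not Portable's own code): independent setup steps run as
# background jobs, each notifies readiness by creating a marker file, and the
# main process waits only until every marker exists. Step names and sleep
# durations are hypothetical stand-ins for the real setup work.

# One setup step: do the work, then notify readiness by creating $2/$1.
setup_step() {
    name=$1; ready_dir=$2; secs=$3
    sleep "$secs"                       # stand-in for the real setup work
    : > "$ready_dir/$name"              # readiness notification
}

# Block until every step named after the first two arguments has left a marker
# in $1, polling every 0.2 s; give up and return 1 after $2 seconds.
wait_ready() {
    ready_dir=$1; timeout=$2; shift 2
    deadline=$(( $(date +%s) + timeout ))
    while :; do
        missing=0
        for step in "$@"; do
            [ -e "$ready_dir/$step" ] || missing=1
        done
        [ "$missing" -eq 0 ] && return 0
        [ "$(date +%s)" -lt "$deadline" ] || return 1
        sleep 0.2
    done
}

# Start the steps concurrently, wait for readiness, reap the jobs and clean up.
# Prints the elapsed wall-clock seconds; returns 1 if readiness timed out.
run_parallel_setup() {
    ready_dir=$(mktemp -d) || return 1
    start=$(date +%s)
    setup_step gpu  "$ready_dir" 1 &
    setup_step dbus "$ready_dir" 1 &
    setup_step dirs "$ready_dir" 1 &
    rc=0
    wait_ready "$ready_dir" 5 gpu dbus dirs || rc=1
    wait                                # reap all background jobs
    rm -rf "$ready_dir"
    echo $(( $(date +%s) - start ))
    return "$rc"
}
```

Run sequentially, the three steps would take about three seconds; in parallel the main process is released after roughly one. Portable's actual notifier is not shown on this page; marker files are one simple mechanism, and a FIFO that each step writes its name into works equally well.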

  • Rewritten cmdline parser

The old command line parser was great, but it was not perfect. We have rewritten it to be faster, safer and more reliable.

  • Pools and Portable no longer execute inside a sandbox

This feature was added to prevent scripts from creating another sandbox, which would obviously fail inside a Portable sandbox: since the service manager isn't reachable, the D-Bus proxy always fails and blocks the entire process.

  • Read-only, private cgroup FS mounted in sandbox

To prepare for the possible upcoming standard of identifying sandboxed processes via attributes on cgroups, we now instruct systemd to mount a private copy of the cgroup filesystem and explicitly tell bubblewrap to mount /sys/fs/cgroup read-only. This stops sandboxed applications from tampering with the host's cgroup hierarchy and limits escape routes to some extent.
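A check a practitioner would want after this change, as an added example that is not Portable's own code: run from inside the sandbox, it parses /proc/self/mountinfo and reports whether /sys/fs/cgroup is mounted read-only. A read-only bind mount (what bubblewrap's `--ro-bind` produces) shows up as `ro` in the per-mount options field, even when the superblock options at the end of the line still say `rw`, so the check must look at that field rather than the last one. The sample mountinfo lines are constructed for the example, not captured from a real host.

```shell
#!/bin/sh
# Added example (not Portable's own code): check, from inside a sandbox, whether
# /sys/fs/cgroup is mounted read-only by parsing /proc/self/mountinfo. Field 5
# is the mount point and field 6 the per-mount options; a read-only bind mount
# appears as "ro" there even if the superblock options (last field) say "rw".

# Prints "ro", "rw" or "absent" for the /sys/fs/cgroup mount point.
# $1 optionally overrides the mountinfo file so the check can run on a sample.
cgroup_mount_state() {
    info=${1:-/proc/self/mountinfo}
    awk '$5 == "/sys/fs/cgroup" {
            seen = 1; state = "rw"
            n = split($6, opt, ",")             # e.g. "ro,nosuid,nodev,noexec,relatime"
            for (i = 1; i <= n; i++) if (opt[i] == "ro") state = "ro"
            print state; exit
        }
        END { if (!seen) print "absent" }' "$info"
}

# Writes a constructed mountinfo sample (not captured from a real host) to $1,
# with the cgroup2 line marked $2 ("ro" or "rw") in the per-mount options while
# the superblock options stay "rw", as they do for a read-only bind mount.
write_sample_mountinfo() {
    cat > "$1" <<EOF
22 1 0:21 / / rw,relatime - ext4 /dev/sda1 rw
23 22 0:22 / /proc rw,nosuid,nodev,noexec,relatime - proc proc rw
24 22 0:23 / /sys/fs/cgroup $2,nosuid,nodev,noexec,relatime - cgroup2 cgroup2 rw
EOF
}

# Stand-alone use inside the sandbox: warn unless the live mount is read-only.
# [ "$(cgroup_mount_state)" = ro ] || echo "warning: /sys/fs/cgroup is not read-only" >&2
```

The `absent` result is worth treating as a failure too: an application that cannot see the cgroup filesystem at all will not be identifiable through it once the cgroup-attribute scheme the paragraph mentions exists.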

  • GStreamer VA now works in Portable.

This is primarily done for sandboxing Epiphany (GNOME Web). GStreamer VA requires the respective render node under /sys/class/drm in addition to /dev/dri, so we have rewritten part of the code to always expose it. Note that GStreamer VAAPI still does not work, and we have no plan to fix it since it has been replaced by VA.
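As an added example (not Portable's code), the following shell function derives, for each /dev/dri/renderD* node, the bubblewrap arguments that expose the device node, the real sysfs directory that the /sys/class/drm entry points to, and the symlink itself. It takes an optional root prefix so it can be exercised against a constructed directory tree; on a real host it is called with no argument. The bwrap options used (`--dev-bind`, `--ro-bind`, `--symlink`) exist, but exactly which entries Portable binds is not described on this page.

```shell
#!/bin/sh
# Added example (not Portable's own code): for each render node under /dev/dri,
# emit the bubblewrap arguments that expose both the device node and its sysfs
# entry under /sys/class/drm. Each entry there is a symlink into /sys/devices,
# so the real directory is bound read-only and the symlink is recreated.
# $1 is an optional root prefix so the function can run against a constructed
# tree; on a real host call it with no argument. Prints one argument per line.
drm_render_bind_args() {
    root=${1:-}
    [ -z "$root" ] || root=$(readlink -f "$root")   # canonical, so prefixes strip cleanly
    for dev in "$root"/dev/dri/renderD*; do
        [ -e "$dev" ] || continue                   # glob matched nothing
        node=${dev##*/}                             # e.g. renderD128
        link="$root/sys/class/drm/$node"
        if [ ! -L "$link" ]; then
            echo "no sysfs entry for $node" >&2     # do not silently skip it
            return 1
        fi
        target=$(readlink -f "$link")               # real directory under /sys/devices
        # Device node needs --dev-bind so it stays usable as a device inside.
        printf '%s\n' --dev-bind "${dev#"$root"}" "${dev#"$root"}"
        # The sysfs directory is read-only; the class entry is recreated as the
        # same relative symlink the host has, which then resolves to that bind.
        printf '%s\n' --ro-bind  "${target#"$root"}" "${target#"$root"}"
        printf '%s\n' --symlink  "$(readlink "$link")" "/sys/class/drm/$node"
    done
}
```

In bash the output can be collected with `mapfile -t args < <(drm_render_bind_args)` and spliced into the `bwrap` command line as `"${args[@]}"`; in plain sh, `set --` with the lines works the same way.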

  • Homed users no longer see a crash on some apps

systemd-homed provides a socket, io.systemd.Home, at /run/systemd/userdb/io.systemd.Home. Some applications (WeChat among them) query user information through it, and on a homed system the absence of that socket inside the sandbox crashes them on startup. We now expose it read-only to prevent this.

  • Exposed the global font cache

Generally, I see no reason not to.

That is a glimpse of what Portable X brings: the ninth release, celebrating the birthday of the Portable project.

What’s next?

Some ideas for future implementation:

  1. Better multi-GPU support

We are planning to cooperate with the potentially new, upcoming gpu-daemon (presentation file here) to enhance our GPU selection and binding logic, making it more configurable, robust and easy for users, with better desktop integration.

  2. For document editors: detect when file paths are passed on the command line and automatically pass them into the sandbox.
  3. Further performance optimisations.
  4. A Zypak-like wrapper for Chromium applications, or allow nested namespaces.
  5. Implement process identification through cgroups, when the spec is ready. (Source here)