11 repositories
Isolated execution environments created using Linux kernel primitives to restrict resource access and system visibility.
Distinct from Linux provisioning, and from virtual machines or Wasm sandboxes: this category focuses on OS-level process and container sandboxing via Linux namespaces, cgroups and syscall filtering.
Explore 11 GitHub repositories matching operating systems & systems programming · Linux Sandboxes.
OrbStack is a native macOS application that replaces Docker Desktop, providing an all-in-one environment for running Docker containers, full Linux virtual machines, and local Kubernetes clusters. It runs Linux VMs directly on the macOS hypervisor framework for near-native performance, uses VirtioFS for fast bidirectional file sharing between macOS and Linux, and leverages Rosetta for near-native x86 emulation on Apple Silicon. The system assigns predictable local domain names to containers and VMs with automatic HTTPS certificate generation, forwards ports via event-driven updates, and stores
Runs Linux machines without macOS integration to provide a sandboxed environment for untrusted code.
Bubblewrap is an unprivileged sandboxing tool for Linux that isolates processes from the host system. It builds confined environments by using Linux namespaces to separate system resources, including the network, PID and IPC namespaces. The project's distinguishing feature is that it lets untrusted software run without requiring root privileges on the host. It prevents privilege escalation by setting no_new_privs, so setuid binaries cannot gain privileges inside the sandbox, and it uses user ID mapping to decouple the process's permissions from the host operating system. The tool covers a broad security surface that includes filesystem access control to restrict directory visibility and enforce read-only mounts. It also reduces the kernel attack surface through seccomp system call filtering.
Creates isolated execution environments using Linux kernel primitives to restrict resource access and system visibility.
Youki is a low-level container runtime written in Rust that creates and manages isolated containers according to Open Container Initiative specifications. It serves as the execution engine beneath higher-level tooling: it can run as a rootless container runtime, and it plugs into Kubernetes beneath a CRI implementation such as containerd or CRI-O to run the containers of a pod. The project distinguishes itself by providing a Wasm container runtime capable of executing WebAssembly modules as isolated workloads compatible with standard orchestration tools. It further supports a rootless execution model, allowing isolated environments to start as non-
Implements Linux sandbox provisioning using kernel namespaces and cgroups to create isolated execution environments.
Sandstorm is an open-source platform that packages and runs web applications in security-hardened sandboxes on a personal server, functioning as a self-hosted web app operating system. It provides a curated app store where users discover and install sandboxed web applications with one-click ease, while each application runs in an isolated container that uses Linux kernel security features to separate it from the host and other apps. The platform includes a centralized authentication layer so users sign in once and gain access to all installed applications without managing separate accounts per
Runs Linux web applications inside per-app security sandboxes, with optional app-level modifications.
Firejail is a Linux application sandbox and kernel security wrapper that isolates untrusted applications from the host system. It uses kernel namespaces and seccomp filters to restrict filesystem access, drop kernel capabilities, and limit the system attack surface. The project is distinguished by its use of predefined security profiles to automatically apply filesystem restrictions and syscall limits based on the executable being launched. It provides specialized isolation for portable packages such as AppImages and implements X11 display isolation via proxy servers to prevent keyboard loggi
Provides a security tool that uses Linux kernel namespaces and seccomp filters to isolate untrusted applications.
x11docker is an OCI container GUI orchestrator and hardware bridge designed to execute graphical applications and full desktop environments inside containers. It functions as a Linux GUI sandbox, linking containerized processes to host X11 or Wayland display servers and audio systems. The project differentiates itself by providing deep system integration for hardware acceleration, including NVIDIA driver automation and GPU passthrough. It supports cross-architecture GUI emulation and provides remote access capabilities through VNC, SSH forwarding, and browser-based HTML5 rendering. The tool
Functions as a security-focused sandbox for running untrusted graphical software in isolated containers.
Bubblewrap is a Linux sandbox runner that creates lightweight, isolated execution environments for running untrusted applications. It combines Linux user, mount, network, PID, and UTS namespaces with seccomp-BPF system call filtering to restrict filesystem, network, process, and inter-process communication access. The project provides comprehensive process isolation by giving each sandbox its own private tmpfs root with selective bind-mounts, a separate network stack containing only a loopback interface, an independent process ID space, and remapped user and group identifiers. It applies secc
Runs applications in a restricted environment using Linux user namespaces and mount namespaces.
Flatpak is a sandboxed application framework and standardized packaging format for Linux desktop applications. It functions as a distribution system that allows a single application bundle to run consistently across multiple Linux operating systems without requiring per-distribution builds. The project provides a runtime dependency manager that bundles specific library versions or shared runtimes to create predictable execution environments. It includes a sandbox permission manager to control application access to system hardware and resources, ensuring security and consistent behavior betwee
Implements a comprehensive framework for packaging and running desktop applications in isolated Linux sandboxes.
Toolbox is a development workspace orchestrator and container environment manager that bootstraps mutable toolsets and SDKs inside containers. It functions as a Linux distribution sandbox and a host-integrated container runtime, allowing users to run native package managers and software without modifying the host operating system. The project differentiates itself by bridging isolated containers with the host system through the mapping of user identities, network sockets, and home directories. It utilizes a daemonless engine to provide these environments while ensuring that system configurati
Provides a containerized sandbox to run native package managers and software without modifying the host system.
Isolate is a low-level sandbox designed to run untrusted programs inside a tightly controlled environment. It works as a process-isolation engine that prevents potentially malicious code from interacting with or damaging the host operating system. The tool leverages Linux kernel primitives, including namespaces and control groups (cgroups), to partition system resources and enforce hardware usage limits. By applying filesystem virtualization and system call filtering, it restricts the process's view of and interaction with the host, ensuring that untrusted applications run only within defined security parameters. Beyond basic containment, the program provides resource-limiting mechanisms and capability-based security to manage CPU, memory and I/O consumption. It also supports safe software testing by creating temporary, isolated environments that protect sensitive system files and devices from unauthorized access.
Uses kernel-level primitives like namespaces and cgroups to enforce strict boundaries on system resource usage.
Dify-sandbox is a secure runtime environment designed for the execution of untrusted code snippets. It functions as a containerized sandbox that isolates processes from the host operating system, ensuring that arbitrary scripts can be run without granting them unauthorized access to sensitive data or critical system resources. The project distinguishes itself through a multi-layered security approach that combines kernel-level isolation with strict resource management. By utilizing Linux namespaces and container-based process isolation, it partitions system resources to maintain visibility bo
Uses Linux kernel namespaces to partition system resources and restrict process visibility.