Firejail is a Linux application sandbox that isolates untrusted applications from the host system. It is installed as a setuid-root launcher and uses Linux namespaces, seccomp-BPF filters and capability bounding to restrict filesystem access, drop capabilities, and shrink the kernel attack surface exposed to the sandboxed program (a practical caveat: because the launcher is setuid, its own code is part of the trusted computing base). The project is distinguished by its library of predefined security profiles, which apply filesystem restrictions and syscall limits automatically based on the executable being launched. It provides specialized isolation for portable packages such as AppImages and implements X11 display isolation via proxy X servers to prevent keyboard loggi
Youki is a low-level container runtime written in Rust that creates and manages isolated containers according to the Open Container Initiative (OCI) runtime specification. It is the execution engine beneath higher-level tooling: it can run containers directly, including rootless, or be plugged in as the OCI runtime behind a Kubernetes CRI implementation to manage pods and containers within a cluster. The project distinguishes itself by optionally running WebAssembly modules as container workloads, so Wasm programs can be scheduled with standard orchestration tools. It further supports a rootless execution model, allowing isolated environments to start as non-
Bubblewrap is an unprivileged sandbox execution utility for Linux that isolates processes from the host system. It builds its sandboxes from Linux namespaces, separating system resources such as the network, PID, and IPC stacks from the host. The project distinguishes itself by enabling the execution of untrusted software without requiring root privileges on the host machine. It prevents privilege escalation by setting no_new_privs, so setuid binaries and file capabilities no longer confer privilege inside the sandbox, and uses user-namespace UID/GID mapping to isolate process identity from the host operating system. (This repository is the project's earlier home; development continues under containers/bubblewrap.) The tool manages a comprehensive security sur
Bubblewrap is a Linux sandbox runner that creates lightweight, isolated execution environments for running untrusted applications. It combines Linux user, mount, network, PID, and UTS namespaces (IPC and cgroup namespaces are also available) with seccomp-BPF system call filtering to restrict filesystem, network, process, and inter-process communication access. Each sandbox gets its own private tmpfs root populated with selective bind-mounts, a separate network stack containing only a loopback interface, an independent process ID space, and remapped user and group identifiers. The seccomp filter is not built in: the caller compiles the BPF program and hands it to bwrap as a file descriptor, which is how higher-level tools such as Flatpak supply their own policy. It applies secc
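The syscall-filtering layer that the descriptions above attribute to Firejail and Bubblewrap, shown as an added example that is not code from either project nor from ioi/isolate: a minimal seccomp-BPF denylist installed after PR_SET_NO_NEW_PRIVS, loaded in a forked child so the parent can observe what the filter did. It assumes a Linux host on x86_64, aarch64 or i386 (the AUDIT_ARCH_* selection) and a kernel that knows SECCOMP_RET_KILL_PROCESS; the denied-syscall list, the probe functions and their exit codes are constructed for the demo.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>
#include <stddef.h>
#include <stdio.h>
#include <sys/prctl.h>
#include <sys/socket.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <unistd.h>

/* The filter checks the ABI first: syscall numbers differ per architecture,
 * so a filter written for one ABI must refuse to run on any other. */
#if defined(__x86_64__)
#  define SANDBOX_ARCH AUDIT_ARCH_X86_64
#elif defined(__aarch64__)
#  define SANDBOX_ARCH AUDIT_ARCH_AARCH64
#elif defined(__i386__)
#  define SANDBOX_ARCH AUDIT_ARCH_I386
#else
#  error "add the AUDIT_ARCH_* constant for this architecture"
#endif

#ifndef SECCOMP_RET_KILL_PROCESS
#  define SECCOMP_RET_KILL_PROCESS SECCOMP_RET_KILL   /* pre-4.14 headers */
#endif

#define MAX_DENIED 16

/* Build and install a seccomp-BPF denylist: each listed syscall fails with
 * EPERM, everything else is allowed. PR_SET_NO_NEW_PRIVS is required before an
 * unprivileged process may load a filter, and it is the same bit that stops
 * setuid binaries from gaining privileges inside the sandbox. 0 on success. */
static int install_denylist(const int *denied, size_t n)
{
    struct sock_filter prog[4 + 2 * MAX_DENIED + 1];
    size_t i = 0;

    if (n > MAX_DENIED) {
        errno = E2BIG;
        return -1;
    }
    prog[i++] = (struct sock_filter)BPF_STMT(BPF_LD | BPF_W | BPF_ABS,
                                             offsetof(struct seccomp_data, arch));
    prog[i++] = (struct sock_filter)BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, SANDBOX_ARCH, 1, 0);
    prog[i++] = (struct sock_filter)BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL_PROCESS);
    prog[i++] = (struct sock_filter)BPF_STMT(BPF_LD | BPF_W | BPF_ABS,
                                             offsetof(struct seccomp_data, nr));
    for (size_t k = 0; k < n; k++) {
        /* nr == denied[k]: fall through to RET_ERRNO; otherwise skip over it */
        prog[i++] = (struct sock_filter)BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K,
                                                 (unsigned int)denied[k], 0, 1);
        prog[i++] = (struct sock_filter)BPF_STMT(BPF_RET | BPF_K,
                                                 SECCOMP_RET_ERRNO | (EPERM & SECCOMP_RET_DATA));
    }
    prog[i++] = (struct sock_filter)BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW);

    struct sock_fprog fprog = { .len = (unsigned short)i, .filter = prog };
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0)
        return -1;
    return prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &fprog);
}

/* Run probe() in a forked child that has the denylist installed. Returns the
 * child's exit status, 128+signal if the filter killed it, or -1 on error. */
static int run_in_sandbox(const int *denied, size_t n, int (*probe)(void))
{
    int status;
    pid_t pid = fork();

    if (pid < 0)
        return -1;
    if (pid == 0) {
        if (install_denylist(denied, n) != 0)
            _exit(111);                 /* filter could not be loaded */
        _exit(probe() & 0xff);
    }
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    if (WIFSIGNALED(status))
        return 128 + WTERMSIG(status);
    return WEXITSTATUS(status);
}

/* Probe: try to open a socket. 0 = refused with EPERM (filter worked),
 * 2 = succeeded (no filter in place), 3 = failed for an unrelated reason. */
static int probe_socket(void)
{
    int fd = socket(AF_INET, SOCK_STREAM, 0);
    if (fd >= 0) {
        close(fd);
        return 2;
    }
    return errno == EPERM ? 0 : 3;
}

/* Probe: a syscall that is not on the denylist must keep working. */
static int probe_getpid(void)
{
    return getpid() > 0 ? 0 : 3;
}

/* Constructed demo policy: the sandboxed program may not create sockets. */
static const int deny_network[] = { SYS_socket };
static const size_t deny_network_len = sizeof deny_network / sizeof deny_network[0];

int main(void)
{
    printf("socket() under filter:   %d (0 = EPERM as intended)\n",
           run_in_sandbox(deny_network, deny_network_len, probe_socket));
    printf("getpid() under filter:   %d (0 = still allowed)\n",
           run_in_sandbox(deny_network, deny_network_len, probe_getpid));
    printf("socket() with no filter: %d (2 = succeeded)\n",
           run_in_sandbox(NULL, 0, probe_socket));
    return 0;
}
```

Build with `cc -o seccomp_demo seccomp_demo.c` and run as an ordinary user; no root is needed precisely because no_new_privs is set first. Two design points carry over to the real tools: the filter survives execve, so a launcher installs it immediately before executing the untrusted program, and a production policy (what Bubblewrap receives via `--seccomp` and what Firejail's profiles express) is an allowlist rather than this denylist, since a denylist silently admits any syscall added to the kernel after the policy was written.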
Isolate is a low-level sandbox designed to run untrusted programs in a tightly controlled environment. It acts as a process-isolation engine that prevents potentially malicious code from interacting with or damaging the host operating system.
The main features of ioi/isolate are: Untrusted Code Sandboxes, Linux Sandboxes, Virtualized Filesystem Layers, Containerized Security Tooling, Process Isolation, Namespace-Based Isolation, Container Copy-on-Write Layers, Hardware and Resource Restrictions.
Open-source alternatives to ioi/isolate include: netblue30/firejail — Firejail is a Linux application sandbox and kernel security wrapper that isolates untrusted applications from the host… youki-dev/youki — Youki is a low-level container runtime written in Rust that creates and manages isolated containers according to Open… projectatomic/bubblewrap — Bubblewrap is an unprivileged sandbox execution utility for Linux that isolates processes from the host system. It… containers/bubblewrap — Bubblewrap is a Linux sandbox runner that creates lightweight, isolated execution environments for running untrusted… iam-veeramalla/docker-zero-to-hero. containers/crun — crun is a low-level container runtime that implements the Open Container Initiative specification for managing the…