Firejail is a Linux application sandbox and kernel security wrapper that isolates untrusted applications from the host system. It uses kernel namespaces and seccomp filters to restrict filesystem access, drop kernel capabilities, and limit the system attack surface. The project is distinguished by its use of predefined security profiles to automatically apply filesystem restrictions and syscall limits based on the executable being launched. It provides specialized isolation for portable packages such as AppImages and implements X11 display isolation via proxy servers to prevent keyboard loggi
Bubblewrap is a Linux sandbox runner that creates lightweight, isolated execution environments for running untrusted applications. It combines Linux user, mount, network, PID, and UTS namespaces with seccomp-BPF system call filtering to restrict filesystem, network, process, and inter-process communication access. The project provides comprehensive process isolation by giving each sandbox its own private tmpfs root with selective bind-mounts, a separate network stack containing only a loopback interface, an independent process ID space, and remapped user and group identifiers. It applies secc
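The seccomp-BPF half of that description is the part practitioners most often get wrong, because bwrap does not write the filter for you: `--seccomp FD` only loads a compiled classic-BPF program from an inherited file descriptor. The following is an added example, not bubblewrap's own code, that builds such a program as a small denylist and checks it offline with a throwaway interpreter. It assumes an x86_64 target (the syscall numbers and `AUDIT_ARCH_X86_64` value are for that ABI), a hypothetical output file name `deny.bpf`, and a denylist chosen for illustration; a production policy would normally be an allowlist.

```python
"""Generate a seccomp-BPF filter that bwrap can load with `--seccomp FD`.

Added example for this page; it is not bubblewrap's own code. The syscall
numbers below are the x86_64 ones (assumed target architecture).
"""
import struct

# Classic BPF opcodes, from linux/bpf_common.h
BPF_LD_W_ABS = 0x20  # BPF_LD | BPF_W | BPF_ABS : acc = 32-bit word at seccomp_data[k]
BPF_JEQ_K = 0x15     # BPF_JMP | BPF_JEQ | BPF_K : if acc == k goto +jt else goto +jf
BPF_JGE_K = 0x35     # BPF_JMP | BPF_JGE | BPF_K : if acc >= k goto +jt else goto +jf
BPF_RET_K = 0x06     # BPF_RET | BPF_K           : return k

# seccomp return actions and struct seccomp_data offsets, from linux/seccomp.h
SECCOMP_RET_KILL_PROCESS = 0x80000000
SECCOMP_RET_ERRNO = 0x00050000   # low 16 bits carry the errno handed to the caller
SECCOMP_RET_ALLOW = 0x7FFF0000
OFF_NR, OFF_ARCH = 0, 4          # seccomp_data.nr and seccomp_data.arch

AUDIT_ARCH_X86_64 = 0xC000003E
X32_SYSCALL_BIT = 0x40000000     # x32 ABI calls report AUDIT_ARCH_X86_64 with this bit set
EPERM = 1

# Illustrative denylist (x86_64 numbers): calls a sandboxed desktop app should never make.
X86_64_DENY = {
    "ptrace": 101, "mount": 165, "kexec_load": 246, "add_key": 248,
    "request_key": 249, "keyctl": 250, "unshare": 272, "setns": 308,
}


def stmt(code, k):
    return (code, 0, 0, k)


def jump(code, k, jt, jf):
    return (code, jt, jf, k)


def build_denylist(deny_nrs, arch=AUDIT_ARCH_X86_64, errno=EPERM):
    """Return a cBPF program: kill on a foreign arch or an x32 number,
    fail listed syscalls with -errno, allow everything else."""
    nrs = sorted(set(deny_nrs))
    if len(nrs) > 254:
        raise ValueError("jump offsets are 8-bit; split the list or use a tree")
    prog = [
        stmt(BPF_LD_W_ABS, OFF_ARCH),
        jump(BPF_JEQ_K, arch, 1, 0),             # wrong arch -> fall into KILL
        stmt(BPF_RET_K, SECCOMP_RET_KILL_PROCESS),
        stmt(BPF_LD_W_ABS, OFF_NR),
        jump(BPF_JGE_K, X32_SYSCALL_BIT, 0, 1),  # x32 number -> KILL, else skip it
        stmt(BPF_RET_K, SECCOMP_RET_KILL_PROCESS),
    ]
    n = len(nrs)
    for i, nr in enumerate(nrs):
        # On match, jump over the remaining compares and the ALLOW to the ERRNO return.
        prog.append(jump(BPF_JEQ_K, nr, (n - i - 1) + 1, 0))
    prog.append(stmt(BPF_RET_K, SECCOMP_RET_ALLOW))
    prog.append(stmt(BPF_RET_K, SECCOMP_RET_ERRNO | (errno & 0xFFFF)))
    return prog


def encode(prog):
    """Pack as an array of struct sock_filter {u16 code; u8 jt; u8 jf; u32 k} in host order."""
    return b"".join(struct.pack("=HBBI", c, jt, jf, k) for c, jt, jf, k in prog)


def run_filter(prog, arch, nr):
    """Interpreter for the cBPF subset emitted above; lets the policy be checked offline."""
    data = {OFF_NR: nr, OFF_ARCH: arch}
    pc, acc = 0, 0
    while True:
        code, jt, jf, k = prog[pc]
        if code == BPF_LD_W_ABS:
            acc, pc = data[k], pc + 1
        elif code == BPF_JEQ_K:
            pc += 1 + (jt if acc == k else jf)
        elif code == BPF_JGE_K:
            pc += 1 + (jt if acc >= k else jf)
        elif code == BPF_RET_K:
            return k
        else:
            raise ValueError("unsupported opcode 0x%02x" % code)


if __name__ == "__main__":
    prog = build_denylist(X86_64_DENY.values())
    with open("deny.bpf", "wb") as f:   # hypothetical output path
        f.write(encode(prog))
    # Hand the compiled program to bwrap on an inherited descriptor, e.g.:
    #   bwrap --unshare-all --ro-bind / / --dev /dev --proc /proc \
    #         --seccomp 3 3<deny.bpf -- /bin/sh
    # Inside that shell a mount(2) call is refused by the filter with EPERM.
```

Two details matter beyond the denylist itself: the architecture check at the top, because a filter keyed on syscall numbers means nothing if the process can switch ABI, and the rejection of numbers with `X32_SYSCALL_BIT` set, since x32 calls arrive under `AUDIT_ARCH_X86_64` with different numbering and would otherwise slip past every `JEQ`. Returning `SECCOMP_RET_ERRNO` for the listed calls keeps the application running with a clean failure, while a foreign ABI is treated as an escape attempt and killed.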
Isolate is a low-level sandbox designed to execute untrusted programs within a strictly controlled environment. It functions as a process isolation engine that prevents potentially harmful code from interacting with or damaging the host operating system. The tool leverages Linux kernel primitives, including namespaces and control groups, to partition system resources and enforce hardware usage boundaries. By applying filesystem virtualization and system call filtering, it restricts the visibility and interaction of a process with the host, ensuring that untrusted applications operate only wit
Youki is a low-level container runtime written in Rust that creates and manages isolated containers according to Open Container Initiative specifications. It serves as an execution engine that can function as a rootless container manager or a pluggable Kubernetes CRI runtime to manage pods and containers within a cluster. The project distinguishes itself by providing a Wasm container runtime capable of executing WebAssembly modules as isolated workloads compatible with standard orchestration tools. It further supports a rootless execution model, allowing isolated environments to start as non-
Bubblewrap is an unprivileged sandboxing utility for Linux that isolates processes from the host system. It builds confined environments from Linux namespaces, which separate system resources such as the network, PID and IPC stacks from those of the host.
The main features of projectatomic/bubblewrap are: Linux Sandboxes, Mount-Namespace Virtualization, Container User Identity Mapping, Unprivileged Container Execution, Process Isolation, Namespace-Based Isolation, Process User Isolation, Isolated Execution Sandboxes.
Open-source alternatives to projectatomic/bubblewrap include: netblue30/firejail — Firejail is a Linux application sandbox and kernel security wrapper that isolates untrusted applications from the host… containers/bubblewrap — Bubblewrap is a Linux sandbox runner that creates lightweight, isolated execution environments for running untrusted… ioi/isolate — Isolate is a low-level sandbox designed to execute untrusted programs within a strictly controlled environment. It… youki-dev/youki — Youki is a low-level container runtime written in Rust that creates and manages isolated containers according to Open… flatpak/flatpak — Flatpak is a sandboxed application framework and standardized packaging format for Linux desktop applications. It… mviereck/x11docker — x11docker is an OCI container GUI orchestrator and hardware bridge designed to execute graphical applications and full…