6 dépôts
Controlled runtime environments that manage dependencies and system resources for consistent software behavior.
Distinguishing note: Focuses on runtime resource management rather than build-time isolation.
Explore 6 awesome GitHub repositories matching operating systems & systems programming · Sandboxing & Isolation. Refine with filters or upvote what's useful.
Termux is a mobile terminal emulator and Linux environment runtime that provides a full command-line interface directly on Android devices. It functions as a comprehensive platform for executing native binaries and scripts, featuring an integrated package management system that allows users to download, install, and manage open-source software repositories to extend device functionality. The project distinguishes itself by acting as an embedded execution library, enabling third-party applications to integrate terminal and package management capabilities into their own interfaces without requi
Runs downloaded software by wrapping files as native libraries to bypass security restrictions.
Airflow is a platform for programmatically authoring, scheduling, and monitoring complex data pipelines. It functions as a workflow automation engine that manages the lifecycle of recurring business processes by executing code-defined task dependencies. By representing workflows as directed acyclic graphs, the system ensures that task execution order and data flow are explicitly defined and reliably maintained across distributed computing environments. The platform distinguishes itself through a highly modular, provider-based architecture that decouples core orchestration logic from external
Executes individual tasks in isolated subprocesses to prevent resource contention.
Docker Compose is a tool for defining and running multi-container applications through declarative configuration files. It functions as an application lifecycle manager, coordinating the startup, shutdown, and scaling of interconnected services within isolated environments. By using a standardized configuration format, it enables infrastructure as code, allowing developers to manage complex application stacks and their dependencies in a single, repeatable file. The project distinguishes itself by integrating directly with the broader Docker platform, leveraging a client-server architecture wh
Leverages kernel namespaces for isolated workspace management.
Firecracker is a virtual machine monitor that leverages hardware-assisted virtualization to create and manage isolated execution environments. It functions as a lightweight runtime designed to launch virtual machines with minimal memory overhead and near-instantaneous startup times, providing the security of traditional hardware virtualization with the efficiency of containerized workloads. The project distinguishes itself through a security-focused architecture that enforces strict process boundaries using system-level barriers and restricted user privileges. It minimizes the attack surface
Enforces strict security boundaries using Linux namespaces and cgroups to isolate virtual machine processes.
Proton is a compatibility layer designed to enable the execution of Windows-based software on non-Windows operating systems. It functions as a controlled runtime environment that maps proprietary system calls to native kernel functions and translates graphics API commands into open-standard compute shaders. This allows applications to run without requiring modifications to their original source code. The project distinguishes itself through a robust toolchain for reproducible builds, which utilizes containerized isolation to ensure consistent binary outputs across different development enviro
Manages dependencies and system resources within a controlled runtime to maintain consistent software behavior.
Try est un outil pour gérer des environnements shell éphémères et exécuter des commandes au sein d'un sandbox isolé. Il utilise OverlayFS et les namespaces Linux pour empêcher les processus d'altérer le système en direct, agissant à la fois comme un sandbox de commande et un auditeur de changements de système de fichiers. Le projet permet aux utilisateurs de capturer les modifications de fichiers dans une couche temporaire et d'inspecter ces changements avant de décider de les appliquer ou de les supprimer. Il supporte un workflow d'audit des ajouts et modifications, puis de fusion des changements vérifiés dans le système de fichiers hôte. L'outil fournit des capacités pour des shells sandbox interactifs, la gestion de répertoires sandbox personnalisés et la capacité de fusionner plusieurs répertoires overlay en un environnement en couches unique. Il inclut également des scripts de complétion shell pour l'autocomplétion des commandes et des flags.
Provides a way to browse overlay directories to identify files modified or created during execution.