Firejail is a Linux application sandbox and kernel security wrapper that isolates untrusted applications from the host system. It uses kernel namespaces and seccomp filters to restrict filesystem access, drop kernel capabilities, and limit the system attack surface. The project is distinguished by its use of predefined security profiles to automatically apply filesystem restrictions and syscall limits based on the executable being launched. It provides specialized isolation for portable packages such as AppImages and implements X11 display isolation via proxy servers to prevent keyboard loggi
Bubblewrap is an unprivileged sandbox execution utility for Linux that isolates processes from the host system. It creates secure environments by leveraging Linux namespaces to separate system resources, including network, PID, and IPC stacks. The project distinguishes itself by enabling the execution of untrusted software without requiring root privileges on the host machine. It prevents privilege escalation by disabling the execution of setuid binaries and uses user identity mapping to isolate process permissions from the host operating system. The tool manages a comprehensive security sur
Flatpak is a sandboxed application framework and standardized packaging format for Linux desktop applications. It functions as a distribution system that allows a single application bundle to run consistently across multiple Linux operating systems without requiring per-distribution builds. The project provides a runtime dependency manager that bundles specific library versions or shared runtimes to create predictable execution environments. It includes a sandbox permission manager to control application access to system hardware and resources, ensuring security and consistent behavior betwee
Youki is a low-level container runtime written in Rust that creates and manages isolated containers according to Open Container Initiative specifications. It serves as an execution engine that can function as a rootless container manager or a pluggable Kubernetes CRI runtime to manage pods and containers within a cluster. The project distinguishes itself by providing a Wasm container runtime capable of executing WebAssembly modules as isolated workloads compatible with standard orchestration tools. It further supports a rootless execution model, allowing isolated environments to start as non-
Bubblewrap is a Linux sandbox runner that creates lightweight, isolated execution environments for running untrusted applications. It combines Linux user, mount, network, PID, and UTS namespaces with seccomp-BPF system call filtering to restrict filesystem, network, process, and inter-process communication access.
Les fonctionnalités principales de containers/bubblewrap sont : Execution Sandboxes, Application Sandboxing, Tmpfs Root Sandbox Execution, Tmpfs Root Sandboxing, Tmpfs Root with Bind-Mounts, Loopback-Only Network Isolation, Loopback-Only Network Namespaces, Loopback-Only Network Stacks.
Les alternatives open-source à containers/bubblewrap incluent : netblue30/firejail — Firejail is a Linux application sandbox and kernel security wrapper that isolates untrusted applications from the host… projectatomic/bubblewrap — Bubblewrap is an unprivileged sandbox execution utility for Linux that isolates processes from the host system. It… flatpak/flatpak — Flatpak is a sandboxed application framework and standardized packaging format for Linux desktop applications. It… youki-dev/youki — Youki is a low-level container runtime written in Rust that creates and manages isolated containers according to Open… langgenius/dify-sandbox — Dify-sandbox is a secure runtime environment designed for the execution of untrusted code snippets. It functions as a… ioi/isolate — Isolate is a low-level sandbox designed to execute untrusted programs within a strictly controlled environment. It…