awesome-repositories.com
Blog
awesome-repositories.com

Découvrez les meilleurs dépôts open-source grâce à notre recherche par IA.

ExplorerRecherches sélectionnéesAlternatives open sourceLogiciels auto-hébergésBlogPlan du site
ProjetÀ proposNotre méthodologiePresseServeur MCP
Mentions légalesConfidentialitéConditions d'utilisation
© 2026 Bringes Technology SRL·VAT RO45896025·hello@awesome-repositories.com
·
containers avatar

containers/bubblewrap

0
View on GitHub↗
5,839 stars·282 forks·C·other·4 vues

Bubblewrap

Bubblewrap is a Linux sandbox runner that creates lightweight, isolated execution environments for running untrusted applications. It combines Linux user, mount, network, PID, and UTS namespaces with seccomp-BPF system call filtering to restrict filesystem, network, process, and inter-process communication access.

The project provides comprehensive process isolation by giving each sandbox its own private tmpfs root with selective bind-mounts, a separate network stack containing only a loopback interface, an independent process ID space, and remapped user and group identifiers. It applies seccomp filters to block dangerous kernel system calls before they execute, and assigns an independent hostname to the sandbox environment through UTS namespace isolation.

Bubblewrap enforces read-only and nodev filesystem access by default, preventing sandboxed processes from writing to or creating device nodes on the host. The sandbox environment is created using user namespaces, which hide real user and group identifiers from sandboxed processes by mapping them to different values inside the namespace.

Features

  • Execution Sandboxes - Executes applications inside lightweight Linux sandboxes with user namespace isolation.
  • Application Sandboxing - Runs untrusted applications in an isolated Linux environment with restricted filesystem, network, and process access.
  • Tmpfs Root Sandbox Execution - Creates a new mount namespace with a tmpfs root and bind-mounts only the directories the application should see.
  • Tmpfs Root Sandboxing - Creates a private tmpfs root and selectively bind-mounts only allowed directories for filesystem isolation.
  • Tmpfs Root with Bind-Mounts - Creates a tmpfs root and bind-mounts only allowed directories with read-only and nodev defaults.
  • Loopback-Only Network Isolation - Gives the sandbox its own network namespace with only a loopback device, cutting off all external network connectivity.
  • Loopback-Only Network Namespaces - Gives the sandbox its own network namespace with only a loopback interface, cutting off external access.
  • Loopback-Only Network Stacks - Gives the sandbox its own network namespace with only a loopback interface, blocking external access.
  • Namespace-Based Isolation - Creates lightweight containers using Linux user, PID, mount, network, and UTS namespaces for process isolation.
  • IPC Namespace Isolation - Provides its own SysV IPC namespace to isolate shared memory and semaphores from the host.
  • PID Namespace Isolation - Isolates the sandbox's process list so it cannot see or signal processes outside the sandbox.
  • Process Visibility Remappings - Provides PID namespace isolation so sandboxed processes cannot see or signal host processes.
  • PID Space Isolation - Provides an independent PID namespace so sandboxed processes cannot see or signal host processes.
  • Linux Sandboxes - Runs applications in a restricted environment using Linux user namespaces and mount namespaces.
  • Network Isolation - Cuts off external network connectivity by giving the sandbox its own network namespace with only a loopback device.
  • Seccomp Profiles - Applies seccomp-BPF filters to block dangerous kernel system calls inside the sandbox.
  • BPF-Based Syscall Blocking - Applies seccomp-BPF filters to intercept and block dangerous kernel system calls before execution.
  • User Namespace Mappings - Maps host user and group IDs to different values inside the sandbox via user namespaces.
  • UID/GID Remapping - Maps host user and group IDs to different values inside the sandbox, hiding real identifiers.
  • UTS Namespace Hostname Separation - Assigns an independent hostname to the sandbox via UTS namespace isolation.
  • SysV IPC Isolation - Gives the sandbox its own copy of SysV shared memory, semaphores, and other IPC primitives.
  • Read-Only Filesystem Enforcement - Enforces read-only and nodev filesystem access by default to prevent host modification.
  • Host Security Tools - Sandboxing tool for restricting application access to system resources.

Historique des stars

Graphique de l'historique des stars pour containers/bubblewrapGraphique de l'historique des stars pour containers/bubblewrap

Recherche par IA

Explorez plus de dépôts awesome

Décrivez vos besoins en langage naturel — l'IA classe des milliers de projets open source sélectionnés par pertinence.

Start searching with AI

Alternatives open source à Bubblewrap

Projets open source similaires, classés selon le nombre de fonctionnalités partagées avec Bubblewrap.
  • netblue30/firejailAvatar de netblue30

    netblue30/firejail

    7,069Voir sur GitHub↗

    Firejail is a Linux application sandbox and kernel security wrapper that isolates untrusted applications from the host system. It uses kernel namespaces and seccomp filters to restrict filesystem access, drop kernel capabilities, and limit the system attack surface. The project is distinguished by its use of predefined security profiles to automatically apply filesystem restrictions and syscall limits based on the executable being launched. It provides specialized isolation for portable packages such as AppImages and implements X11 display isolation via proxy servers to prevent keyboard loggi

    C
    Voir sur GitHub↗7,069
  • projectatomic/bubblewrapAvatar de projectatomic

    projectatomic/bubblewrap

    7,731Voir sur GitHub↗

    Bubblewrap is an unprivileged sandbox execution utility for Linux that isolates processes from the host system. It creates secure environments by leveraging Linux namespaces to separate system resources, including network, PID, and IPC stacks. The project distinguishes itself by enabling the execution of untrusted software without requiring root privileges on the host machine. It prevents privilege escalation by disabling the execution of setuid binaries and uses user identity mapping to isolate process permissions from the host operating system. The tool manages a comprehensive security sur

    C
    Voir sur GitHub↗7,731
  • flatpak/flatpakAvatar de flatpak

    flatpak/flatpak

    4,818Voir sur GitHub↗

    Flatpak is a sandboxed application framework and standardized packaging format for Linux desktop applications. It functions as a distribution system that allows a single application bundle to run consistently across multiple Linux operating systems without requiring per-distribution builds. The project provides a runtime dependency manager that bundles specific library versions or shared runtimes to create predictable execution environments. It includes a sandbox permission manager to control application access to system hardware and resources, ensuring security and consistent behavior betwee

    C
    Voir sur GitHub↗4,818
  • youki-dev/youkiAvatar de youki-dev

    youki-dev/youki

    7,452Voir sur GitHub↗

    Youki is a low-level container runtime written in Rust that creates and manages isolated containers according to Open Container Initiative specifications. It serves as an execution engine that can function as a rootless container manager or a pluggable Kubernetes CRI runtime to manage pods and containers within a cluster. The project distinguishes itself by providing a Wasm container runtime capable of executing WebAssembly modules as isolated workloads compatible with standard orchestration tools. It further supports a rootless execution model, allowing isolated environments to start as non-

    Rustcontainersdockerkubernetes
    Voir sur GitHub↗7,452
Voir les 30 alternatives à Bubblewrap→

Questions fréquentes

Que fait containers/bubblewrap ?

Bubblewrap is a Linux sandbox runner that creates lightweight, isolated execution environments for running untrusted applications. It combines Linux user, mount, network, PID, and UTS namespaces with seccomp-BPF system call filtering to restrict filesystem, network, process, and inter-process communication access.

Quelles sont les fonctionnalités principales de containers/bubblewrap ?

Les fonctionnalités principales de containers/bubblewrap sont : Execution Sandboxes, Application Sandboxing, Tmpfs Root Sandbox Execution, Tmpfs Root Sandboxing, Tmpfs Root with Bind-Mounts, Loopback-Only Network Isolation, Loopback-Only Network Namespaces, Loopback-Only Network Stacks.

Quelles sont les alternatives open-source à containers/bubblewrap ?

Les alternatives open-source à containers/bubblewrap incluent : netblue30/firejail — Firejail is a Linux application sandbox and kernel security wrapper that isolates untrusted applications from the host… projectatomic/bubblewrap — Bubblewrap is an unprivileged sandbox execution utility for Linux that isolates processes from the host system. It… flatpak/flatpak — Flatpak is a sandboxed application framework and standardized packaging format for Linux desktop applications. It… youki-dev/youki — Youki is a low-level container runtime written in Rust that creates and manages isolated containers according to Open… langgenius/dify-sandbox — Dify-sandbox is a secure runtime environment designed for the execution of untrusted code snippets. It functions as a… ioi/isolate — Isolate is a low-level sandbox designed to execute untrusted programs within a strictly controlled environment. It…