awesome-repositories.com
博客
awesome-repositories.com

通过 AI 驱动的搜索,发现最优秀的开源仓库。

探索精选搜索开源替代品自托管软件博客网站地图
项目关于排名机制媒体报道MCP 服务器
法律隐私政策服务条款
© 2026 Bringes Technology SRL·VAT RO45896025·hello@awesome-repositories.com
·

12 个仓库

Awesome GitHub RepositoriesLinux Sandboxes

Isolated execution environments created using Linux kernel primitives to restrict resource access and system visibility.

Distinct from Linux Provisioning: Distinct from Virtual Machines or Wasm sandboxes: focuses on OS-level container sandboxing via namespaces and cgroups.

Explore 12 awesome GitHub repositories matching operating systems & systems programming · Linux Sandboxes. Refine with filters or upvote what's useful.

Awesome Linux Sandboxes GitHub Repositories

用 AI 发现最棒的仓库。我们将通过 AI 为您搜索最匹配的仓库。
  • orbstack/orbstackorbstack 的头像

    orbstack/orbstack

    8,903在 GitHub 上查看↗

    OrbStack is a native macOS application that replaces Docker Desktop, providing an all-in-one environment for running Docker containers, full Linux virtual machines, and local Kubernetes clusters. It runs Linux VMs directly on the macOS hypervisor framework for near-native performance, uses VirtioFS for fast bidirectional file sharing between macOS and Linux, and leverages Rosetta for near-native x86 emulation on Apple Silicon. The system assigns predictable local domain names to containers and VMs with automatic HTTPS certificate generation, forwards ports via event-driven updates, and stores

    Runs Linux machines without macOS integration to provide a sandboxed environment for untrusted code.

    Shellcolimadockerdocker-desktop
    在 GitHub 上查看↗8,903
  • projectatomic/bubblewrapprojectatomic 的头像

    projectatomic/bubblewrap

    7,731在 GitHub 上查看↗

    Bubblewrap 是一个用于 Linux 的非特权沙盒执行实用程序,将进程与宿主系统隔离。它通过利用 Linux 命名空间来分离系统资源(包括网络、PID 和 IPC 栈)来创建安全环境。 该项目以支持在宿主机上无需 root 权限即可执行不受信任的软件而脱颖而出。它通过禁用 setuid 二进制文件的执行来防止权限提升,并使用用户身份映射将进程权限与宿主操作系统隔离。 该工具管理一个全面的安全表面,包括用于限制目录可见性和只读权限的文件系统访问控制。它还通过 seccomp 系统调用过滤进一步减少了内核攻击面。

    Creates isolated execution environments using Linux kernel primitives to restrict resource access and system visibility.

    C
    在 GitHub 上查看↗7,731
  • youki-dev/youkiyouki-dev 的头像

    youki-dev/youki

    7,452在 GitHub 上查看↗

    Youki is a low-level container runtime written in Rust that creates and manages isolated containers according to Open Container Initiative specifications. It serves as an execution engine that can function as a rootless container manager or a pluggable Kubernetes CRI runtime to manage pods and containers within a cluster. The project distinguishes itself by providing a Wasm container runtime capable of executing WebAssembly modules as isolated workloads compatible with standard orchestration tools. It further supports a rootless execution model, allowing isolated environments to start as non-

    Implements Linux sandbox provisioning using kernel namespaces and cgroups to create isolated execution environments.

    Rustcontainersdockerkubernetes
    在 GitHub 上查看↗7,452
  • sandstorm-io/sandstormsandstorm-io 的头像

    sandstorm-io/sandstorm

    7,037在 GitHub 上查看↗

    Sandstorm is an open-source platform that packages and runs web applications in security-hardened sandboxes on a personal server, functioning as a self-hosted web app operating system. It provides a curated app store where users discover and install sandboxed web applications with one-click ease, while each application runs in an isolated container that uses Linux kernel security features to separate it from the host and other apps. The platform includes a centralized authentication layer so users sign in once and gain access to all installed applications without managing separate accounts per

    Runs Linux web applications inside security sandboxes with optional modifications.

    JavaScriptcapnprotodecentralizedhacktoberfest
    在 GitHub 上查看↗7,037
  • netblue30/firejailnetblue30 的头像

    netblue30/firejail

    7,069在 GitHub 上查看↗

    Firejail is a Linux application sandbox and kernel security wrapper that isolates untrusted applications from the host system. It uses kernel namespaces and seccomp filters to restrict filesystem access, drop kernel capabilities, and limit the system attack surface. The project is distinguished by its use of predefined security profiles to automatically apply filesystem restrictions and syscall limits based on the executable being launched. It provides specialized isolation for portable packages such as AppImages and implements X11 display isolation via proxy servers to prevent keyboard loggi

    Provides a security tool that uses Linux kernel namespaces and seccomp filters to isolate untrusted applications.

    C
    在 GitHub 上查看↗7,069
  • mviereck/x11dockermviereck 的头像

    mviereck/x11docker

    6,283在 GitHub 上查看↗

    x11docker 是一个 OCI 容器 GUI 编排器和硬件桥接工具,旨在容器内运行图形化应用程序和完整的桌面环境。它作为一个 Linux GUI 沙箱,将容器化进程连接到宿主机的 X11 或 Wayland 显示服务器及音频系统。 该项目通过提供深度系统集成(包括 NVIDIA 驱动自动化和 GPU 直通)来实现硬件加速,从而脱颖而出。它支持跨架构 GUI 模拟,并通过 VNC、SSH 转发和基于浏览器的 HTML5 渲染提供远程访问能力。 该工具涵盖了广泛的集成功能,包括用于安全的命名空间身份映射、用于进程间通信的 D-Bus 会话桥接,以及双向剪贴板同步。它还处理摄像头和打印机等外设共享,以及 init 系统和持久化存储挂载的管理。 该软件是一个基于 shell 的实用程序,支持包括 Docker 和 Podman 在内的多种符合 OCI 标准的后端。

    Functions as a security-focused sandbox for running untrusted graphical software in isolated containers.

    Shellcontainersdesktopdocker
    在 GitHub 上查看↗6,283
  • containers/bubblewrapcontainers 的头像

    containers/bubblewrap

    5,839在 GitHub 上查看↗

    Bubblewrap is a Linux sandbox runner that creates lightweight, isolated execution environments for running untrusted applications. It combines Linux user, mount, network, PID, and UTS namespaces with seccomp-BPF system call filtering to restrict filesystem, network, process, and inter-process communication access. The project provides comprehensive process isolation by giving each sandbox its own private tmpfs root with selective bind-mounts, a separate network stack containing only a loopback interface, an independent process ID space, and remapped user and group identifiers. It applies secc

    Runs applications in a restricted environment using Linux user namespaces and mount namespaces.

    Clinux-containersuser-namespaces
    在 GitHub 上查看↗5,839
  • flatpak/flatpakflatpak 的头像

    flatpak/flatpak

    4,818在 GitHub 上查看↗

    Flatpak is a sandboxed application framework and standardized packaging format for Linux desktop applications. It functions as a distribution system that allows a single application bundle to run consistently across multiple Linux operating systems without requiring per-distribution builds. The project provides a runtime dependency manager that bundles specific library versions or shared runtimes to create predictable execution environments. It includes a sandbox permission manager to control application access to system hardware and resources, ensuring security and consistent behavior betwee

    Implements a comprehensive framework for packaging and running desktop applications in isolated Linux sandboxes.

    C
    在 GitHub 上查看↗4,818
  • atmosphere/atmosphereAtmosphere 的头像

    Atmosphere/atmosphere

    3,780在 GitHub 上查看↗

    Atmosphere is a Java-based framework for building and coordinating AI agents. It provides a real-time transport layer for streaming data via WebSockets, SSE, gRPC, and WebTransport, alongside a multi-agent orchestration framework for managing agent fleets through sequential, parallel, and graph-based execution workflows. The project features a durable workflow engine that persists agent state as snapshots, allowing long-running tasks to survive system restarts and incorporate human-in-the-loop approvals. It also implements Model Context Protocol servers to expose tools, resources, and prompt

    Renders HTML-based applications in isolated iframes with a bidirectional bridge for secure, sandboxed interaction.

    Javaacpagentic-aiembabel
    在 GitHub 上查看↗3,780
  • containers/toolboxcontainers 的头像

    containers/toolbox

    3,250在 GitHub 上查看↗

    Toolbox is a development workspace orchestrator and container environment manager that bootstraps mutable toolsets and SDKs inside containers. It functions as a Linux distribution sandbox and a host-integrated container runtime, allowing users to run native package managers and software without modifying the host operating system. The project differentiates itself by bridging isolated containers with the host system through the mapping of user identities, network sockets, and home directories. It utilizes a daemonless engine to provide these environments while ensuring that system configurati

    Provides a containerized sandbox to run native package managers and software without modifying the host system.

    Shellcontainerslinux
    在 GitHub 上查看↗3,250
  • ioi/isolateioi 的头像

    ioi/isolate

    1,441在 GitHub 上查看↗

    Isolate is a low-level sandbox designed to execute untrusted programs within a strictly controlled environment. It functions as a process isolation engine that prevents potentially harmful code from interacting with or damaging the host operating system. The tool leverages Linux kernel primitives, including namespaces and control groups, to partition system resources and enforce hardware usage boundaries. By applying filesystem virtualization and system call filtering, it restricts the visibility and interaction of a process with the host, ensuring that untrusted applications operate only wit

    Uses kernel-level primitives like namespaces and cgroups to enforce strict boundaries on system resource usage.

    C
    在 GitHub 上查看↗1,441
  • langgenius/dify-sandboxlanggenius 的头像

    langgenius/dify-sandbox

    1,116在 GitHub 上查看↗

    Dify-sandbox is a secure runtime environment designed for the execution of untrusted code snippets. It functions as a containerized sandbox that isolates processes from the host operating system, ensuring that arbitrary scripts can be run without granting them unauthorized access to sensitive data or critical system resources. The project distinguishes itself through a multi-layered security approach that combines kernel-level isolation with strict resource management. By utilizing Linux namespaces and container-based process isolation, it partitions system resources to maintain visibility bo

    Uses Linux kernel namespaces to partition system resources and restrict process visibility.

    Go
    在 GitHub 上查看↗1,116
  1. Home
  2. Operating Systems & Systems Programming
  3. Linux Sandboxes

探索子标签

  • Permission ManagersSystems for controlling application access to system hardware and resources within a sandbox. **Distinct from Linux Sandboxes:** Focuses on the permission layer of a Linux sandbox rather than the execution environment itself
  • Web App Sandbox RuntimesRuns any web application that works on Linux, with optional modifications to fit inside a security sandbox. **Distinct from Linux Sandboxes:** Distinct from Linux Sandboxes: specifically targets running web apps in sandboxes, not general Linux sandboxing.