Our great sponsors
-
nsjail
A lightweight process isolation tool that utilizes Linux namespaces, cgroups, rlimits and seccomp-bpf syscall filters, leveraging the Kafel BPF language for enhanced security.
-
InfluxDB
Power Real-Time Data Analytics at Scale. Get real-time insights from all types of time series data with InfluxDB. Ingest, query, and analyze billions of data points in real-time with unbounded cardinality.
-
ports
Read-only git conversion of OpenBSD's official cvs ports repository. Pull requests not accepted - send diffs to the ports@ mailing list.
-
WorkOS
The modern identity platform for B2B SaaS. The APIs are flexible and easy-to-use, supporting authentication, user identity, and complex enterprise features like SSO and SCIM provisioning.
Firejail, Flatpak (which uses Bubblewrap under the hood), and Snap (which uses AppArmor) all use the same underlying technology: Linux namespaces.
This question comes up a lot, and has been answered here: https://github.com/netblue30/firejail/wiki/Frequently-Asked-...
TL;DR: Firejail has much more comprehensive features than Flatpak (Bubblewrap). Firejail also has more comprehensive network support, support for AppArmor and SELinux, and easier seccomp filtering.
Compared to Snap (which uses AppArmor), Firejail is compatible with AppArmor and again goes above and beyond with a lot of additional features.
I think OpenBSD comes the closest to what you want with its two easy to use syscalls that provide syscall filtering and restricting access to paths:
https://man.openbsd.org/pledge.2
https://man.openbsd.org/unveil.2
A few random examples:
https://github.com/tmux/tmux/blob/c8494dff7b6b9a996866edaf8c...
https://github.com/openbsd/ports/blob/master/www/mozilla-fir...
https://github.com/openbsd/ports/blob/master/www/mozilla-fir...
To get the best isolation you need to patch the source — the application needs to go through initial setup and then drop privileges to the absolute possible minimum. But it's easy to make custom wrappers for third-party applications — the above profiles taken from the OpenBSD ports tree are the proof.
I think OpenBSD comes the closest to what you want with its two easy to use syscalls that provide syscall filtering and restricting access to paths:
https://man.openbsd.org/pledge.2
https://man.openbsd.org/unveil.2
A few random examples:
https://github.com/tmux/tmux/blob/c8494dff7b6b9a996866edaf8c...
https://github.com/openbsd/ports/blob/master/www/mozilla-fir...
https://github.com/openbsd/ports/blob/master/www/mozilla-fir...
To get the best isolation you need to patch the source — the application needs to go through initial setup and then drop privileges to the absolute possible minimum. But it's easy to make custom wrappers for third-party applications — the above profiles taken from the OpenBSD ports tree are the proof.
While trying to find out more comparison information, found this light on details issue:
https://github.com/containers/bubblewrap/issues/81
It mentions nsjail and minijail.