Bubblewrap: Unprivileged Sandboxing Tool for Linux

1. bubblewrap

   1 79 4,162 7.6 C

   Low-level unprivileged sandboxing tool used by Flatpak and similar projects

   

   Note that a sandbox escape is often possible via TIOCSTI (CVE-2017-5226) [0] unless a special flag (--new-session) is used.

   Bubblewrap is aware of this, yet their documentation gives no indication that this flag is necessary to produce a secure sandbox. In --help, the documentation of --new-session is simply "Create a new terminal session," which severely understates its importance.

   It's frustrating to have such a useful tool be knowingly easy to misuse.

   [0]: https://github.com/containers/bubblewrap/issues/142

2. CodeRabbit

   coderabbit.ai featured

   CodeRabbit: AI Code Reviews for Developers. Revolutionize your code reviews with AI. CodeRabbit offers PR summaries, code walkthroughs, 1-click suggestions, and AST-based analysis. Boost productivity and code quality across all major languages with each PR.

   

3. crosvm

   2 7 879 9.8 Rust

   The Chrome OS Virtual Machine Monitor - Mirror of https://chromium.googlesource.com/crosvm/crosvm/

   

   I've also been looking into shipping apps as VM images with a minimal kernel. Do you know if WHPX requires the user to have admin rights? On the host side, Windows and Mac ports of crosvm [1] could be useful. crosvm seems to have all the necessary virtio device types, but a greater focus on security than QEMU.

   [1]: https://google.github.io/crosvm/

4. nsjail

   3 7 3,154 5.7 C++

   A lightweight process isolation tool that utilizes Linux namespaces, cgroups, rlimits and seccomp-bpf syscall filters, leveraging the Kafel BPF language for enhanced security.

   

Suggest a related project