Bubblewrap Alternatives
Similar projects and alternatives to bubblewrap
-
-
-
SonarLint
Deliver Cleaner and Safer Code - Right in Your IDE of Choice!. SonarLint is a free and open source IDE extension that identifies and catches bugs and vulnerabilities as you code, directly in the IDE. Install from your favorite IDE marketplace today.
-
-
-
pkg2appimage
Tool and recipes to convert existing deb packages to AppImage
-
-
realtime
Listen to your to PostgreSQL database in realtime via websockets. Built with Elixir.
-
Scout APM
Less time debugging, more time building. Scout APM allows you to find and fix performance issues with no hassle. Now with error monitoring and external services monitoring, Scout is a developer's best friend when it comes to application development.
-
-
-
-
cli-guidelines
A guide to help you write better command-line programs, taking traditional UNIX principles and updating them for the modern day.
-
-
-
-
runc
CLI tool for spawning and running containers according to the OCI specification
-
QEMU
Official QEMU mirror. Please see http://wiki.qemu.org/Contribute/SubmitAPatch for how to submit changes to QEMU. Pull Requests are ignored. Please only use release tarballs from the QEMU website.
-
Ferdi
Ferdi is a free and opensource all-in-one desktop app that helps you organize how you use your favourite apps
-
privacytools.io
🛡🛠 You are being watched. Protect your privacy against global mass surveillance.
-
-
Reviews and mentions
-
Linux kernel: Heap buffer overflow in fs_context.c since version 5.1
I believe a safer alternative to user namespaces is https://github.com/containers/bubblewrap.
-
Hello, youki! Faster container runtime is written in Rust
What is missing in bubblewrap for you?
-
Ask HN: What's the best way to secure your workstation?
Would you mind elaborating on what's wrong with flatpak? bubblewrap, used by flatpak for isolation, seems less readily escapable than firejail (https://github.com/containers/bubblewrap/blob/master/README....).
(edit: changed link formatting)
-
[Question] Is the Rust Compiler safe?
crosvm mentions minijail, which is a sandboxing tool that can sandbox individual processes in a machine. Other tools in that space are firejail and bubblewrap.
-
Rambox Pro
Nevertheless, Ferdi is effectively a web browser, so it's still a good idea to run it in a sandbox (but make sure any external sandbox doesn't interfere with Chromium's internal sandbox), like Flatpak, firejail (full disclosure: I've also made some commits to firejail), or bubblewrap (out of these, bubblewrap is probably the technically most superior on recent Linux kernels, but somewhat difficult to use).
- Bubblewrap: Unprivileged Sandboxing Tool
-
Thoughts about an article talking about the insecurity of linux
If your threat model is somewhat normal a linux installation is not that bad, more so if you harden it a little. Choose a distro with selinux (or have fun setting it up yourself), use wayland, and to bubblewrap things off, isolate and restrict the more exposed applications like the browser.
- What can a beginner do to secure their system?
-
Linux simple security enable.
If you want to have some more security, enjoy SELinux. Or bwrap. Or Tails. All have their benefits and drawbacks, but in times of ransomware and phishing, they might be more relevant.
-
FreeBSD Implements Unprivileged Chroot
An alternative to unshare is also bubblewrap (https://github.com/containers/bubblewrap) which also sets up a new namespace. You can build up your own new filesystem by binding existing paths into the new root and then run a process within it:
$ mkdir -p root/binwithout being root. (This requires a sysctl to be enabled for unprivileged user namespaces, which is on by default in the kernel.org tree and I think all major distro kernels have it on now. The feature has been in the upstream kernel since 2013.)
If you want to do this at scale, a handy tool is bwrap(1) from https://github.com/containers/bubblewrap . (The README talks about how bwrap is a setuid program to prevent the need for that sysctl, but it also works great as a non-setuid program when that sysctl is enabled, and its value is it has a bunch of handy command-line flags for this sort of thing. We use it extensively at my workplace in non-setuid mode for things that don't quite need containers but need to see alternative root directories etc.)
-
Flatpak – A Security Nightmare
Flatpak handles all that too, all these tools are using the same Linux security primitives. There is really not any difference between them from a security perspective. Technically flatpak is based around bubblewrap which is kind of like an even simpler version of firejail: https://github.com/containers/bubblewrap
-
Transition to Wayland? Native wayland apps? Any compromises?
I've heard about this https://github.com/containers/bubblewrap sometime ago.
-
Firefox 88 combats window.name privacy abuses – Mozilla Security Blog
Flatpak is simpler and more convenient (here's Firefox). You can also use its base technology, Bubblewrap, directly.
-
cap-std: Capability-oriented version of the Rust standard library
You can use bubblewrap for that:
Stats
containers/bubblewrap is an open source project licensed under GNU General Public License v3.0 or later which is an OSI approved license.
Popular Comparisons
Are you hiring? Post a new remote job listing for free.