Using bubblewrap to add sandboxing to NetBSD

(blog.netbsd.org)

47 points | by jaypatelani 5 hours ago

10 comments

  • matesz a few seconds ago

    As a side note, NetBSD is THE ONLY operating system whose binaries are fully bit-by-bit reproducible.

    Moreover, it vendors a patched gcc compiler, so the entire toolchain is reproducible as well (gcc is not reproducible)!

  • qwertox an hour ago

    Bubblewrap is a really interesting project, really worth checking out.

    https://github.com/containers/bubblewrap

    It's the base for Flatpak, the thing that makes Flatpak sandboxed.

    I use it to run Claude Code / Codex / Gemini CLI, to make sure that they have a limited / fake view of my system.

    You can bind directories into it, or overlay them into it, restrict other kinds of access.

    If Docker is a thing on a scale between a VM and your OS, Bubblewrap is a thing on a scale between Docker and your OS. You use your OS, instead of installing and managing an OS like you do with Docker, but you get filesystem and process isolation like with Docker.

    Though I had an issue where I couldn't use `--new-session`, which is kind of dangerous not to use, but you can get around it if you use seccomp to block ioctl calls and ptrace.
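    The bind / private-home / `--new-session` setup described above, as an added example that is neither the commenter's nor the bubblewrap project's own code: a POSIX sh wrapper that assembles a restrictive bwrap invocation and self-checks that nothing outside the project directory is writable. It assumes bwrap is installed and that the host's system directories live under the usual paths.

```shell
#!/bin/sh
# Added example (not from the thread): a minimal bubblewrap (bwrap) wrapper for
# running an untrusted CLI tool with a read-only view of the host, a throwaway
# $HOME and a single writable project directory. Assumes bwrap is installed.

arg() { printf '%s\n' "$@"; }   # one argument per line, so lists are inspectable

# Print the bwrap argument list for a sandbox whose only writable host path
# is PROJECT_DIR.
sandbox_args() {
    project_dir=$1
    home=${HOME:-/tmp/sandbox-home}      # fallback if HOME is unset (assumption)
    arg --unshare-all                    # fresh user/pid/net/ipc/uts/mount namespaces
    arg --die-with-parent                # no orphaned sandbox if the wrapper exits
    # setsid() inside the sandbox: it loses the controlling terminal, so it
    # cannot push keystrokes into the parent shell via the TIOCSTI ioctl. Where
    # this flag is unusable, --seccomp with a BPF filter denying ioctl and
    # ptrace is the fallback (building that filter is outside this example).
    arg --new-session
    for d in /usr /etc /lib /lib64 /bin /sbin; do       # host tree, read-only
        if [ -e "$d" ]; then arg --ro-bind "$d" "$d"; fi
    done
    arg --proc /proc --dev /dev
    arg --tmpfs "$home"                  # whatever is written to $HOME vanishes
    arg --bind "$project_dir" "$project_dir" --chdir "$project_dir"
}

# Self-check: read an argument list on stdin and fail if any read-write
# --bind targets a host path other than DIR.
only_writes_to() {
    awk -v dir="$1" '
        prev == "--bind" && $0 != dir { bad = 1 }
        { prev = $0 }
        END { exit bad }'
}

# run_sandboxed PROJECT_DIR COMMAND [ARGS...]   e.g. run_sandboxed "$PWD" sh -l
run_sandboxed() {
    project_dir=$1; shift
    sandbox_args "$project_dir" | only_writes_to "$project_dir" || return 1
    old_ifs=$IFS; IFS='
'
    set -f                               # no globbing while splitting on newlines
    # shellcheck disable=SC2046
    set -- $(sandbox_args "$project_dir") -- "$@"
    IFS=$old_ifs; set +f
    exec bwrap "$@"
}
```

Overlays (`--overlay`) and a seccomp filter fd (`--seccomp`) slot into `sandbox_args` the same way; the self-check only inspects `--bind`, so extend it if you add other writable mount types.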

    • udev4096 26 minutes ago

      bubblewrap escapes are not unheard of. In fact, it's a common theme that the general Linux landscape lacks strong sandboxing, even if you use bwrap, firejail, etc. Especially Linux desktop, a security fire hazard to say the least, unless you are using QubesOS.

  • aborsy 2 hours ago

    I experimented with bubblewrap as a better alternative to firejail. Unfortunately there are scripts for only a few applications. It's a tool for developers. Users are better off with flatpaks powered by bubblewrap.

    • johnisgood 2 hours ago

      I have been using firejail for a long time now. It seems to work well for me. At times I have to write my own profiles, yeah.

      • aborsy 2 hours ago

        The situation with firejail is different. There are a lot of profiles, and they are easier to customize and write.

        But firejail needs root privilege, so there are arguments that it may actually reduce the security, because even though it sandboxes some applications, non-privileged processes may gain privilege if there is a flaw in firejail itself.

        Firejail is also criticized for complexity.

  • jmclnx 3 hours ago

    Always nice to see NetBSD posts here, that nice OS gets hardly any press.

  • DeathArrow an hour ago

    I would have loved to see something like OCI containers.

    • yjftsjthsd-h 13 minutes ago

      This would underpin that, right? First you build the namespace primitives, then you put the handy wrapper on top that composes a root fs and spawns a container from it using those namespace primitives.

  • lovegrenoble 3 hours ago