Table of contents
Security
Bubblewrap provides enhanced security by allowing applications to run in a sandboxed environment, minimizing the risk of malicious code affecting the host system.
Isolation
It offers strong isolation features by creating a separate filesystem namespace, limiting an application's ability to interact with the host filesystem.
Lightweight
Bubblewrap is a lightweight solution compared to full-fledged container solutions, making it suitable for simple sandboxing without the overhead of containers.
Flexibility
It provides flexibility to configure namespaces, capabilities, and cgroups, allowing fine-grained control over the sandbox environment.
Minimal dependencies
Bubblewrap has minimal dependencies, which makes it easier to install and use across different environments.
We have collected here some useful links to help you find out if Bubblewrap is good.
Check the traffic stats of Bubblewrap on SimilarWeb. The key metrics to look for are: monthly visits, average visit duration, pages per visit, and traffic by country. Moreoever, check the traffic sources. For example "Direct" traffic is a good sign.
Check the "Domain Rating" of Bubblewrap on Ahrefs. The domain rating is a measure of the strength of a website's backlink profile on a scale from 0 to 100. It shows the strength of Bubblewrap's backlink profile compared to the other websites. In most cases a domain rating of 60+ is considered good and 70+ is considered very good.
Check the "Domain Authority" of Bubblewrap on MOZ. A website's domain authority (DA) is a search engine ranking score that predicts how well a website will rank on search engine result pages (SERPs). It is based on a 100-point logarithmic scale, with higher scores corresponding to a greater likelihood of ranking. This is another useful metric to check if a website is good.
The latest comments about Bubblewrap on Reddit. This can help you find out how popualr the product is and what people think about it.
There are some more obvious things you should do (in order): 1. Have backups. You are running software all the time that can corrupt your files either maliciously or, more likely, accidentally. It doesn't really matter where it comes from, 2. Get into the habit of running things in sandboxes. You don't need anything magical here, a separate (unprivileged) user account is a good enough sandbox for many things. I... - Source: Hacker News / 2 months ago
Ariadne Conill, Founder and Distinguished Engineer at Edera, highlighted the necessity for a new low-level container runtime in a recent blog post. Existing solutions like Bubblewrap and util-linuxโs unshare rely heavily on complex command-line interfaces or lack the required programming control, making them error-prone. In contrast, high-level solutions like Kubernetes' Container Runtime Interface (CRI) abstract... - Source: dev.to / 5 months ago
This is exactly what the tool bubblewrap[1] is built for. It is pretty easy to wrap binaries with it and it gives you control over exactly what permissions you want in the namespace. [1]: https://github.com/containers/bubblewrap. - Source: Hacker News / 7 months ago
Another thing to look at is bubblewrap (https://github.com/containers/bubblewrap), which is what implements the sandboxing in Flatpak. It's handy on it's if you want to run a command from your host in a particular sandbox as kind of a one-off. - Source: Hacker News / 7 months ago
> Not requiring the cooperation of developers to opt-in, for starters. True, meaningful in the general case, and completely irrelevant in this particular case, which started with specifically the question of OpenBSD applying the protection in question to its own base system. I actually agree that being able to externally impose a sandbox is super useful, but self-imposed restrictions are perfectly applicable in... - Source: Hacker News / 11 months ago
As an example we will look at man 1 bwrap. Bubblewrap allows us to sandbox an application, not too dissimilar to docker. Flatpaks use bubblewrap as part of their sandbox. Bubblewrap can optionally take in a list of syscalls to filter. The filter is expressed as a BPF(Berkley Packet Filter program - remember when I said docker gives you a friendlier interface to seccomp?) program. Below is a short program... - Source: dev.to / over 1 year ago
I have already been using bubblewrap[1] to isolate KeePassXC from the network and more (the only access it has is to its own private directory and the Wayland socket). I wouldn't recommend relying on devs or maintainers to do application isolation work for you. [1] <https://github.com/containers/bubblewrap>. - Source: Hacker News / over 1 year ago
Recently, I came across Chainguard and wrote the article How to build Docker Images with Melange and Apko. As a fervent supporter of Kubernetes and GitLab CI, I was eager to experiment with building images using Melange in this particular setup. GitLab's shared Runners work seamlessly with Bubblewrap, eliminating the need for additional configurations. This post is intended for enthusiasts like myself, interested... - Source: dev.to / almost 2 years ago
``` This is basically manually invoking what Flatpak does: https://github.com/containers/bubblewrap This is also useful for more than just security. E.G., you can test how your app would behave on a fresh install by masking your user configuration files. I personally also have a tool that uses it to basically bundle all dependencies from an entire Linux... - Source: Hacker News / about 2 years ago
To, say, override the KDE plugins while testing. This is useful for me since it's rather challenging during development to actually get KDE apps to reliably load my plugins on NixOS: I think kio slaves are probably wrapped and getting other environments injected into them. Rather than bother with any tricky hacks, Linux namespaces make it relatively easy to test regardless. Bubblewrap is used internally by Flatpak... - Source: Hacker News / about 2 years ago
After some research I had nailed down that I would have to use either bubblewrap, PWABuilder or Capacitor. Since all those worked with Progressive Web Apps, I set out to start with building a PWA. - Source: dev.to / over 2 years ago
Well, they run inside https://github.com/containers/bubblewrap which is a sandbox system. In Flatpak you can override any "hole" that might be the default. Source: over 2 years ago
Apps in ChromeOS are sandboxed regardless. Over at Linux we're trying to achieve 'bandaid-solutions' using tools like bubblewrap and (albeit to a lesser degree) firejail. Note that the term 'bandaid-solutions' was not meant derogatory, I think both bubblewrap and firejail are amazing utilities. However, their best efforts can only do so much in an environment in which privileged access is the norm, rather than the... Source: over 2 years ago
As for Linux distributions, most of them don't have proper sandboxing of applications. We might get there one day with bubblewrap and Flatpak. Source: over 2 years ago
I don't want to say too much, because I know our security isn't perfect, and some about of obfuscation adds some security. Once we move to a more secure model, I will happily tell you all what use used to use to sandbox code. Soon we'll do real sandboxing, either ourselves through Docker, wasm, bubblewrap[1], etc, or an existing FaaS (Lambda, Deno Deploy, Cloudflare Workers) or FaaSaaS (Deno Subhosting) [1]... - Source: Hacker News / over 2 years ago
Bubblewrap was the foundation of Flatpak and of Valve's Linux namespaces project as well Steam pressure vessel. So then you go to Bubblewrap's Github and low and behold the meta project of it is called "containers" and in the readme they talk about namespaces and OCI images directly. https://github.com/containers/bubblewrap. Source: almost 3 years ago
Then, I'd use OS-level sandboxing and resource limiting tools on the subprocess. For example, you could use cpulimit --50 to limit it to 50% of a CPU. A more modern way would be to use Linux cgroups. I also like using Bubblewrap for running untrusted processes within Linux namespaces. Note that some of these things can be tricky to set up if you're already in a Docker container. Source: almost 3 years ago
No, it uses bubblewrap, which uses Linux cgroups and a few other linux-specific features that are unrelated to SELinux. From their docs:. Source: almost 3 years ago
Actually I am 100% correct and can provide links to all the documentation. Flatpak uses bubblewap to execute an application from within a namespace. Namespaces are a kernel feature that allows the app to run in a completely separate environment, including under a fake user that only exists in that namespace. You can then grant access to whatever you want within the host system, like a single directory, or the... Source: about 3 years ago
How does this approach for sandboxing compare to the bubblewrap that uses namespaces? https://github.com/containers/bubblewrap. - Source: Hacker News / about 3 years ago
The "user-friendly" part is always tricky. Maybe you could give bubblewrap a go. I think that it strikes the correct balance between inconvenience and security. I use it to wrap different package managers like npm. https://github.com/containers/bubblewrap. - Source: Hacker News / over 3 years ago
Do you know an article comparing Bubblewrap to other products?
Suggest a link to a post with product alternatives.
Is Bubblewrap good? This is an informative page that will help you find out. Moreover, you can review and discuss Bubblewrap here. The primary details have not been verified within the last quarter, and they might be outdated. If you think we are missing something, please use the means on this page to comment or suggest changes. All reviews and comments are highly encouranged and appreciated as they help everyone in the community to make an informed choice. Please always be kind and objective when evaluating a product and sharing your opinion.
