Recently, I came across Chainguard and wrote the article How to build Docker Images with Melange and Apko. As a fervent supporter of Kubernetes and GitLab CI, I was eager to experiment with building images using Melange in this particular setup. GitLab's shared Runners work seamlessly with Bubblewrap, eliminating the need for additional configurations. This post is intended for enthusiasts like myself, interested... - Source: dev.to / 4 months ago
This is basically manually invoking what Flatpak does: https://github.com/containers/bubblewrap This is also useful for more than just security. E.G., you can test how your app would behave on a fresh install by masking your user configuration files. I personally also have a tool that uses it to basically bundle all dependencies from an entire Linux... - Source: Hacker News / 8 months ago
To, say, override the KDE plugins while testing. This is useful for me since it's rather challenging during development to actually get KDE apps to reliably load my plugins on NixOS: I think kio slaves are probably wrapped and getting other environments injected into them. Rather than bother with any tricky hacks, Linux namespaces make it relatively easy to test regardless. Bubblewrap is used internally by Flatpak... - Source: Hacker News / 10 months ago
After some research I had nailed down that I would have to use either bubblewrap, PWABuilder or Capacitor. Since all those worked with Progressive Web Apps, I set out to start with building a PWA. - Source: dev.to / 11 months ago
Well, they run inside https://github.com/containers/bubblewrap which is a sandbox system. In Flatpak you can override any "hole" that might be the default. Source: 12 months ago
Apps in ChromeOS are sandboxed regardless. Over at Linux we're trying to achieve 'bandaid-solutions' using tools like bubblewrap and (albeit to a lesser degree) firejail. Note that the term 'bandaid-solutions' was not meant derogatorily; I think both bubblewrap and firejail are amazing utilities. However, their best efforts can only do so much in an environment in which privileged access is the norm, rather than the... Source: almost 1 year ago
As for Linux distributions, most of them don't have proper sandboxing of applications. We might get there one day with bubblewrap and Flatpak. Source: about 1 year ago
I don't want to say too much, because I know our security isn't perfect, and some amount of obfuscation adds some security. Once we move to a more secure model, I will happily tell you all what we used to use to sandbox code. Soon we'll do real sandboxing, either ourselves through Docker, wasm, bubblewrap[1], etc., or an existing FaaS (Lambda, Deno Deploy, Cloudflare Workers) or FaaSaaS (Deno Subhosting) [1]... - Source: Hacker News / over 1 year ago
Bubblewrap was the foundation of Flatpak and of Valve's Linux namespaces project as well, Steam pressure vessel. So then you go to Bubblewrap's GitHub and, lo and behold, the meta project of it is called "containers", and in the readme they talk about namespaces and OCI images directly. https://github.com/containers/bubblewrap. Source: over 1 year ago
Then, I'd use OS-level sandboxing and resource limiting tools on the subprocess. For example, you could use cpulimit --50 to limit it to 50% of a CPU. A more modern way would be to use Linux cgroups. I also like using Bubblewrap for running untrusted processes within Linux namespaces. Note that some of these things can be tricky to set up if you're already in a Docker container. Source: over 1 year ago
No, it uses bubblewrap, which uses Linux cgroups and a few other Linux-specific features that are unrelated to SELinux. From their docs: Source: over 1 year ago
Actually I am 100% correct and can provide links to all the documentation. Flatpak uses bubblewrap to execute an application from within a namespace. Namespaces are a kernel feature that allows the app to run in a completely separate environment, including under a fake user that only exists in that namespace. You can then grant access to whatever you want within the host system, like a single directory, or the... Source: almost 2 years ago
How does this approach for sandboxing compare to the bubblewrap that uses namespaces? https://github.com/containers/bubblewrap. - Source: Hacker News / almost 2 years ago
The "user-friendly" part is always tricky. Maybe you could give bubblewrap a go. I think that it strikes the correct balance between inconvenience and security. I use it to wrap different package managers like npm. https://github.com/containers/bubblewrap. - Source: Hacker News / almost 2 years ago
You could get something like this using a Bubblewrap script. I have one which marks everything but the current directory read only and drops me into a shell in that container. So a similar idea would be to overlay mount your system for that container so you can edit, and then on exit the changes vanish. Might try this actually :) https://github.com/containers/bubblewrap. - Source: Hacker News / almost 2 years ago
I currently use firejail and apparmor. I generally get the ideas, but subuser seems to do something else, like chroot containers? Is this outdated? Effective? I also saw bubblewrap, and I do not get the difference between subuser and bubblewrap... Is the hierarchy that bubblewrap can run inside/under subuser? Like how any user can run firejail? Source: about 2 years ago
Since when is sandboxing things a bad thing? And Steam, btw, uses sandboxing on Linux, not a full VM but more than the required chroot: it uses bubblewrap, also used by Flatpak. Source: about 2 years ago
It's hard to make it practical without linking a whole lot of your local environment in. Remember it's death by a thousand cuts - every time you need some new thing, you just add it without considering the consequences too much. Probably lots of people doing this with their whole home directory linked in read/write. Recently I got a little concerned about this and made myself a basic safety harness with the... - Source: Hacker News / about 2 years ago
Not a very good name considering there is a sandboxing tool for Linux with the same name: https://github.com/containers/bubblewrap. - Source: Hacker News / about 2 years ago
My reading of https://github.com/containers/bubblewrap#related-project-comparison-firejail is that it is literally what flatpak uses: > Firejail is similar to Flatpak before bubblewrap was split out. - Source: Hacker News / about 2 years ago
"How does it compare to firejail?" you were going to ask: https://github.com/containers/bubblewrap#related-project-comparison-firejail. You're welcome. - Source: Hacker News / about 2 years ago