
Linux Sandboxing with bwrap



Bubblewrap (bwrap) is a simple user-space tool on Linux that can be used to sandbox programs.

It has several advantages:

  1. By default, bwrap creates a new mount namespace for the container, which means sandboxed programs cannot access your root directory.

1. Getting started

bwrap \
    --dev-bind / / \
    bash

With the command above, the sandboxed program (bash here) will be able to access your entire root directory.

(--dev-bind, unlike --bind, also allows device access, so the program can use the device nodes under /dev.)

2. Use --bind

bwrap \
    --dev-bind / / \
    --bind /opt/bash "$HOME" \
    bash

Usually you will not want a program to access certain directories, but the program may require those directories in order to run.

In that case you can use the --bind argument.

With the command above, all files bash creates under its $HOME directory will actually be saved to the /opt/bash directory, and it cannot access your real $HOME directory.

3. Use --tmpfs

bwrap \
    --dev-bind / / \
    --tmpfs "$HOME" \
    bash

Sometimes you do not want the files generated by the program to be preserved at all; then, instead of --bind, you can use --tmpfs.

With the command above, the $HOME directory will be a tmpfs filesystem for bash. This means:

  1. It still cannot access your real $HOME directory
  2. Everything it created in its own $HOME directory will be discarded after the process exits
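The following wrapper script is an added example, not code from the original post or from the bubblewrap project. It turns the --bind and --tmpfs recipes from sections 2 and 3 into one reusable command, and goes one step further than the post by mounting the host root read-only (--ro-bind) with a fresh /dev and /proc, and by unsharing all namespaces (--unshare-all). It assumes bwrap is installed and that either unprivileged user namespaces or a setuid bwrap are available; the function names sandbox_args and run_sandboxed and the scratch-directory argument are choices made here.

```shell
#!/bin/sh
# Added example (not the post's own code): a wrapper around bwrap that
# offers the two fake-$HOME strategies described above.
#   mode "bind"  -> fake $HOME persists in a scratch directory on the host
#   mode "tmpfs" -> fake $HOME lives in RAM and is discarded on exit

# Print the bwrap argument list for the requested mode, one argument per
# line, so the command line can be inspected without launching anything.
#   $1: mode ("bind" or "tmpfs")
#   $2: host directory used as the fake $HOME in bind mode
sandbox_args() {
    mode="$1"
    scratch="$2"
    # Read-only view of the host root: system binaries and libraries stay
    # usable, but nothing outside the fake $HOME can be modified.
    printf '%s\n' --ro-bind / /
    # Fresh /dev and /proc for the sandbox instead of the host's; this is
    # the opposite of --dev-bind / /, which hands over every device node.
    printf '%s\n' --dev /dev --proc /proc
    case "$mode" in
        bind)
            # Refuse to run rather than let bwrap fail on a missing source dir.
            [ -d "$scratch" ] || { echo "scratch dir missing: $scratch" >&2; return 1; }
            printf '%s\n' --bind "$scratch" "$HOME" ;;
        tmpfs)
            printf '%s\n' --tmpfs "$HOME" ;;
        *)
            echo "unknown mode: $mode (use bind or tmpfs)" >&2; return 1 ;;
    esac
    # New user/pid/net/ipc/uts namespaces, and kill the sandbox when the
    # parent shell dies so no stray process outlives it.
    printf '%s\n' --unshare-all --die-with-parent
}

# Run a program inside the sandbox:
#   run_sandboxed <mode> <scratch> <command> [args...]
run_sandboxed() {
    mode="$1"
    scratch="$2"
    shift 2
    args=$(sandbox_args "$mode" "$scratch") || return 1
    # Re-split the printed list on newlines only (not on spaces), so a
    # $HOME or scratch path containing spaces stays a single argument.
    old_ifs=$IFS
    IFS='
'
    set -f                      # no globbing while splitting
    set -- $args "$@"
    set +f
    IFS=$old_ifs
    exec bwrap "$@"
}

# When executed directly with arguments, e.g.
#   ./sandbox.sh tmpfs "" bash         (everything under $HOME discarded)
#   ./sandbox.sh bind /opt/bash bash   (fake $HOME kept in /opt/bash)
if [ "$#" -gt 0 ]; then
    run_sandboxed "$@"
fi
```

Because sandbox_args only prints the argument list, you can check what a given mode will do (`sandbox_args tmpfs ""`) before anything runs; run_sandboxed then hands that list to bwrap unchanged, with the program and its arguments appended at the end, which is where bwrap expects the command to execute.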



which means fewer security bugs, in contrast to firejail