Linux Sandboxing with bwrap
2022-07-20
Bubblewrap is a simple user-space tool on Linux that can be used to sandbox programs.
It has several advantages:
- Does not require root permission
- Configuration is simple
- Code base is small, which makes it easy to audit [1]
By default, bwrap creates a new mount namespace for the container, which means the sandboxed programs cannot access your root directory.
1. Getting started
    bwrap \
      --dev-bind / / \
      bash
With the command above, sandboxed programs will be able to access your root directory.
(--dev-bind instead of --bind means device access will be allowed, so the program can use /dev for device access.)
2. Use --bind
    bwrap \
      --dev-bind / / \
      --bind /opt/bash "$HOME" \
      bash
Usually, you may not want programs to access certain directories, but the programs may require those directories in order to run.
In that case you can use the --bind argument.
With the command above, all files that bash creates under its $HOME directory will actually be saved in the /opt/bash directory, and it cannot access your real $HOME directory.
3. Use --tmpfs
    bwrap \
      --dev-bind / / \
      --tmpfs "$HOME" \
      bash
Sometimes, you may not wish the files generated by the program to be preserved; then, instead of --bind, you can use --tmpfs.
With the command above, the $HOME directory will be a tmpfs filesystem for bash. This means:
- It still cannot access your real $HOME directory
- Everything it creates in its own $HOME directory will be discarded after the process exits
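The three commands above, wrapped in one function together with a check that the sandboxed $HOME really behaves as described (the real $HOME stays untouched, files land in the bind directory or vanish with the tmpfs). This is an added example, not code from the original post; it assumes bwrap is on PATH, $HOME is set, and uses a temporary store directory where the post uses /opt/bash.

```shell
#!/bin/sh
# Added example, not part of the original post. Assumes bwrap is on PATH and
# $HOME is set; a temp directory stands in for the post's /opt/bash.

# Run a command in a sandbox with the $HOME policy from the post:
#   persist <dir>  -> --bind <dir> "$HOME"  (files end up in <dir>)
#   tmpfs          -> --tmpfs "$HOME"       (files vanish when the process exits)
run_sandboxed() {
    mode="$1"; store="$2"; shift 2
    case "$mode" in
        persist) bwrap --dev-bind / / --bind "$store" "$HOME" "$@" ;;
        tmpfs)   bwrap --dev-bind / / --tmpfs "$HOME" "$@" ;;
        *)       echo "unknown mode: $mode" >&2; return 2 ;;
    esac
}

# Create a file in the sandboxed $HOME and check where it landed.
# Returns 0 if the behaviour matches the post, 1 if the real $HOME was
# touched or the file did not go where expected, and 3 when bwrap cannot
# start a sandbox on this host (e.g. unprivileged user namespaces disabled).
check_isolation() {
    mode="$1"
    [ -n "$HOME" ] || return 3
    bwrap --dev-bind / / true 2>/dev/null || return 3
    work=$(mktemp -d) || return 3
    store="$work/store"; mkdir "$store"
    probe="bwrap-probe-$$"          # constructed file name for the test
    rc=1
    if run_sandboxed "$mode" "$store" sh -c "touch \"\$HOME/$probe\"" \
       && [ ! -e "$HOME/$probe" ]; then      # real $HOME must stay untouched
        case "$mode" in
            persist) if [ -e "$store/$probe" ]; then rc=0; fi ;;  # saved in bind dir
            tmpfs)   rc=0 ;;                                      # nothing left behind
        esac
    fi
    rm -rf "$work"
    return $rc
}

# Usage when run directly: ./sandbox-check.sh tmpfs   (or: persist)
if [ -n "${1:-}" ]; then check_isolation "$1"; echo "exit status $?"; fi
```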
Footnotes:
[1] Which means fewer security bugs, in contrast to firejail.