bubblewrap
by
containers

Description: Low-level unprivileged sandboxing tool used by Flatpak and similar projects

View on GitHub ↗

Summary Information

Updated 30 minutes ago
Added to GitGenius on November 21st, 2022
Created on February 16th, 2016
Open Issues & Pull Requests: 186 (+0)
Number of forks: 362
Total Stargazers: 7,905 (+4)
Total Subscribers: 55 (+0)

Issue Activity (beta)

Open issues: 57
New in 7 days: 0
Closed in 7 days: 0
Avg open age: 985 days
Stale 30+ days: 55
Stale 90+ days: 44

Recent activity

Opened in 7 days: 0
Closed in 7 days: 0
Comments in 7 days: 0
Events in 7 days: 0

Top labels

  • enhancement (5)
  • help wanted (4)
  • needs info (3)
  • bug (2)
  • invalid (1)

Most active issues this week

No issue events were indexed in the last 7 days.

Repository Insights (GitGenius)

Median issue/PR response: 6.9 hours
Mean response time: 364.5 days
90th percentile: 1414.2 days
Tracked items: 120

Most active contributors

Detailed Description

Bubblewrap is a low-level unprivileged sandboxing tool written in C that enables container features for regular users without requiring root privileges. It serves as a foundational component for larger container projects like Flatpak and is designed specifically to address the security limitations of traditional container tools such as systemd-nspawn and Docker, which are unsuitable for unprivileged users because they can trivially be exploited to gain full root access on the host system.

The tool leverages Linux kernel user namespaces to construct sandboxes safely. User namespaces allow unprivileged users to access container features that were previously restricted to administrators. Bubblewrap's codebase has historical roots in the xdg-app helper and linux-user-chroot projects, representing an evolution of unprivileged sandboxing approaches. The project no longer supports setuid mode, having fully committed to user namespace-based operation.

Bubblewrap operates by creating a new, completely empty mount namespace with a tmpfs root that is invisible from the host and automatically cleaned up when processes exit. Users can then construct the root filesystem and process environment through command-line options. The tool always creates a new mount namespace and allows users to specify exactly which filesystem parts should be visible in the sandbox. By default, mounted directories are marked nodev and can be made read-only.

The sandboxing capabilities include support for multiple Linux kernel features. User namespaces hide all but the current uid and gid from the sandbox while allowing uid/gid remapping. IPC namespaces provide isolated System V shared memory and semaphores. PID namespaces prevent the sandbox from seeing external processes and include a trivial pid1 implementation to handle child reaping, addressing the Docker pid 1 zombie problem. Network namespaces isolate the sandbox network with only a loopback device. UTS namespaces provide isolated hostnames. Seccomp filters restrict which system calls are available in the sandbox.

Security is enforced through PR_SET_NO_NEW_PRIVS to disable setuid binaries, closing the traditional chroot escape vector. The maintainers believe bubblewrap does not enable privilege escalation even when combined with typical distribution software, though it may increase denial of service capabilities for logged-in users.

Importantly, bubblewrap is a tool for constructing sandboxes rather than a complete ready-made sandbox with a specific security policy. The level of protection between sandboxed processes and the host is entirely determined by command-line arguments. Frameworks like Flatpak, libgnome-desktop, and sandwine are responsible for defining their own security models and choosing appropriate bubblewrap arguments.

The project shows active maintenance with a median issue and pull request response latency of 6.9 hours across 120 tracked items. Top contributors include smcv with 186 events and rusty-snake with 66 events. Enhancement requests and help-wanted issues are the most active labels. The repository overlaps with major projects including microsoft/vscode, rust-lang/rust, and microsoft/typescript through shared contributors, indicating its integration into broader ecosystems.

Bubblewrap is available in most Linux distribution package repositories and can be built from source using meson. The tool is used by Flatpak, rpm-ostree unprivileged mode, and bwrap-oci, with potential applications in Kubernetes and OpenShift clusters for enabling unprivileged user container features in interactive debugging scenarios.

bubblewrap
by
containerscontainers/bubblewrap

Repository Details

Fetching additional details & charts...