LinuxCommandLibrary

bwrap

Create lightweight unprivileged sandboxes

TLDR

Run a program in a read-only environment

$ bwrap --ro-bind / / [/bin/bash]

Give access to devices, process info, and tmpfs

$ bwrap --dev-bind /dev /dev --proc /proc --ro-bind / / --tmpfs /tmp [/bin/bash]

SYNOPSIS

bwrap [options] command [arguments]

DESCRIPTION

bwrap (bubblewrap) creates lightweight sandboxes using Linux namespaces. It provides unprivileged containers for running applications with restricted access to the filesystem, network, and other system resources.
The tool is commonly used by Flatpak and other sandboxing systems to isolate applications from the host system.

PARAMETERS

--ro-bind src dest
Bind mount source read-only at destination

--bind src dest
Bind mount source read-write at destination

--dev-bind src dest
Bind mount source at destination, allowing device access

--proc dest
Mount procfs at destination

--tmpfs dest
Mount tmpfs at destination

--unshare-pid
Create new PID namespace

--unshare-net
Create new network namespace

--unshare-user
Create new user namespace

CAVEATS

Requires user namespaces to be enabled in the kernel. Not a complete security boundary; some attack vectors may still exist. Complex sandboxing requires careful bind mount configuration.
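
The TLDR form `--ro-bind / /` makes every host file the calling user can read visible inside the sandbox and leaves the host network shared. The wrapper below is an added example, not taken from the bwrap documentation: it binds only system directories read-only plus one writable work directory, and unshares the user, PID and network namespaces. `sandbox_run`, `BWRAP_DRY_RUN` and the directory list are assumptions of this example, and `--dev` (a minimal private /dev) is a bwrap option not listed above.

```shell
#!/bin/sh
# Added example (not from the bwrap documentation).
# sandbox_run WORKDIR CMD [ARGS...]
#   System directories are read-only, WORKDIR is the only writable host
#   path, and the sandbox has no network. sandbox_run and BWRAP_DRY_RUN
#   are names made up for this example.
#   BWRAP_DRY_RUN=1 prints the bwrap arguments, one per line, without running.
sandbox_run() {
    [ "$#" -ge 2 ] || { echo "usage: sandbox_run WORKDIR CMD [ARGS...]" >&2; return 2; }
    [ -d "$1" ] || { echo "sandbox_run: not a directory: $1" >&2; return 2; }
    sb_workdir=$(cd "$1" && pwd -P) || return 2   # absolute, symlink-free path
    shift

    # "$@" now holds the command. Each `set --` prepends options, so the
    # options added last here are the ones bwrap applies first.
    set -- --bind "$sb_workdir" "$sb_workdir" "$@"
    # Fresh /proc, minimal /dev, private /tmp. These come before the work
    # directory bind so a WORKDIR under /tmp is mounted on top of the tmpfs.
    set -- --proc /proc --dev /dev --tmpfs /tmp "$@"
    for sb_dir in /etc /lib64 /lib /sbin /bin /usr; do
        # Skip directories this distribution does not have.
        if [ -e "$sb_dir" ]; then
            set -- --ro-bind "$sb_dir" "$sb_dir" "$@"
        fi
    done
    set -- --unshare-user --unshare-pid --unshare-net "$@"

    if [ "${BWRAP_DRY_RUN:-0}" = 1 ]; then
        printf '%s\n' "$@"
        return 0
    fi
    bwrap "$@"
}

# Usage: sandbox_run "$PWD" make test
```

The home directory, /root, /var and other host paths are never mounted, so the sandboxed command cannot read them even though it runs as the same user.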

SEE ALSO

firejail(1), flatpak(1), unshare(1)
