
Topic: bubblewrap

Offline mocore

  • Hero Member
  • *****
  • Posts: 730
  • ~.~
bubblewrap
« on: August 14, 2024, 05:41:10 AM »


https://github.com/containers/bubblewrap

Many container runtime tools like systemd-nspawn, docker, etc. focus on providing infrastructure for system administrators and orchestration tools (e.g. Kubernetes) to run containers.

These tools are not suitable to give to unprivileged users, because it is trivial to turn such access into a fully privileged root shell on the host.

....
Bubblewrap could be viewed as setuid implementation of a subset of user namespaces.
....
The original bubblewrap code existed before user namespaces - it inherits code from [1]xdg-app helper which in turn distantly derives from [2]linux-user-chroot.

1- https://cgit.freedesktop.org/xdg-app/xdg-app/tree/common/xdg-app-helper.c?id=4c3bf179e2e4a2a298cd1db1d045adaf3f564532

2- https://git.gnome.org/browse/linux-user-chroot


it appears to be in the repo

http://www.tinycorelinux.net/15.x/x86_64/tcz/bwrap.tcz.info ( thanks to juanito  ;) )

http://www.tinycorelinux.net/15.x/x86_64/tcz/src/bwrap/compile_bwrap


and this is seemingly the relevant forum section

Is anyone using it?! (other than as a dependency of some other package? ... the only search results appeared to be mentions of it as a dependency)


« Last Edit: August 14, 2024, 05:44:03 AM by mocore »

Offline nick65go

  • Wiki Author
  • Hero Member
  • *****
  • Posts: 946
Re: bubblewrap
« Reply #1 on: January 01, 2026, 05:39:44 PM »
Code:
❯ ls -al ./bwrap.static
.rwxr-xr-x 138k abc  9 Sep  2025  ./bwrap.static

~/Downloads
❯ ldd ./bwrap.static
        statically linked
So, it seems interesting, reading its "man bwrap", what this 138KB (from Alpine Linux) can do. Like creating an empty tmpfs and populating it from invocation parameters (or later from commands inside the virtual root) with files from the host. It uses Linux namespaces, and can be setuid or not. Searching the forum, not much info about bwrap (except a fault in Flatpak because of the missing noembeded boot parameter in TC). As an ad-hoc container, it seems "better" than chroot, AppImage, Flatpak. My interest is to run Firefox (all programs exposed to the internet) in bwrap.

PS: here is a sample of how a GUI application can run from bwrap: https://wiki.alpinelinux.org/wiki/Bubblewrap
« Last Edit: January 01, 2026, 05:50:59 PM by nick65go »

Offline nick65go

  • Wiki Author
  • Hero Member
  • *****
  • Posts: 946
Re: bubblewrap
« Reply #2 on: January 01, 2026, 06:19:20 PM »
Code:
❯ bwrap \
          --ro-bind /usr /usr \
          --symlink usr/lib64 /lib64 \
          --proc /proc \
          --dev /dev \
          --unshare-pid \
          --new-session \
          bash
bash: cannot set terminal process group (1): Inappropriate ioctl for device
bash: no job control in this shell
bash-5.3$ ps
    PID TTY          TIME CMD
      1 ?        00:00:00 bwrap
      2 ?        00:00:00 bash
      3 ?        00:00:00 ps
bash-5.3$ ls -al /
total 4
drwxr-xr-x   5  1000  1000  120  1. Jän 23:09 .
drwxr-xr-x   5  1000  1000  120  1. Jän 23:09 ..
drwxr-xr-x   4  1000  1000  340  1. Jän 23:09 dev
lrwxrwxrwx   1  1000  1000    9  1. Jän 23:09 lib64 -> usr/lib64
dr-xr-xr-x 350 65534 65534    0  1. Jän 23:09 proc
drwxr-xr-x  10 65534 65534 4096 31. Dez 11:57 usr
bash-5.3$
This is to show that there is no need to copy files one by one (except for someone paranoid).
The RAM consumed is 170KB for bwrap + 2.2MB for bash. I wonder where the size of /usr is;
it seems this tmpfs (in RAM) is not seen by the host... but is consumed.
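As an added example (not from any post in this thread and not from the bubblewrap project), here is a small POSIX sh launcher that turns the one-off command above into a reviewable profile for a network-facing program, the Firefox use case mentioned earlier in the thread. The interactive shell above unshares only the PID namespace, so the sandboxed bash still shares the host's network, user and IPC namespaces; the profile below starts from --unshare-all and reopens only the network. The program name, the merged-/usr symlinks, the /etc paths and the X11 socket location are assumptions for a typical glibc desktop and will need adjusting for Tiny Core's layout.

```shell
#!/bin/sh
# Added example for this thread, not code from the forum posts or from the
# bubblewrap project. It builds a tighter profile than the interactive shell
# above (which only unshares PID and keeps the host's network, user and IPC
# namespaces). The program name, the X11 socket location and the merged-/usr
# paths are assumptions for a typical glibc system; adjust them for Tiny Core.

# Emit the bwrap arguments for the profile, one per line, so the profile can
# be inspected or diffed before anything is launched.
#   $1 = private writable home directory for the sandboxed program
#   $2 = "net" to keep network access, anything else to cut it off
sandbox_profile() {
    home_dir=$1
    mode=$2

    # Unshare every namespace, then selectively reopen what the program needs.
    # --die-with-parent leaves nothing running if the launcher goes away.
    printf '%s\n' --unshare-all --die-with-parent --new-session
    if [ "$mode" = net ]; then
        printf '%s\n' --share-net
    fi

    # Read-only system tree; the symlinks mirror a merged-/usr layout (assumed).
    printf '%s\n' --ro-bind /usr /usr \
                  --symlink usr/lib64 /lib64 \
                  --symlink usr/lib /lib \
                  --symlink usr/bin /bin

    # Host files that are only bound if they exist (the --*-try variants).
    printf '%s\n' --ro-bind-try /etc/resolv.conf /etc/resolv.conf \
                  --ro-bind-try /etc/ssl /etc/ssl \
                  --ro-bind-try /etc/fonts /etc/fonts

    # Fresh /proc and /dev, empty tmpfs for /tmp and /var, and a writable home
    # that is the only place where the program can persist data.
    printf '%s\n' --proc /proc --dev /dev --tmpfs /tmp --tmpfs /var
    printf '%s\n' --bind "$home_dir" "$home_dir" \
                  --setenv HOME "$home_dir" \
                  --chdir "$home_dir"

    # X11 socket (bound after the /tmp tmpfs, so it survives it) and DISPLAY.
    printf '%s\n' --ro-bind-try /tmp/.X11-unix /tmp/.X11-unix \
                  --setenv DISPLAY "${DISPLAY:-:0}"
}

# Count the read-write host binds in the profile: for this profile the private
# home directory should be the only one.
sandbox_rw_binds() {
    sandbox_profile "$1" "$2" | grep -cx -- '--bind'
}

# Launch a program (with its arguments) inside the profile. The list from
# sandbox_profile is split on newlines only, so a home path containing a
# space is fine as long as it contains no newline.
sandbox_run() {
    home_dir=$1
    mode=$2
    shift 2
    command -v bwrap >/dev/null 2>&1 || { echo "bwrap not installed" >&2; return 127; }
    mkdir -p "$home_dir" || return 1
    old_ifs=$IFS
    IFS='
'
    set -f                      # no globbing while splitting the list
    # shellcheck disable=SC2046   (splitting on newline is intended here)
    set -- $(sandbox_profile "$home_dir" "$mode") -- "$@"
    set +f
    IFS=$old_ifs
    exec bwrap "$@"
}

# Constructed usage: only launches when the script is run with --run, so that
# sourcing or inspecting the file has no side effects.
if [ "${1:-}" = "--run" ]; then
    sandbox_run "${HOME:-/tmp}/sandbox-firefox" net firefox
fi
```

`sandbox_profile "$HOME/sandbox-firefox" none` prints the argument list for review without starting anything, and `sh sandbox.sh --run` launches the program. bwrap applies its mount options in the order given, which is why the tmpfs on /tmp is mounted first and the X11 socket is bound back in afterwards; dropping the --share-net line yields the same sandbox with no network at all.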

Offline Rich

  • Administrator
  • Hero Member
  • *****
  • Posts: 12447
Re: bubblewrap
« Reply #3 on: January 01, 2026, 08:24:46 PM »
Hi nick65go
... Searching the forum, not much info about bwrap (except a fault in Flatpak because of the missing noembeded boot parameter in TC). ...
It's not missing. It's spelled noembed, not noembeded.
https://forum.tinycorelinux.net/index.php/topic,27908.msg180478.html#msg180478