Well, this is coming from a security researcher who knows a lot about Linux security issues, so I think they know what they're doing, unless someone proves me wrong or something
Bubblewrap is pretty much able to do around 90% of the stuff systemd already does in terms of sandboxing without having to get its features reimplemented in the init system itself
There are use cases for sandboxing a whole bootstrap process (https://github.com/fosslinux/live-bootstrap) or just building a few packages in an isolated environment (as done by a few package build systems), so I'm pretty sure that is sufficient on its own along with seccomp
Bubblewrap has a large number of CLI options if you have specific requirements in mind; it's very polyvalent
Even ChromeOS has a tool for similar purposes (https://google.github.io/minijail/)
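
An added example, not part of the original comment and not taken from any project mentioned in it: a POSIX shell wrapper that runs a package build under bwrap with no network, a read-only /usr and one writable build directory. The function name, the DRY_RUN switch and the /build mount point are hypothetical, and the symlinks assume a merged-/usr distribution.

```sh
#!/bin/sh
# run_sandboxed BUILD_DIR CMD [ARGS...]
# Runs CMD inside a bubblewrap sandbox where BUILD_DIR (mounted at /build)
# is the only writable host path. DRY_RUN=1 prints the argv, one argument
# per line, instead of executing it (hypothetical switch for inspection).
run_sandboxed() {
    build_dir=$1
    [ -d "$build_dir" ] || { echo "no such directory: $build_dir" >&2; return 2; }
    shift
    [ "$#" -ge 1 ] || { echo "usage: run_sandboxed DIR CMD [ARGS...]" >&2; return 2; }

    # Options are applied in order. The new root starts as an empty tmpfs,
    # so /etc, /home and the rest of the host filesystem are simply absent.
    #   --unshare-all      new user, pid, net, ipc, uts and cgroup namespaces
    #   --die-with-parent  kill the sandbox if this script dies
    #   --new-session      setsid(), so the build cannot push input to the tty
    #   --clearenv         start from an empty environment
    # A seccomp filter can be layered on top with --seccomp FD; generating
    # the compiled BPF program is outside this sketch.
    set -- bwrap \
        --unshare-all \
        --die-with-parent \
        --new-session \
        --clearenv \
        --setenv PATH /usr/bin:/bin \
        --ro-bind /usr /usr \
        --symlink usr/bin /bin \
        --symlink usr/lib /lib \
        --symlink usr/lib64 /lib64 \
        --proc /proc \
        --dev /dev \
        --tmpfs /tmp \
        --bind "$build_dir" /build \
        --chdir /build \
        "$@"

    if [ "${DRY_RUN:-0}" = 1 ]; then
        printf '%s\n' "$@"
        return 0
    fi
    "$@"
}

# Example call (constructed path): run_sandboxed "$HOME/src/pkg" make
```

Because the build directory is bound at /build on a fresh tmpfs root, bwrap never has to create a mount point on the host filesystem.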
