bwrap - container setup utility
bwrap [OPTION...] [COMMAND]
bwrap is a privileged helper for container setup. You are unlikely to use it directly from the command line, although that is possible.
It works by creating a new, completely empty filesystem namespace whose root is a tmpfs that is invisible from the host and that is automatically cleaned up when the last process exits. You can then use command-line options to construct the root filesystem and process environment for the command that runs in the namespace.
By default, bwrap creates a new mount namespace for the sandbox. Optionally it also sets up new user, ipc, pid, network and uts namespaces (but note the user namespace is required if bwrap is not installed setuid root). The application in the sandbox can be made to run with a different UID and GID.
If needed (e.g. when using a PID namespace), bwrap runs a minimal pid 1 process in the sandbox that is responsible for reaping zombies. It also detects when the initial application process (pid 2) dies and reports its exit status back to the original spawner. The pid 1 process exits to clean up the sandbox once no other processes are left in the sandbox.
When options are used multiple times, the last option wins, unless otherwise specified.
Options related to kernel namespaces:
This is incompatible with --unshare-user, and doesn't work in the setuid version of bubblewrap.
This is useful because sometimes bubblewrap itself creates nested user namespaces (to work around some kernel issues) and --userns2 can be used to enter these.
Note that this can be combined with --unshare-pid, and in that case it means that the sandbox will be in its own pid namespace, which is a child of the passed in one.
Options about environment setup:
--setenv VAR VALUE
Options for monitoring the sandbox from the outside:
Filesystem-related options. These are all operations that modify the filesystem directly or mount something into it. They are applied in the order they are given as arguments. Any missing parent directories required to create a specified destination are created automatically as needed.
--bind SRC DEST
--bind-try SRC DEST
--dev-bind SRC DEST
--dev-bind-try SRC DEST
--ro-bind SRC DEST
--ro-bind-try SRC DEST
--file FD DEST
--bind-data FD DEST
--ro-bind-data FD DEST
--symlink SRC DEST
Note: In a general sandbox, if you don't use --new-session, it is recommended to use seccomp to disallow the TIOCSTI ioctl, otherwise the application can feed keyboard input to the terminal.
The bwrap command returns the exit status of the initial application process (pid 2 in the sandbox).
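The following is an added example, not part of the bwrap man page, that assembles a minimal sandbox from the namespace, filesystem and environment options described above and checks its properties from the inside (host /etc absent, /usr read-only, /tmp writable, application as pid 2, exit status relayed). It assumes a usr-merged host with bwrap on PATH; the function names are our own.

```shell
#!/bin/sh
# Added example, not part of the bwrap man page: assemble a minimal sandbox
# from the options described above and probe it from the inside.
# Assumptions: a usr-merged host (binaries under /usr), /etc/shadow present
# on the host, and bwrap on PATH; the function names are ours.

# Run "$@" inside the sandbox. Filesystem options apply in the order given:
# the empty tmpfs root gets a read-only /usr, then symlinks so /bin/sh
# resolves, one device node via --dev-bind, then a writable tmpfs on /tmp.
# --unshare-all includes the user namespace that non-setuid bwrap needs,
# and --new-session closes the TIOCSTI hole mentioned in the note above.
run_sandboxed() {
    bwrap \
        --unshare-all \
        --new-session \
        --die-with-parent \
        --ro-bind /usr /usr \
        --symlink usr/bin /bin \
        --symlink usr/lib /lib \
        --symlink usr/lib64 /lib64 \
        --dev-bind /dev/null /dev/null \
        --tmpfs /tmp \
        --clearenv \
        --setenv PATH /usr/bin:/bin \
        -- "$@"
}

# True only when this host can really create the namespaces: no bwrap, or
# unprivileged user namespaces disabled, makes the trial run fail.
sandbox_available() {
    command -v bwrap >/dev/null 2>&1 && run_sandboxed true 2>/dev/null
}

# From inside: the host's /etc is simply absent, /usr is read-only, /tmp is
# writable, and the application is pid 2 under bwrap's pid 1 reaper.
probe_sandbox() {
    run_sandboxed sh -c '
        r=""
        [ -e /etc/shadow ] && r="${r}shadow-visible " || r="${r}shadow-hidden "
        touch /usr/probe 2>/dev/null && r="${r}usr-writable " || r="${r}usr-readonly "
        touch /tmp/probe 2>/dev/null && r="${r}tmp-writable " || r="${r}tmp-readonly "
        printf "%spid=%s\n" "$r" "$$"
    '
}

# bwrap returns the exit status of the initial application process (pid 2).
sandbox_exit_status() {
    if run_sandboxed sh -c 'exit 7'; then echo 0; else echo $?; fi
}
```

Running `probe_sandbox` on a host where the namespaces can be created prints `shadow-hidden usr-readonly tmp-writable pid=2`, and `sandbox_exit_status` prints `7`.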