bubblewrap 0.4.1 Unprivileged sandboxing tool
Bubblewrap is aimed at running applications in a sandbox, restricting their access to parts of the operating system or user data such as the home directory. Bubblewrap always creates a new mount namespace, and the user can specify exactly what parts of the file system should be made visible in the sandbox. These directories are mounted with the
nodev option by default and can be made read-only.