https://l3net.wordpress.com/projects/firejail/

Firejail is a SUID sandbox program that reduces the risk of security breaches by restricting the running environment of untrusted applications using Linux namespaces, seccomp-bpf and Linux capabilities. It allows a process and all its descendants to have their own private view of the globally shared kernel resources, such as the network stack, process table, mount table. Firejail can work in a SELinux or AppArmor environment, and it is integrated with Linux Control Groups.

$ firejail firefox # starting Mozilla Firefox

$ firejail transmission-gtk # starting Transmission BitTorrent

$ firejail vlc # starting VideoLAN Client

$ sudo firejail "/etc/init.d/nginx start && sleep inf"
Looks a lot like containers. But Docker is a bit more than that; the first thing that jumped to my attention is that what is related to the filesystem (layered images, repositories, CoW image + running container fs, volumes) seems to be missing. It runs everything in the normal filesystem by default?

The ecosystem built around it (compose, kubernetes, weave, machine, swarm, etc.) will be missing too.

Its desktop app focus reminded me of http://subuser.org/ which is Docker based, but maybe it has fewer requirements.

But it is another voice in the container space, and could be more fitting than other alternatives for some use cases.
It looks like more of a complement to Docker than an alternative. Docker does a good job of making apps/services deployable without really having to care about the infrastructure underneath. One of Docker's current issues is a lack of security (a security breach in one container can be exploited to access other containers on the same machine since containers share resources with each other).

If I'm reading the documentation correctly, this doesn't do virtualization à la FreeBSD jails or true containers but is more like a chroot jail, which grants a locked-down view of a filesystem.
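The project description in the first post names three mechanisms: namespaces, seccomp-bpf and capabilities. As an added example (not part of the thread and not Firejail's own code), this Python sketch reads the standard `/proc/<pid>/status` fields and `/proc/<pid>/ns` links to report which of those mechanisms actually apply to a given process. The function names and the sample values are constructed for illustration.

```python
import os

SECCOMP_MODES = {"0": "disabled", "1": "strict", "2": "filter"}
# A few high-impact capabilities and their bit numbers (linux/capability.h).
RISKY_CAPS = {"CAP_NET_ADMIN": 12, "CAP_SYS_MODULE": 16,
              "CAP_SYS_PTRACE": 19, "CAP_SYS_ADMIN": 21}

def parse_status(text):
    """Turn the 'Key:<tab>value' lines of /proc/<pid>/status into a dict."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip()] = value.strip()
    return fields

def read_namespaces(pid):
    """Read live namespace links, e.g. {'net': 'net:[4026531992]'}."""
    base = f"/proc/{pid}/ns"
    return {n: os.readlink(os.path.join(base, n)) for n in os.listdir(base)}

def audit(status_text, host_ns, proc_ns):
    """Summarise how a process is confined relative to a reference process."""
    st = parse_status(status_text)
    cap_eff = int(st.get("CapEff", "0"), 16)
    return {
        "seccomp": SECCOMP_MODES.get(st.get("Seccomp"), "unknown"),
        "no_new_privs": st.get("NoNewPrivs") == "1",
        "risky_caps": sorted(c for c, bit in RISKY_CAPS.items()
                             if (cap_eff >> bit) & 1),
        # A namespace is private when its inode differs from the reference's.
        "private_ns": sorted(n for n, link in proc_ns.items()
                             if host_ns.get(n) not in (None, link)),
    }

# Constructed sample data (not captured from a real system).
SAMPLE_STATUS = ("Name:\tfirefox\nNoNewPrivs:\t1\nSeccomp:\t2\n"
                 "CapEff:\t0000000000000000\n")
SAMPLE_HOST_NS = {"mnt": "mnt:[4026531840]", "net": "net:[4026531992]",
                  "pid": "pid:[4026531836]", "user": "user:[4026531837]"}
SAMPLE_PROC_NS = {"mnt": "mnt:[4026532501]", "net": "net:[4026531992]",
                  "pid": "pid:[4026532503]", "user": "user:[4026531837]"}

if __name__ == "__main__":
    print(audit(SAMPLE_STATUS, SAMPLE_HOST_NS, SAMPLE_PROC_NS))
```

On a live system, pass the contents of `/proc/<pid>/status` together with `read_namespaces(os.getpid())` as the reference and `read_namespaces(pid)` for the process under inspection; reading another user's namespace links requires sufficient privilege.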