*[How does it compare with AppArmor?](#how-does-it-compare-with-apparmor)
*[How does it compare with Docker, LXC, nspawn, bubblewrap ?](#how-does-it-compare-with-docker-lxc-nspawn-bubblewrap)
*[What is the overhead of the sandbox?](#what-is-the-overhead-of-the-sandbox)
*[Can I sandbox a full OS?](#can-i-sandbox-a-full-os)
## Applications
*[Firefox doesn’t open in a new sandbox.](#firefox-doesnt-open-in-a-new-sandbox-instead-it-opens-a-new-tab-in-an-existing-firefox-instance)
@@ -86,6 +87,11 @@ Comparison of Firejail features vs. bubblewrap:
The sandbox itself is a very small process. The setup is fast, typically several milliseconds. After the application is started, the sandbox process goes to sleep and doesn’t consume any resources. All the security features are implemented inside the kernel, and run at kernel speed.
## Can I sandbox a full OS?
The idea so far was to target specific applications, such as Firefox and Chromium, or closed source apps like Steam and Skype. We are moving in the direction of sandboxing a full OS, but it will take some time to get there.
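Review bot: The new "Can I sandbox a full OS?" answer never gives a direct yes or no for the current release; a reader has to infer it from "it will take some time to get there". Open the answer with the current status stated plainly, then keep the two existing sentences as background. The phrases "so far" and "it will take some time" will also go stale as the FAQ ages, so consider tying the statement to a release or a tracking issue that readers can check.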