A powerful and flexible application isolation tool for Linux that uses bubblewrap to create secure, isolated environments for running applications. Isolator provides enhanced security features, GUI application support, and configurable isolation levels.
- Enhanced security with customizable seccomp profiles
- Full GUI application support (X11 and Wayland)
- Advanced filesystem isolation with overlay support
- Multiple security levels with fine-grained controls
- YAML-based application profiles
- Resource monitoring and limits
- Comprehensive logging and debugging
- Performance optimization with cgroup support
- Flexible configuration system
- Python 3.8 or higher
- Linux operating system
- bubblewrap package installed (sudo apt install bubblewrap on Debian/Ubuntu; the package provides the bwrap binary that Isolator invokes)
Install from PyPI:
pip install isolator
Or install from source:
git clone https://github.com/venopyx/isolator.git
cd isolator
pip install -e .
NOTE: If you're using Kali Linux, consider using pipx in place of pip.
Run any application in an isolated environment:
# Run Firefox in isolation
isolator firefox
# Run VS Code in isolation
isolator code
# Run VLC media player in isolation
isolator vlc
You can pass arguments to the isolated application:
# Open a specific URL in Firefox
isolator -- firefox https://github.com
# Open a file in VS Code
isolator -- code myproject/
# Play a specific file in VLC
isolator -- vlc myvideo.mp4
Use -- to separate Isolator's own options from the application's arguments: everything after it is passed through to the isolated application unchanged instead of being parsed as an Isolator flag.
# Run with minimal isolation
isolator --isolation-level minimal firefox
# Run with standard isolation (default)
isolator --isolation-level standard firefox
# Run with strict isolation
isolator --isolation-level strict firefox
Each isolation level provides different security features:
- minimal: Basic process and filesystem isolation
- standard: Adds display server isolation and basic security features
- strict: Maximum isolation including network restrictions and enhanced seccomp filtering
# Run with memory limit
isolator --memory 2G firefox
# Run with CPU limit
isolator --cpu 50 firefox
# Run with combined limits
isolator --memory 2G --cpu 50 --io-weight 100 firefox
Create custom YAML profiles in ~/.config/isolator/profiles/:
name: CUSTOM_BROWSER
mounts:
  - /usr/share/fonts
  - /usr/share/chrome
devices:
  - /dev/dri
capabilities:
  - CAP_SYS_ADMIN
resource_limits:
  memory_limit: "2G"
  cpu_limit: 50
Grant capabilities sparingly: CAP_SYS_ADMIN, as in the profile above, covers mount(2) and a long list of other privileged operations, so it weakens the isolation considerably if the sandboxed application is compromised. Drop it unless the application genuinely fails without it. Then use your custom profile:
isolator --profile CUSTOM_BROWSER chrome
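Before pointing Isolator at a new profile, it is worth linting it for settings that quietly weaken the sandbox. The following script is an added example, not code from the Isolator project: it checks the fields shown in the profile above (name, mounts, devices, capabilities, resource_limits) against a set of rules chosen here, not by Isolator. The profile is a constructed copy of CUSTOM_BROWSER already parsed into a dict; with PyYAML installed, yaml.safe_load on the profile file yields the same structure. The list of "broad" capabilities and sensitive host paths is this example's own assumption.

```python
"""Lint an Isolator YAML profile (added example; not part of Isolator)."""
import re
from typing import List

# Capabilities that let a process escape or neuter most of the sandbox
# (see capabilities(7)); this set is the example's own choice, not Isolator's.
BROAD_CAPS = {
    "CAP_SYS_ADMIN", "CAP_SYS_PTRACE", "CAP_SYS_MODULE", "CAP_SYS_RAWIO",
    "CAP_DAC_OVERRIDE", "CAP_DAC_READ_SEARCH", "CAP_NET_ADMIN", "CAP_SETUID",
    "CAP_SETGID", "CAP_MKNOD", "CAP_SYS_CHROOT",
}
# Host paths that should never be bind-mounted into a sandbox wholesale
# (again an assumption of this example).
SENSITIVE_PATHS = ("/etc/shadow", "/etc/sudoers", "/root", "/run/docker.sock",
                   "/var/run/docker.sock", "/proc", "/sys")

_MEM_RE = re.compile(r"^(\d+)([KMG])$")
_UNITS = {"K": 1024, "M": 1024 ** 2, "G": 1024 ** 3}


def parse_memory_limit(value) -> int:
    """Return the byte count for a limit such as "2G"; raise ValueError otherwise."""
    m = _MEM_RE.match(str(value))
    if not m:
        raise ValueError(f"bad memory_limit {value!r}; expected e.g. 512M or 2G")
    return int(m.group(1)) * _UNITS[m.group(2)]


def _is_sensitive(path: str) -> bool:
    return path == "/" or any(path == p or path.startswith(p + "/") for p in SENSITIVE_PATHS)


def validate_profile(profile: dict) -> List[str]:
    """Return a list of findings; an empty list means the profile looks sane."""
    findings = []
    name = profile.get("name")
    if not isinstance(name, str) or not re.fullmatch(r"[A-Z][A-Z0-9_]*", name):
        findings.append("name must be an upper-case identifier such as CUSTOM_BROWSER")
    for path in profile.get("mounts", []):
        if not path.startswith("/"):
            findings.append(f"mount {path!r} is not an absolute path")
        elif _is_sensitive(path):
            findings.append(f"mount {path!r} exposes sensitive host state")
    for dev in profile.get("devices", []):
        if not dev.startswith("/dev/"):
            findings.append(f"device {dev!r} is not under /dev")
    for cap in profile.get("capabilities", []):
        if not cap.startswith("CAP_"):
            findings.append(f"capability {cap!r} is not a CAP_* name")
        elif cap in BROAD_CAPS:
            findings.append(f"capability {cap} largely defeats the sandbox; "
                            "drop it unless the app cannot run without it")
    limits = profile.get("resource_limits", {})
    if "memory_limit" in limits:
        try:
            parse_memory_limit(limits["memory_limit"])
        except ValueError as exc:
            findings.append(str(exc))
    cpu = limits.get("cpu_limit")
    if cpu is not None and not (isinstance(cpu, int) and 1 <= cpu <= 100):
        findings.append(f"cpu_limit {cpu!r} must be an integer percentage from 1 to 100")
    return findings


# Constructed copy of the README's CUSTOM_BROWSER profile, as yaml.safe_load would return it.
CUSTOM_BROWSER = {
    "name": "CUSTOM_BROWSER",
    "mounts": ["/usr/share/fonts", "/usr/share/chrome"],
    "devices": ["/dev/dri"],
    "capabilities": ["CAP_SYS_ADMIN"],
    "resource_limits": {"memory_limit": "2G", "cpu_limit": 50},
}

if __name__ == "__main__":
    for finding in validate_profile(CUSTOM_BROWSER) or ["no findings"]:
        print(finding)
```

Run against the profile above, the only finding is the CAP_SYS_ADMIN grant; remove that line from the YAML and the profile passes clean.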
# Explicitly set browser profile
isolator --profile BROWSER chrome
# Use multimedia profile for media applications
isolator --profile MULTIMEDIA vlc
# Development profile for IDEs and tools
isolator --profile DEVELOPMENT code
Available profiles:
- BASIC: Default profile for general applications
- BROWSER: Optimized for web browsers
- MULTIMEDIA: Configured for media applications
- DEVELOPMENT: Tailored for development tools
- GRAPHICS: Optimized for graphics applications
# Run with persistent storage
isolator --persist ~/my-isolated-data firefox
# Run with persistent storage and strict isolation
isolator --persist ~/my-isolated-data --isolation-level strict firefox
# Run without network access
isolator --no-network firefox
# Run with network access (default)
isolator firefox
# Run without GUI support
isolator --no-gui application
# Run with GUI support (default)
isolator application
# Enable debug logging
isolator --debug firefox
Isolator respects and manages various environment variables:
# Set custom temporary directory
export ISOLATOR_TMP_DIR=/path/to/tmp
isolator firefox
# Set custom XDG runtime directory
export XDG_RUNTIME_DIR=/run/user/1000
isolator firefox
Isolator provides several security features:
- Filesystem Isolation:
  - Read-only system directories
  - Isolated home directory
  - Temporary writable storage
- Process Isolation:
  - Separate PID namespace
  - IPC isolation
  - User namespace isolation (in strict mode)
- Network Isolation:
  - Optional network access
  - Configurable network restrictions
- Display Server Isolation:
  - Secure X11/Wayland access
  - Protected cookie handling
Note that the X11 protocol itself offers no isolation between clients: any application that can talk to the X server can observe the input and windows of other clients on the same display, so prefer Wayland where the application supports it.
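A sandbox's guarantees are worth verifying from the inside rather than taken from its documentation. The script below is an added example, not part of Isolator: run it inside the sandbox (for instance isolator --isolation-level strict -- python3 probe_sandbox.py, which assumes the sandbox can see the system's python3) and it reports whether the properties listed above actually hold. Each check takes the kernel-provided data as a parameter so it can also be exercised against constructed input. The expectation that PID 1 is bubblewrap's reaper process (comm "bwrap") is an assumption that Isolator keeps bubblewrap's default PID-namespace behaviour rather than passing --as-pid-1.

```python
"""Probe the sandbox from the inside (added example; not part of Isolator)."""
import os
from typing import Dict, Iterable


def fs_is_read_only(directory: str) -> bool:
    """True if a file cannot be created in `directory` (e.g. /usr should be read-only)."""
    probe = os.path.join(directory, f".isolator-probe-{os.getpid()}")
    try:
        fd = os.open(probe, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    except OSError:
        return True
    os.close(fd)
    os.unlink(probe)
    return False


def pid_is_isolated(comm_text: str) -> bool:
    """True if /proc/1/comm names bubblewrap's reaper (assumption: default bwrap setup)
    rather than the host init, which means the PID namespace was unshared."""
    return comm_text.strip() == "bwrap"


def caps_are_dropped(status_text: str) -> bool:
    """True if the CapEff line of /proc/self/status is all zeros (no effective capabilities)."""
    for line in status_text.splitlines():
        if line.startswith("CapEff:"):
            return int(line.split(":", 1)[1].strip(), 16) == 0
    return False  # no CapEff line: cannot confirm, treat as a failure


def network_is_isolated(interfaces: Iterable[str]) -> bool:
    """True if loopback is the only interface, as expected with --no-network or strict mode."""
    return set(interfaces) <= {"lo"}


def home_is_isolated(home: str, host_marker: str) -> bool:
    """True if a file that exists in the real home (e.g. .bash_history) is absent here."""
    return not os.path.exists(os.path.join(home, host_marker))


def run_checks() -> Dict[str, bool]:
    """Run every check against the live system; outside the sandbox the results describe the host."""
    with open("/proc/1/comm") as f:
        comm = f.read()
    with open("/proc/self/status") as f:
        status = f.read()
    return {
        "read-only /usr": fs_is_read_only("/usr"),
        "own PID namespace": pid_is_isolated(comm),
        "no effective capabilities": caps_are_dropped(status),
        "network disabled": network_is_isolated(os.listdir("/sys/class/net")),
        "home is not the host home": home_is_isolated(os.path.expanduser("~"), ".bash_history"),
    }


if __name__ == "__main__":
    for name, ok in run_checks().items():
        print(f"{'PASS' if ok else 'FAIL'}  {name}")
```

Run it once under each isolation level and compare: "network disabled" should flip to PASS only under strict or --no-network, and a FAIL on "own PID namespace" or "no effective capabilities" means the profile or level is not giving you the process isolation the list above describes.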
# Run Chrome with persistent profile
isolator --persist ~/.chrome-isolated \
--profile BROWSER \
google-chrome
# Run Firefox in strict mode
isolator --isolation-level strict \
--profile BROWSER \
firefox
# Run VS Code with custom storage
isolator --persist ~/.vscode-isolated \
--profile DEVELOPMENT \
code myproject/
# Run PyCharm with debug logging
isolator --debug \
--profile DEVELOPMENT \
--persist ~/.pycharm-isolated \
pycharm
# Run VLC with multimedia profile
isolator --profile MULTIMEDIA \
--persist ~/.vlc-isolated \
vlc
# Run OBS Studio with network access
isolator --profile MULTIMEDIA \
--persist ~/.obs-isolated \
obs
Isolator supports configuration files for persistent settings:
# ~/.config/isolator/config.ini
[default]
isolation_level = standard
persist_dir = ~/.isolated-data
network_enabled = true
gui_enabled = true
debug = false
[browser]
profile = browser
persist_dir = ~/.browser-isolated
[development]
profile = development
persist_dir = ~/.dev-isolated
- Application fails to start: check with debug logging (isolator --debug application)
- Display issues: verify X11 socket access (isolator --debug --profile BROWSER firefox)
- Network problems: test network connectivity (isolator --debug application)
Enable detailed logging for troubleshooting:
isolator --debug application 2> debug.log
Contributions are welcome! Please feel free to submit a Pull Request.
- Fork the repository
- Create your feature branch (git checkout -b feature/AmazingFeature)
- Commit your changes (git commit -m 'Add some AmazingFeature')
- Push to the branch (git push origin feature/AmazingFeature)
- Open a Pull Request
Gemechis Chala - gladsonchala@gmail.com
Project Link: https://github.com/venopyx/isolator
Distributed under the MIT License. See LICENSE for more information.