sandboxed runtime
also: sandbox, isolated runtime, containerized runtime
A runtime environment that executes applications in an isolated, restricted container with limited access to system resources, preventing the application from affecting the host system or other applications.
A sandboxed runtime creates a secure execution boundary around an application, restricting what it can access on the host system. The application runs inside this isolated environment with only explicitly granted permissions to files, network, hardware, and other system resources.
Common examples include Flatpak, Snap, and Firejail, which isolate desktop applications from the broader system. Web browsers also use sandboxing to run JavaScript and display untrusted content safely. If a sandboxed application is compromised, the attacker's access is limited to what the sandbox permits—they cannot directly access sensitive files or compromise the rest of the system.
Sandboxed runtimes typically use technologies like Linux namespaces, cgroups, and seccomp to enforce these restrictions, giving users fine-grained control over what system resources each application can use.