utility for unprivileged chroot and namespace manipulation

 bubblewrap uses Linux namespaces to launch unprivileged containers.
 These containers can be used to sandbox semi-trusted applications such
 as Flatpak apps, image/video thumbnailers and web browser components,
 or to run programs in a different library stack such as a Flatpak runtime
 or a different Debian release.
 .
 By default, this package relies on a kernel with user namespaces enabled.
 Official Debian and Ubuntu kernels are suitable.
 .
 On kernels without user namespaces, system administrators can make the
 bwrap executable setuid root, allowing it to create unprivileged
 containers even though ordinary user processes cannot.