Comment by sterlind
1 day ago
I use nix + bwrap, which gives a similar result. it works well enough, though I really ought to restrict reads to only the closure.
1 day ago
I use nix + bwrap, which gives a similar result. it works well enough, though I really ought to restrict reads to only the closure.
> I use nix + bwrap
In an automated way, or have implemented as hand-written wrappers? And regardless, have you published the code (and/or talked about how it works) anywhere? It'd be really nice to have a gentler onramp to sandboxing things, and nix should be well-placed for it.
an automated way, as part of a tree-based harness. I haven't published the code yet but should hopefully be able to soon!
Could you point me at a blog or github or something I can follow to see it if you do publish?