Hi,
I’m pleased to announce the first release of bwrap, a simple library to fork executables in a sandboxed environment — with an interface similar to Unix.open_process — thanks to bubblewrap (Linux only).
Enjoy and do not hesitate to report issues!
C.
5 Likes
Great!
Would be nice to have a cross platform sandboxed execution utility — on macOS one can use sandbox-exec for that.
1 Like
Yes, I thought about that but sandbox-exec is fairly different from bwrap an I do not have a Mac to test. So I propose that someone owning a Mac submit a PR for a separate library and then a third one can be built on top abstracting the common features of the two.
2 Likes
That’s a good idea. For anyone who wants to take this on, the relevant macos code from opam’s sandboxing support is here: opam/src/state/shellscripts/sandbox_exec.sh at master · ocaml/opam · GitHub
(opam 2.0+ uses bubblewrap on Linux and sandbox-exec on macOS to sandbox source builds to within the ~/.opam directory build area)
4 Likes