[ANN] First release of bwrap

Hi,
I’m pleased to announce the first release of bwrap, a simple library to fork executables in a sandboxed environment — with an interface similar to Unix.open_process — thanks to bubblewrap (Linux only).
Enjoy and do not hesitate to report issues!
C.

5 Likes

Great!

Would be nice to have a cross platform sandboxed execution utility — on macOS one can use sandbox-exec for that.

1 Like

Yes, I thought about that but sandbox-exec is fairly different from bwrap an I do not have a Mac to test. So I propose that someone owning a Mac submit a PR for a separate library and then a third one can be built on top abstracting the common features of the two.

2 Likes

That’s a good idea. For anyone who wants to take this on, the relevant macos code from opam’s sandboxing support is here: opam/src/state/shellscripts/sandbox_exec.sh at master · ocaml/opam · GitHub

(opam 2.0+ uses bubblewrap on Linux and sandbox-exec on macOS to sandbox source builds to within the ~/.opam directory build area)

4 Likes