[ANN] First release of bwrap



I’m pleased to announce the first release of bwrap, a simple library to fork executables in a sandboxed environment — with an interface similar to Unix.open_process — thanks to bubblewrap (Linux only).
Enjoy and do not hesitate to report issues!



Would be nice to have a cross platform sandboxed execution utility — on macOS one can use sandbox-exec for that.


Yes, I thought about that, but sandbox-exec is fairly different from bwrap and I do not have a Mac to test. So I propose that someone owning a Mac submit a PR for a separate library and then a third one can be built on top abstracting the common features of the two.


That’s a good idea. For anyone who wants to take this on, the relevant macOS code from opam’s sandboxing support is here: https://github.com/ocaml/opam/blob/master/src/state/shellscripts/sandbox_exec.sh

(opam 2.0+ uses bubblewrap on Linux and sandbox-exec on macOS to sandbox source builds to within the ~/.opam directory build area)