I’m pleased to announce the first release of bwrap, a simple library to fork executables in a sandboxed environment — with an interface similar to Unix.open_process — thanks to bubblewrap (Linux only).
Enjoy and do not hesitate to report issues!
Would be nice to have a cross platform sandboxed execution utility — on macOS one can use sandbox-exec for that.
Yes, I thought about that but sandbox-exec is fairly different from bwrap and I do not have a Mac to test. So I propose that someone owning a Mac submit a PR for a separate library and then a third one can be built on top abstracting the common features of the two.
That’s a good idea. For anyone who wants to take this on, the relevant macOS code from opam’s sandboxing support is here: https://github.com/ocaml/opam/blob/master/src/state/shellscripts/sandbox_exec.sh
(opam 2.0+ uses bubblewrap on Linux and sandbox-exec on macOS to sandbox source builds to within the ~/.opam directory build area)