implement basic filesystem sandbox #1783
Conversation
LorenzBischof
force-pushed
the
push-uvwrmtustnww
branch
3 times, most recently
from
67f281d to
3e66c51
Compare
|
If this works on macOS, I'll be damned :) |
|
No, this currently only works on Linux and on supported kernels. The sandboxing is "best-effort" and disabled if not supported. Landlock support is pretty good and getting better. Mac has My goal was to start simple and add upon the implementation once we see it work. For example syscall filtering with Seccomp would be really nice. We could also add other implementations like Bubblewrap (user namespaces), but I prefer these lightweight implementations. I haven't fully thought this through, but I think the filesystem sandboxing could also be used to make the environment more pure, by only allowing access to the shell Nix closure, which would ensure no other packages are accidentally used within the scripts. |
LorenzBischof
force-pushed
the
push-uvwrmtustnww
branch
2 times, most recently
from
b0c7c6b to
1211fbf
Compare
LorenzBischof
force-pushed
the
push-uvwrmtustnww
branch
from
1211fbf to
6927ad3
Compare
|
Maybe a more feasible apprach would be to run sandboxing at That would be tricky for loading things like editor config, etc. |
|
That could also work, but my goal was to enable transparent sandboxing. One main advantage of devenv is that development is not within a container, meaning everything else on the host system stays available. |
|
I like that really! Containers come with heavy problems in CI which turns quickly into nested containers which make things hard etc. So a less container approach is really nice |
The idea is to transparently sandbox all processes, packages, tasks and scripts to the current directory, without the user having to develop inside a container.
This is currently just an idea. I still have to figure out if it is feasible.