
sterlind, today at 5:26 PM

I use nix + bwrap, which gives a similar result. It works well enough, though I really ought to restrict reads to only the closure.


Replies

yjftsjthsd-h, today at 9:09 PM

> I use nix + bwrap

In an automated way, or have you implemented it as hand-written wrappers? And regardless, have you published the code (and/or talked about how it works) anywhere? It'd be really nice to have a gentler onramp to sandboxing things, and nix should be well-placed for it.