logoalt Hacker News

phaselezatoday at 6:14 AM0 repliesview on HN

Thanks for the suggestions. I've used debootstrap to build a Debian rootfs for bwrap before, but my threat model is simpler: nothing sensitive lives outside $HOME on my machine. So I just ro-bind the system dirs I need and give the sandbox a tmpfs home (one-shot apps) or a persistent fake home (stateful apps, under ~/.var/app/<appname>). This is good enough for my case.

The gvisor layering looks promising though. I'll take a look and see if it would be useful.