Add ~/.local/bin/bwrap_tool.sh

Bubblewrap script to run npm and yarn more safely.

dot_local/bin/executable_bwrap_tool.sh

@@ -0,0 +1,32 @@
+#!/usr/bin/env bash
+#
+# See: https://news.ycombinator.com/item?id=45034496
+
+bin=$(basename "$0")
+
+echo "==========================="
+echo "Wrapping $bin in bubblewrap"
+echo "==========================="
+
+exec bwrap \
+  --bind ~/.cache ~/.cache \
+  --bind "${PWD}" "${PWD}" \
+  --dev /dev \
+  --die-with-parent \
+  --disable-userns \
+  --new-session \
+  --proc /proc \
+  --ro-bind /etc/ca-certificates /etc/ca-certificates \
+  --ro-bind /etc/resolv.conf /etc/resolv.conf \
+  --ro-bind /etc/ssl /etc/ssl \
+  --ro-bind /usr /usr \
+  --setenv PATH /usr/bin \
+  --symlink /usr/bin /bin \
+  --symlink /usr/bin /sbin \
+  --symlink /usr/lib /lib \
+  --symlink /usr/lib64 /lib64 \
+  --tmpfs /tmp \
+  --unshare-all \
+  --unshare-user \
+  --share-net \
+  /usr/bin/env "$bin" "$@"

dot_local/bin/symlink_npm

@@ -0,0 +1 @@
+/home/aorth/.local/bin/bwrap_tool.sh

dot_local/bin/symlink_yarn

@@ -0,0 +1 @@
+/home/aorth/.local/bin/bwrap_tool.sh