From 1800320e47e4393c259801097c0668902dfe07df Mon Sep 17 00:00:00 2001
From: Alan Orth
Date: Wed, 17 Sep 2025 08:22:51 +0300
Subject: [PATCH] Add ~/.local/bin/bwrap_tool.sh

Bubblewrap script to run npm and yarn more safely.
---
 dot_local/bin/executable_bwrap_tool.sh | 32 ++++++++++++++++++++++++++
 dot_local/bin/symlink_npm | 1 +
 dot_local/bin/symlink_yarn | 1 +
 3 files changed, 34 insertions(+)
 create mode 100644 dot_local/bin/executable_bwrap_tool.sh
 create mode 100644 dot_local/bin/symlink_npm
 create mode 100644 dot_local/bin/symlink_yarn

diff --git a/dot_local/bin/executable_bwrap_tool.sh b/dot_local/bin/executable_bwrap_tool.sh
new file mode 100644
index 0000000..70e3c93
--- /dev/null
+++ b/dot_local/bin/executable_bwrap_tool.sh
@@ -0,0 +1,32 @@
+#!/usr/bin/env bash
+#
+# See: https://news.ycombinator.com/item?id=45034496
+
+bin=$(basename "$0")
+
+echo "==========================="
+echo "Wrapping $bin in bubblewrap"
+echo "==========================="
+
+exec bwrap \
+ --bind ~/.cache ~/.cache \
+ --bind "${PWD}" "${PWD}" \
+ --dev /dev \
+ --die-with-parent \
+ --disable-userns \
+ --new-session \
+ --proc /proc \
+ --ro-bind /etc/ca-certificates /etc/ca-certificates \
+ --ro-bind /etc/resolv.conf /etc/resolv.conf \
+ --ro-bind /etc/ssl /etc/ssl \
+ --ro-bind /usr /usr \
+ --setenv PATH /usr/bin \
+ --symlink /usr/bin /bin \
+ --symlink /usr/bin /sbin \
+ --symlink /usr/lib /lib \
+ --symlink /usr/lib64 /lib64 \
+ --tmpfs /tmp \
+ --unshare-all \
+ --unshare-user \
+ --share-net \
+ /usr/bin/env "$bin" "$@"
diff --git a/dot_local/bin/symlink_npm b/dot_local/bin/symlink_npm
new file mode 100644
index 0000000..8cf49d4
--- /dev/null
+++ b/dot_local/bin/symlink_npm
@@ -0,0 +1 @@
+/home/aorth/.local/bin/bwrap_tool.sh
diff --git a/dot_local/bin/symlink_yarn b/dot_local/bin/symlink_yarn
new file mode 100644
index 0000000..8cf49d4
--- /dev/null
+++ b/dot_local/bin/symlink_yarn
@@ -0,0 +1 @@
+/home/aorth/.local/bin/bwrap_tool.sh
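Review bot: The sandbox inherits the caller's entire environment, because the bwrap invocation only overrides one variable with `--setenv PATH /usr/bin` and never clears the rest, so any credential-bearing variables exported in the invoking shell remain readable by the package install scripts the wrapper is meant to contain; add `--clearenv \` ahead of the `--setenv` line and re-export only what the tool needs with further `--setenv` entries. The `--bind ~/.cache ~/.cache` line mounts the whole cache directory read-write when presumably only the tool's own cache subdirectory is needed, so narrowing the bind limits what a misbehaving package can tamper with. The three banner `echo` lines write to stdout, which ends up in captured output whenever the wrapped npm or yarn command is used in a pipeline or with a machine-readable output flag; redirect them with `>&2`. Note also that `--unshare-user` is already implied by `--unshare-all`, so the extra flag can be dropped for clarity.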