implement basic filesystem sandbox
The idea is to transparently sandbox all processes, packages, tasks and scripts to the current directory, without the user having to develop inside a container.
This is currently just an idea. I still have to figure out if it is feasible.
If this works on macOS, I'll be damned :)
No, this currently only works on Linux and on supported kernels. The sandboxing is "best-effort" and disabled if not supported. Landlock support is pretty good and getting better. macOS has sandbox_init, which was deprecated a long time ago but is still used by Chrome.
My goal was to start simple and build upon the implementation once we see it work. For example, syscall filtering with seccomp would be really nice. We could also add other implementations like Bubblewrap (user namespaces), but I prefer these lightweight implementations.
I haven't fully thought this through, but I think the filesystem sandboxing could also be used to make the environment more pure, by only allowing access to the shell Nix closure, which would ensure no other packages are accidentally used within the scripts.
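To make the "best-effort Landlock, disabled if unsupported" behaviour and the "only the Nix closure is reachable" idea concrete, here is an added example. It is not code from this PR or from devenv: it probes the Landlock ABI version, derives the set of handled access rights from that version (handling a right the running kernel does not know fails with EINVAL), grants full access to one directory and read+execute on a list of extra directories, and leaves the process unrestricted when Landlock is absent. The syscall numbers are the Linux ones shared by all architectures, the constants are redefined so it builds without <linux/landlock.h>, and the /nix/store path in main() is an assumption about where the shell closure lives.

```c
/* Added example: best-effort Landlock filesystem sandbox (Linux only, not devenv's code). */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdint.h>
#include <stdio.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <unistd.h>

#ifndef __NR_landlock_create_ruleset          /* same numbers on every architecture */
#define __NR_landlock_create_ruleset 444
#define __NR_landlock_add_rule       445
#define __NR_landlock_restrict_self  446
#endif
#define LL_CREATE_RULESET_VERSION (1U << 0)
#define LL_RULE_PATH_BENEATH      1
#define LL_FS_EXECUTE   (1ULL << 0)
#define LL_FS_READ_FILE (1ULL << 2)
#define LL_FS_READ_DIR  (1ULL << 3)
#define LL_FS_REFER     (1ULL << 13)          /* ABI 2 */
#define LL_FS_TRUNCATE  (1ULL << 14)          /* ABI 3 */
#define LL_FS_IOCTL_DEV (1ULL << 15)          /* ABI 5 */
#define LL_FS_ABI1_ALL  ((1ULL << 13) - 1)    /* EXECUTE .. MAKE_SYM */

struct ll_ruleset_attr { uint64_t handled_access_fs; };
struct ll_path_beneath_attr { uint64_t allowed_access; int32_t parent_fd; } __attribute__((packed));

/* Landlock ABI version, or 0 when unavailable (old kernel, LSM not enabled, or the
 * syscall blocked by seccomp). A zero result is the "disabled if not supported" case. */
int landlock_abi_version(void) {
    long v = syscall(__NR_landlock_create_ruleset, NULL, 0, LL_CREATE_RULESET_VERSION);
    return v < 0 ? 0 : (int)v;
}

/* All access rights the probed ABI knows; anything not handled stays allowed everywhere,
 * so newer rights must be added as they appear rather than hard-coded once. */
uint64_t fs_access_for_abi(int abi) {
    uint64_t rights = LL_FS_ABI1_ALL;
    if (abi >= 2) rights |= LL_FS_REFER;
    if (abi >= 3) rights |= LL_FS_TRUNCATE;
    if (abi >= 5) rights |= LL_FS_IOCTL_DEV;
    return rights;
}

static int add_path(int ruleset_fd, const char *path, uint64_t allowed) {
    struct ll_path_beneath_attr rule = { .allowed_access = allowed, .parent_fd = -1 };
    rule.parent_fd = open(path, O_PATH | O_CLOEXEC);   /* O_PATH: not itself a Landlock-checked access */
    if (rule.parent_fd < 0) return -1;
    int rc = (int)syscall(__NR_landlock_add_rule, ruleset_fd, LL_RULE_PATH_BENEATH, &rule, 0);
    close(rule.parent_fd);
    return rc;
}

/* 1 = sandbox applied, 0 = Landlock unsupported (process left unrestricted), -1 = error (errno set). */
int sandbox_fs(const char *rw_dir, const char *const *ro_dirs, size_t n_ro) {
    int abi = landlock_abi_version();
    if (abi == 0) return 0;
    struct ll_ruleset_attr attr = { .handled_access_fs = fs_access_for_abi(abi) };
    int fd = (int)syscall(__NR_landlock_create_ruleset, &attr, sizeof attr, 0);
    if (fd < 0) return -1;
    int rc = add_path(fd, rw_dir, attr.handled_access_fs);              /* everything inside the project */
    for (size_t i = 0; rc == 0 && i < n_ro; i++)                         /* read + execute only, e.g. the closure */
        rc = add_path(fd, ro_dirs[i], LL_FS_READ_FILE | LL_FS_READ_DIR | LL_FS_EXECUTE);
    /* restrict_self refuses to run without no_new_privs, so a sandboxed process cannot
     * regain access by executing a setuid binary. */
    if (rc == 0) rc = prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0);
    if (rc == 0) rc = (int)syscall(__NR_landlock_restrict_self, fd, 0);
    int saved = errno;
    close(fd);
    errno = saved;
    return rc == 0 ? 1 : -1;
}

/* Applies the sandbox in a forked child and reports what the child could open, so the caller
 * stays unrestricted. Bit 1: applied, bit 2: "/" listable, bit 4: cwd listable, bit 8: error. */
int probe_in_child(void) {
    pid_t pid = fork();
    if (pid < 0) return 8;
    if (pid == 0) {
        int code = 0, applied = sandbox_fs(".", NULL, 0);
        if (applied < 0) _exit(8);
        if (applied == 1) code |= 1;
        int fd = open("/", O_RDONLY | O_DIRECTORY | O_CLOEXEC);          /* needs READ_DIR on "/" */
        if (fd >= 0) { code |= 2; close(fd); }
        fd = open(".", O_RDONLY | O_DIRECTORY | O_CLOEXEC);              /* granted by the rw rule */
        if (fd >= 0) { code |= 4; close(fd); }
        _exit(code);
    }
    int status = 0;
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status)) return 8;
    return WEXITSTATUS(status);
}

int main(void) {
    int r = probe_in_child();
    printf("abi=%d applied=%d root_listable=%d cwd_listable=%d\n",
           landlock_abi_version(), r & 1, !!(r & 2), !!(r & 4));
    const char *ro[] = { "/nix/store" };   /* assumed location of the shell closure */
    r = sandbox_fs(".", ro, 1);            /* from here on this process is confined too */
    return r < 0 ? 1 : 0;
}
```

With the sandbox applied, the child can list its working directory but not "/" (EACCES); on a kernel without Landlock both opens succeed and sandbox_fs reports 0, which is exactly the silent fallback the "best-effort" wording implies and something a user may want surfaced as a warning. Note that granting only /nix/store and the project directory means any interpreter or shell that lives elsewhere (for example /bin/sh) can no longer be executed from inside the sandbox.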
Maybe a more feasible approach would be to run sandboxing at devenv shell, so that everything inside is sandboxed?
That would be tricky for loading things like editor config, etc.
That could also work, but my goal was to enable transparent sandboxing. One main advantage of devenv is that development is not within a container, meaning everything else on the host system stays available.
I really like that! Containers come with heavy problems in CI, which quickly turn into nested containers that make things hard, etc. So a less container-based approach is really nice.
@LorenzBischof do you have some findings to share on this PR?
This definitely needs more work and was just an experiment. I won't have any time to develop or think about this until next year.