{"id":16320374,"url":"https://github.com/fgaz/nix-bubblewrap","last_synced_at":"2025-03-22T21:32:11.439Z","repository":{"id":83563266,"uuid":"462058562","full_name":"fgaz/nix-bubblewrap","owner":"fgaz","description":"Nix - bubblewrap integration (mirror)","archived":false,"fork":false,"pushed_at":"2025-03-16T23:58:16.000Z","size":22,"stargazers_count":18,"open_issues_count":0,"forks_count":2,"subscribers_count":4,"default_branch":"master","last_synced_at":"2025-03-17T00:27:49.933Z","etag":null,"topics":["bubblewrap","nix","nixos","sandboxing"],"latest_commit_sha":null,"homepage":"https://sr.ht/~fgaz/nix-bubblewrap","language":"Tcl","has_issues":false,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"eupl-1.2","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/fgaz.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2022-02-21T22:56:27.000Z","updated_at":"2025-03-16T23:58:20.000Z","dependencies_parsed_at":"2024-10-28T15:07:31.324Z","dependency_job_id":"ff8fcb40-ae1f-4d7f-ac07-749fef457b32","html_url":"https://github.com/fgaz/nix-bubblewrap","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/fgaz%2Fnix-bubblewrap","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/fgaz%2Fnix-bubblewrap/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/fgaz%2Fnix-bubblewrap/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/fgaz%2Fnix-bubblewrap/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/fg
az","download_url":"https://codeload.github.com/fgaz/nix-bubblewrap/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":245022932,"owners_count":20548622,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["bubblewrap","nix","nixos","sandboxing"],"created_at":"2024-10-10T22:44:09.996Z","updated_at":"2025-03-22T21:32:11.421Z","avatar_url":"https://github.com/fgaz.png","language":"Tcl","funding_links":[],"categories":[],"sub_categories":[],"readme":"# nix-bubblewrap\n\n**[Nix](https://nixos.org) - [bubblewrap](https://github.com/containers/bubblewrap) integration**\n\n## Why\n\nIn a typical Linux system, bubblewrap is run like this:\n\n    bwrap --ro-bind /usr /usr --proc /proc --dev /dev --unshare-pid bash\n\nWith Nix, one would have to replace `/usr` with `/nix/store`...\nbut\n[all kinds](https://search.nixos.org/options?channel=unstable\u0026sort=relevance\u0026type=packages\u0026query=password)\n[of stuff](https://search.nixos.org/options?channel=unstable\u0026sort=relevance\u0026type=packages\u0026query=secret)\nyou may not want an attacker to see can end up in the store.\nBinding individual store paths can also be a pain since the whole closure is\nneeded.\nThis script automates that process.\nAdditional flags to add permissions in a NixOS-specific way\n(e.g. taking `/run/opengl-driver` and `/etc/ssl` into account)\nare provided.\n\n## Installation\n\nBoth a traditional default.nix and a flake are provided. Install with:\n\n    $ nix-env -f . 
-i\n\nor:\n\n    nix install\n\n## Usage\n\n    nix-bwrap [OPTIONS] COMMAND ...\n\nRun `nix-bwrap -help` to list the available options.\n\nExamples:\n\n    $ nix-shell -p hello --run \"nix-bwrap hello\"\n    Hello, world!\n    $ nix-shell -p tree --run \"nix-bwrap tree -L 3 /\"\n    /\n    `-- nix\n        `-- store\n            |-- 0ldsqvqp3y1bn6852ymksfa2kfkr3dkb-tree-1.8.0\n            |-- 563528481rvhc5kxwipjmg6rqrl95mdx-glibc-2.33-56\n            |-- qbdsd82q5fyr0v31cvfxda0n0h7jh03g-libunistring-0.9.10\n            `-- scz4zbxirykss3hh5iahgl39wk9wpaps-libidn2-2.3.2\n\n    6 directories, 0 files\n\n### Wrapping\n\nIn `lib.nix` (`lib` output in the flake) there are wrapper functions to create\nwrapped versions of existing packages.\nFor example:\n\n    with import ./lib.nix {};\n    wrapPackage {\n      package = (import \u003cnixpkgs\u003e {}).firefox;\n      options = [\n        \"-x11\"\n        \"-gpu\"\n        \"-net\"\n        \"-pulse\"\n      ];\n    }\n\n## Troubleshooting\n\n### Missing `-gpu`\n\nThe following messages may indicate the application requires the `-gpu` flag:\n\n* `Can't find icudtl.dat`\n\n### Missing `-x11`\n\nThe following messages may indicate the application requires the `-x11` flag:\n\n* `Missing X server or $DISPLAY`\n\n## Contributing\n\nYou can send patches to my\n[public-inbox mailing list](https://lists.sr.ht/~fgaz/public-inbox)\nor to any of the contacts listed at [fgaz.me/about](https://fgaz.me/about).\nOr you can send a pull request to the\n[GitHub mirror](https://github.com/fgaz/nix-bubblewrap).\n\nIssues are tracked at https://todo.sr.ht/~fgaz/nix-bubblewrap\n\n## Alternatives\n\nUsing `writeReferencesToFile` or `closureInfo` from nixpkgs, the same can be\nmade to work entirely within nix, without needing an external program such as\nthis one.\nWhy does this tool exist then?\nBecause when only using `writeReferencesToFile` at build time, wrappers of\nprograms that need access to resources such as `/etc/ssl` would need to 
have\naccess to the same expressions as the NixOS system, and that can become\ntroublesome for user environments and shells.\nWith `nix-bwrap` there are no such problems, at a small runtime cost.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Ffgaz%2Fnix-bubblewrap","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Ffgaz%2Fnix-bubblewrap","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Ffgaz%2Fnix-bubblewrap/lists"}