Isolating with sandbox-exec on macOS

Two weeks ago I came across "sandbox-exec: macOS's Little-Known Command-Line Sandboxing Tool (via)" and found it interesting, mainly because I need to run a coding agent. On Linux that can be isolated with bubblewrap (see "Running Claude Code under bubblewrap (bwrap) on Linux"), but macOS has no bubblewrap, so I had to find another tool, and this looks like it. Someone on Hacker News brought up the deprecation issue: it has been deprecated since 2017...

Gea-Suan Lin's BLOG
Running Claude Code under bubblewrap (bwrap) on Linux

To keep Claude Code from wrecking a pile of things when it blows up in fully automatic mode (--dangerously-skip-permissions), people usually wrap it in a container environment, but on Linux you can restrict it with a lighter-weight tool like bubblewrap. After tuning it for a while it has settled down; I wrap a ~/bin/claude...

Gea-Suan Lin's BLOG

Hardening with Firejail, Landlock, and bubblewrap

Recently I've been looking into securing my laptop a bit. By default, every single program has access to everything: filesystem, network, other programs.

First, I started looking into Firejail. It allows specifying paths the program can access, as well as the network and other special things. It's not bad and I used it for a while.

What I don't like about Firejail is that it's setuid: it runs as root, sets up the sandbox, then starts the program that is passed as an argument. If there is a problem in Firejail then it can even extend the blast radius.

Then I learned about Landlock. It is unprivileged and also allows restricting the network. At some point I found a [CLI](https://github.com/Zouuup/landrun) that makes it easy to run. Landlock solves the privilege problem: it restricts the process without having more permissions to do so.

The problem with Landlock is its fs restrictions are a bit too coarse: if a directory is allowed then everything below it is also allowed. For example, giving read access to $HOME also gives read access to the chromium profile.

Now I'm looking into bubblewrap. It promises to combine Firejail and Landlock in the best way: unprivileged and also allows layering filesystem access.

I'm still working on moving my dotfiles to bubblewrap and it takes some mental energy to do that. But it seems like it's going to be a good next step.

#security #linux #bwrap #landlock #firejail

Originally published [on my blog](https://advancedweb.hu/shorts/hardening-with-firejail-landlock-and-bubblewrap/)
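The layering the post describes, as an added example that is not from the blog post or from bubblewrap itself: bwrap applies its mount options in the order they are given, so a `--tmpfs` placed after the `--ro-bind` of `$HOME` shadows the browser profile inside an otherwise readable home directory, while one project directory stays writable and the network is removed. The home, profile and project paths are assumptions for the example.

```shell
#!/bin/sh
# Added example (not the blog post's code): layer filesystem access with
# bubblewrap so $HOME is readable but one subtree under it is hidden.
# bwrap performs mount operations left to right, so the --tmpfs over the
# Chromium profile must come AFTER the --ro-bind of $HOME to shadow it.

# Print the bwrap argument list, one argument per line, for:
#  - a read-only root and a read-only view of $HOME
#  - an empty tmpfs over the Chromium profile (hidden, not merely read-only)
#  - a writable bind of exactly one project directory
#  - no network (and no other namespaces shared with the host)
# Assumed layout: profile lives at $home/.config/chromium.
build_bwrap_args() {
    home="$1"        # home directory to expose read-only
    project="$2"     # the one directory the program may write to
    printf '%s\n' \
        --ro-bind / / \
        --dev /dev \
        --proc /proc \
        --tmpfs /tmp \
        --ro-bind "$home" "$home" \
        --tmpfs "$home/.config/chromium" \
        --bind "$project" "$project" \
        --unshare-all \
        --die-with-parent \
        --new-session
}

# Succeed only if the --tmpfs for the profile appears after the --ro-bind of
# $HOME; in the reverse order the later bind would expose the profile again.
check_layer_order() {
    home="$1"
    build_bwrap_args "$home" "$2" | awk -v home="$home" '
        $0 == "--ro-bind" { getline src; getline dst; if (dst == home) bind_pos = NR }
        $0 == "--tmpfs"   { getline dst; if (dst == home "/.config/chromium") tmp_pos = NR }
        END { exit !(bind_pos && tmp_pos && tmp_pos > bind_pos) }'
}

# Run "$@" inside the sandbox. The list is split on newlines only, so paths
# with spaces survive, and bwrap is exec'd so the sandboxed program replaces
# this shell rather than running under it (bwrap is unprivileged; no setuid).
run_sandboxed() {
    home="$1"; project="$2"; shift 2
    set -f
    IFS='
'
    set -- $(build_bwrap_args "$home" "$project") -- "$@"
    unset IFS
    set +f
    exec bwrap "$@"
}

# Usage: run_sandboxed "$HOME" "$HOME/src/app" some-program --its-args
```

Before running anything under the wrapper, `build_bwrap_args "$HOME" "$HOME/src/app"` shows the exact argument list, and `check_layer_order` guards against the ordering mistake that silently reopens the profile.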

GitHub - Zouuup/landrun: Run any Linux process in a secure, unprivileged sandbox using Landlock. Think firejail, but lightweight, user-friendly, and baked into the kernel.

Run any Linux process in a secure, unprivileged sandbox using Landlock. Think firejail, but lightweight, user-friendly, and baked into the kernel. - Zouuup/landrun

GitHub

Swapping out /etc/resolv.conf for a specific program with bubblewrap (bwrap)

My desktop at home has two wired networks: one is HiNet fiber (光世代), the other is the community network (which also goes out over HiNet fiber), like the setup described in this post (except that back then I lived in Houshanpi and the other line was Taipei Cable's cable-TV network): "Setting up a multi-home architecture on Ubuntu".

In that post I described how to use the source ip addre

https://blog.gslin.org/archives/2023/11/27/11482/%e7%94%a8-bubblewrap-bwrap-%e9%87%9d%e5%b0%8d%e7%89%b9%e5%ae%9a%e7%a8%8b%e5%bc%8f%e6%8a%bd%e6%8f%9b-etc-resolv-conf/

#Computer #DNS #Murmuring #Network #Service #Software #bubblewrap #bwrap #dns #microsocks #proxy #resolvconf

Slight evening tuning. Configuring Session App Desktop AppImage to run with Bwrap (bubblewrap) containment. So much joy. Now it works. #session_app #bwrap #appimage
Akkoma

Here is the zip file trick combined with `bwrap`.

This single-file script allows you to run a command within a mutable/auto-updating mount namespace.

A filesystem in a script.

Code: https://gist.github.com/dutc/759816c8ceb7ab840572f1084c2d7356

#programming #zsh #bwrap #shell #scripting

Combining `bwrap` and the `.zip` trick for auto-concatenating single-file distributables

Combining `bwrap` and the `.zip` trick for auto-concatenating single-file distributables - git-vault.zsh

Gist

@technoprenerd Thanks for the read!

It'll be interesting to see how this ties into the ecosystem overall. The strongest component of the project seems to be the hardened/trimmed #kernel.

Perhaps #GPT could even aid in development of #bwrap / #apparmor profiling.

I did need to make the real-bwrap call an exec, otherwise the seccomp filehandle isn't inherited.

#linux #debian #bwrap #thumbnail

Faffing around with this #bwrap wrapper just to get my #Nautilus thumbnail helpers working again on #Debian. It seems to work! http://www.bernaerts-nicolas.fr/linux/74-ubuntu/360-ubuntu-nautilus-external-thumbnailer-failure