Here is the zip file trick combined with `bwrap`.
This single-file script allows you to run a command within a mutable/auto-updating mount namespace.
A filesystem in a script.
Code: https://gist.github.com/dutc/759816c8ceb7ab840572f1084c2d7356
Description & explanation:
You pass a command to execute, and it executes in an empty, isolated environment, saving its state back to the script on exit.
The script uses `bwrap` to create a new mount namespace and mounts a tmpfs on ~. It unzips the script file (which is actually a zip file) into ~. (Zipfiles can have arbitrary data at the beginning.) When the command terminates, the script zips the directory and appends the new state back to itself.
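The same mechanism in Python, as an added example that is not the gist's zsh script: the file is a stub followed by a zip archive, Python's `zipfile` tolerates leading bytes, so the state is unpacked, the command runs with that directory as HOME, and the directory is re-zipped and appended behind the unchanged stub. Assumptions: the sandbox HOME is a host temporary directory bound into the namespace rather than a tmpfs, and `bwrap` is only invoked when `use_bwrap` is set (bubblewrap's `--unshare-all`, `--ro-bind`, `--bind`, `--dev`, `--proc`, `--chdir` flags, not exercised by `demo()`).

```python
import io
import os
import subprocess
import tempfile
import zipfile
from pathlib import Path

def load_state(path, dest):
    """Unpack the archive appended to `path` into `dest` and return the length
    of the leading stub, so the stub can be preserved when the archive is
    rewritten. A file with no archive yet is treated as all stub."""
    data = Path(path).read_bytes()
    if not zipfile.is_zipfile(path):
        return len(data)
    with zipfile.ZipFile(path) as zf:
        infos = zf.infolist()
        zf.extractall(dest)
    # zipfile has already shifted every header_offset by the size of the
    # leading data, so the smallest offset is exactly the stub length;
    # an empty archive is only a 22-byte end-of-central-directory record.
    return min(i.header_offset for i in infos) if infos else len(data) - 22

def save_state(path, stub_len, src):
    """Rewrite `path` as <unchanged stub> + <fresh archive of src>."""
    stub = Path(path).read_bytes()[:stub_len]
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for f in sorted(Path(src).rglob("*")):
            zf.write(f, str(f.relative_to(src)))
    Path(path).write_bytes(stub + buf.getvalue())

def run_with_state(path, argv, use_bwrap=False):
    """Unpack state, run argv with the state dir as HOME and cwd, pack it back."""
    with tempfile.TemporaryDirectory() as home:
        stub_len = load_state(path, home)
        cmd = list(argv)
        if use_bwrap:  # assumption: bubblewrap CLI flags; read-only root, writable HOME
            cmd = ["bwrap", "--unshare-all", "--die-with-parent",
                   "--ro-bind", "/", "/", "--dev", "/dev", "--proc", "/proc",
                   "--bind", home, home, "--chdir", home, "--"] + cmd
        rc = subprocess.run(cmd, cwd=home, env={**os.environ, "HOME": home}).returncode
        save_state(path, stub_len, home)  # state survives only inside the file
    return rc

def demo():
    """Constructed round trip: a fresh stub, then two runs that each append a line."""
    with tempfile.TemporaryDirectory() as d:
        script = Path(d) / "vault.sh"
        script.write_bytes(b"#!/bin/sh\n# stub: the real script would exec itself here\n")
        for _ in range(2):
            run_with_state(script, ["sh", "-c", "echo hi >> notes.txt"])
        with zipfile.ZipFile(script) as zf:
            return script.read_bytes()[:10], zf.read("notes.txt")
```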
Here's a version that uses age to encrypt the .zip file.
(Keeping it as a .zip is not particularly useful in this case, unless you were to encrypt individual files rather than the entire directory…)
First run: `bwrap-vault - > key.txt`
Subsequent runs: `bwrap-vault key.txt COMMAND …`
Code: https://gist.github.com/dutc/759816c8ceb7ab840572f1084c2d7356#file-bwrap-vault-zsh
Okay, here's a version with git where the zip portion contains only public files.
① zsh script that's also a .zip archive
② contains an age-encrypted private directory tree which contains a .git directory
③ contains a public directory tree which is visible in the external .zip archive
④ single-file, auto-updated, isolated environment
Code: https://gist.github.com/dutc/759816c8ceb7ab840572f1084c2d7356#file-git-vault-zsh