With the rise of things like AI agents wanting to run commands on my computer, I wanted a way to let them do that but in a safe environment. `sandbox` is a tool that utilizes built-in Linux features like namespaces and OverlayFS to create essentially a container that looks and feels pretty much identical to my host machine, but any changes made are done in a staging area that I can later accept or reject changes from. There's also a crude network on/off toggle so if I'm running something I don't trust not to send data off to a malicious actor, I can sandbox it without network access.
While my own use case primarily revolves around letting AI agents run amok in their own sandboxes, it's meant to be general purpose and I could see it being useful for some development tasks like testing file migrations or other file management tasks where you want to snapshot and discard frequently. Another use case I'll be using it for is to vet installing things from whatever trendy shell-based installer that expects you to curl pipe a shell script into sudo bash, and in general running things I don't fully trust not to inadvertently mess something up on my computer.
This is the initial public release. I've been using it internally for a couple of months now and I think I have most of the serious issues squashed, but I'm sure there are some issues and many improvements to be made; feedback and bug reports are appreciated.
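An added example, not part of the original post and not the tool's own code: a reviewer for the kind of staging area described above, assuming that area is an OverlayFS upper directory with the host tree as the lower directory. The function names and the watch list are hypothetical.

```python
import filecmp
import os
import stat
import sys

# Constructed watch list: relative path prefixes whose changes deserve a manual look.
WATCHED = ("etc/", "root/", "usr/bin/", "usr/lib/systemd/")

def classify_upper(upper, lower):
    """Map each path in an OverlayFS upperdir to its status relative to lowerdir."""
    changes = {}
    for root, dirs, files in os.walk(upper):
        for name in sorted(dirs + files):
            up = os.path.join(root, name)
            rel = os.path.relpath(up, upper)
            low = os.path.join(lower, rel)
            st = os.lstat(up)
            real_low_dir = os.path.isdir(low) and not os.path.islink(low)
            real_low_file = os.path.isfile(low) and not os.path.islink(low)
            if stat.S_ISCHR(st.st_mode) and st.st_rdev == 0:
                # OverlayFS records a deletion as a whiteout: char device 0/0.
                changes[rel] = "deleted"
            elif not os.path.lexists(low):
                changes[rel] = "added"
            elif stat.S_ISDIR(st.st_mode) and real_low_dir:
                continue  # directory on both layers; its children are reported
            elif (stat.S_ISREG(st.st_mode) and real_low_file
                  and filecmp.cmp(up, low, shallow=False)):
                # Copied up (opened for write, chmod, chown) but same bytes.
                changes[rel] = "copied-up"
            else:
                changes[rel] = "modified"
    return changes

def flag_sensitive(changes, watched=WATCHED):
    """Return the changed paths that fall under a watched prefix, sorted."""
    return sorted(p for p in changes if p.startswith(watched))

if __name__ == "__main__" and len(sys.argv) == 3:
    found = classify_upper(sys.argv[1], sys.argv[2])
    for path, status in sorted(found.items()):
        mark = "!" if path in flag_sensitive(found) else " "
        print(f"{mark} {status:10} {path}")
```

Run it with the upper directory and the lower directory as arguments before accepting a sandbox's changes; entries marked `!` sit under a watched prefix.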
d3Xt3r · 1h ago
I wonder if this could also be used on immutable distros as a way to make temporary or even semi-permanent changes, like installing a system-level app such as a VPN (I ask because the built-in layering solution on distros like Fedora Atomic isn't ideal).
Assuming there is a use case for immutables, what I don't understand is the "sync" business - if the overlay sits on top of the host and sees the host's files, why does it need to "sync" exactly? So say I have an app installed in the sandbox, and I upgraded the OS to the latest edition—what would be the behaviour in the sandbox, and what's the best solution for that? Like, do I need to even run a sync in the first place, if I rebooted the machine? What does the sync do exactly in this instance? And I'm guessing any changes made inside the sandbox would get overridden? Say the app modified /etc/resolv.conf in the sandbox, would a sync override that file? Would the best solution be to reinstall the app(s) in the sandbox, or delete and recreate the sandbox and then reinstall everything inside? Probably best do this on every boot then I suppose, via a script or something?