sandboxed-discocaml.sh


1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21

#!/bin/sh
set -eu

tmp=$(mktemp)
cleanup()
{
	if [ -e "$tmp" ]; then
		rm "$tmp"
	fi
}
trap cleanup EXIT

rm "$tmp"
nix build -o "$tmp" .#discocaml
bindir="$(realpath "$tmp")/bin"

exec \
timeout 10 \
env -i \
"$(which bwrap)" --unshare-all --ro-bind "$bindir" "/" \
"/discocaml" "$@"