Sandbox¶
zoryn runs the hook scripts from .gear/up.d/ and .gear/merge-up.d/ in a sandbox. These scripts come from the repository being updated and are therefore untrusted; the sandbox keeps them away from sensitive files in the user's home directory (~/.ssh, ~/.gnupg, ~/.config).
Setup¶
Install bubblewrap for lightweight sandboxing:
For hybrid mode (bwrap + hasher chroot with the package's build dependencies):
Runner modes¶
| Runner | Description |
|---|---|
| hybrid | bwrap + hasher chroot — uses the package's build dependencies (default when both tools are installed) |
| bwrap | bubblewrap only — lightweight namespace isolation with host system paths |
| direct | No isolation — full filesystem access (not recommended) |
The runner is auto-detected: hybrid if both bwrap and hsh are available, bwrap if only bwrap is available, otherwise direct.
If the configured runner is unavailable, zoryn prompts for confirmation before running hooks without isolation. In non-interactive mode (no terminal to prompt on) it refuses to run the hooks at all, so an unattended update fails closed rather than silently running untrusted scripts unsandboxed. Use --no-sandbox to skip the prompt and run without sandboxing; treat that flag as an explicit opt-in for repositories you already trust.
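The runner selection and the fail-closed fallback described above, as an added POSIX sh example (not zoryn's own code). The `ZORYN_FAKE_TOOLS` variable is an assumption made for this example so the detection can be exercised without bwrap or hsh installed; `choose_runner` prints the runner to use, or `refuse` when hooks must not run.

```shell
#!/bin/sh
# Added example, not zoryn's code: runner auto-detection plus the
# "prompt if interactive, refuse if not" fallback.

# have_tool NAME -> 0 if NAME is on PATH.
# ZORYN_FAKE_TOOLS (assumed, for tests only) overrides PATH lookup with a
# space-separated list of tools to pretend are installed.
have_tool() {
    if [ -n "${ZORYN_FAKE_TOOLS+x}" ]; then
        case " $ZORYN_FAKE_TOOLS " in *" $1 "*) return 0 ;; esac
        return 1
    fi
    command -v "$1" >/dev/null 2>&1
}

# detect_runner -> prints hybrid | bwrap | direct
detect_runner() {
    if have_tool bwrap && have_tool hsh; then echo hybrid
    elif have_tool bwrap; then echo bwrap
    else echo direct
    fi
}

# runner_available NAME -> 0 if the tools NAME needs are present
runner_available() {
    case "$1" in
        hybrid) have_tool bwrap && have_tool hsh ;;
        bwrap)  have_tool bwrap ;;
        direct) return 0 ;;
        *)      return 1 ;;
    esac
}

# choose_runner CONFIGURED INTERACTIVE(0|1) NO_SANDBOX(0|1)
# CONFIGURED may be empty, meaning "auto-detect".
# Prints the runner to use; prints "refuse" and returns 1 when hooks must
# not run because isolation is unavailable and nobody can be asked.
choose_runner() {
    configured=$1; interactive=$2; no_sandbox=$3
    if [ "$no_sandbox" = 1 ]; then
        echo direct; return 0          # explicit --no-sandbox opt-in
    fi
    [ -z "$configured" ] && configured=$(detect_runner)
    if runner_available "$configured"; then
        echo "$configured"; return 0
    fi
    # Configured runner is missing. Only an interactive user may downgrade.
    if [ "$interactive" = 1 ]; then
        printf 'runner %s unavailable; run hooks WITHOUT isolation? [y/N] ' \
            "$configured" >&2
        read -r ans
        case "$ans" in y|Y) echo direct; return 0 ;; esac
    fi
    echo refuse; return 1
}

# Stand-alone use: ./select-runner.sh [configured] ; 1 if stdin is a tty
if [ "${0##*/}" = "select-runner.sh" ]; then
    if [ -t 0 ]; then tty=1; else tty=0; fi
    choose_runner "${1-}" "$tty" 0
fi
```

The important property is the last branch: with no terminal and no `--no-sandbox`, the function never falls through to `direct` on its own.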
Configuration¶
In ~/.zoryn:
```toml
[sandbox]
runner = "hybrid"
path = "/usr/bin:/bin"

[sandbox.chroot]
prepare = "gear-hsh --commit -- --mountpoints=/proc,/dev/pts,/dev/kvm --lazy-cleanup --build-srpm-only"

[sandbox.hasher]
workdir = "~/hasher"
```
Per-project settings (~/.config/zoryn/projects.d/<project>.toml) use the same keys and override the global file:
```toml
[sandbox]
runner = "hybrid"

[sandbox.chroot]
prepare = "gear-hsh --commit -- --mountpoints=/proc,/dev/pts,/dev/kvm --lazy-cleanup --build-srpm-only"
```
Additional packages¶
In .gear/version-up:
The git package is always installed. Packages listed in this file are installed into the chroot after it has been prepared, using hsh-install.
CLI flags¶
```shell
zoryn up --sandbox=hybrid   # use hybrid (default)
zoryn up --sandbox=bwrap    # use bubblewrap with host paths
zoryn up --no-sandbox       # disable sandbox entirely
```
How hybrid works¶
In hybrid mode, hasher first prepares a chroot populated with the package's build dependencies (parsed from the spec file); bwrap then runs the hook scripts with that chroot's paths in place of the host's. The scripts get filesystem isolation and the tools they need, and the hook itself runs without any setuid privileges.
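As an added illustration of the bwrap side of both modes (example code, not zoryn's implementation, and one plausible mount layout rather than the one zoryn uses), the function below prints a bubblewrap argument list that exposes either the host system paths or a hasher chroot read-only, masks the whole home directory with an empty tmpfs so ~/.ssh, ~/.gnupg and ~/.config are unreachable, and leaves only the checkout writable. The parameters `REPO`, `HOOK`, `ROOT` and `SANDBOX_PATH` are assumptions; `run_hook` feeds the list to `bwrap --args`.

```shell
#!/bin/sh
# Added example, not zoryn's code: a bwrap command line for one hook script.
#   bwrap_args REPO HOOK ROOT SANDBOX_PATH
#     REPO          repository checkout (the only writable path inside)
#     HOOK          hook script path, inside REPO
#     ROOT          "" for host system paths (bwrap mode) or a hasher
#                   chroot directory that becomes / (hybrid mode)
#     SANDBOX_PATH  value of the [sandbox] path setting
# Prints one argument per line so the layout can be inspected or tested.
bwrap_args() {
    repo=$1; hook=$2; root=$3; sbpath=$4
    # Fresh namespaces (including network), die with zoryn, new session so the
    # hook cannot inject keystrokes into the controlling terminal.
    printf '%s\n' --unshare-all --die-with-parent --new-session
    if [ -n "$root" ]; then
        # hybrid: the chroot with the build dependencies is the root, read-only
        printf '%s\n' --ro-bind "$root" /
    else
        # bwrap only: host system paths, read-only
        for d in /usr /bin /sbin /lib /lib64 /etc; do
            [ -e "$d" ] && printf '%s\n' --ro-bind "$d" "$d"
        done
    fi
    printf '%s\n' --proc /proc --dev /dev
    # An empty tmpfs over $HOME hides ~/.ssh, ~/.gnupg, ~/.config even though
    # the hook runs as the same uid. bwrap creates the mount point itself.
    printf '%s\n' --tmpfs "$HOME"
    # The checkout is bound writable (after the tmpfs, so it stays visible
    # when it lives under $HOME) and becomes the working directory.
    printf '%s\n' --bind "$repo" "$repo" --chdir "$repo"
    # Start from an empty environment; only PATH and HOME are passed through.
    printf '%s\n' --clearenv --setenv PATH "$sbpath" --setenv HOME "$HOME"
    printf '%s\n' -- /bin/sh "$hook"
}

# run_hook REPO HOOK ROOT SANDBOX_PATH
# Executes the hook under bwrap. bwrap --args FD reads NUL-separated
# arguments from a file descriptor, so the newline list is converted
# (paths containing newlines are not supported by this example).
run_hook() {
    tmp=$(mktemp) || return 1
    bwrap_args "$@" | tr '\n' '\0' > "$tmp"
    exec 3< "$tmp"
    rm -f "$tmp"
    bwrap --args 3
    rc=$?
    exec 3<&-
    return $rc
}

# masks_home REPO HOOK ROOT SANDBOX_PATH -> 0 if $HOME is covered by a tmpfs
masks_home() {
    bwrap_args "$@" | grep -A1 -x -- '--tmpfs' | grep -qxF -- "$HOME"
}

# Stand-alone use: ./run-hook.sh REPO HOOK [ROOT] [SANDBOX_PATH]
if [ "${0##*/}" = "run-hook.sh" ]; then
    run_hook "$1" "$2" "${3-}" "${4-/usr/bin:/bin}"
fi
```

Even with the home directory masked, anything bound read-only is still readable, so in bwrap mode /etc is visible to the hook; the hybrid chroot avoids that by exposing only what hasher installed.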