Skip to content

Add Linux Bubblewrap sandbox#22240

Open
MikeMcQuaid wants to merge 1 commit into
mainfrom
linux-bubblewrap-sandbox
Open

Add Linux Bubblewrap sandbox#22240
MikeMcQuaid wants to merge 1 commit into
mainfrom
linux-bubblewrap-sandbox

Conversation

@MikeMcQuaid
Copy link
Copy Markdown
Member

@MikeMcQuaid MikeMcQuaid commented May 12, 2026

  • Use bwrap to translate shared sandbox rules into rootless namespace execution.
  • Gate the backend behind HOMEBREW_SANDBOX_LINUX while the Linux policy is still experimental.
  • Reuse preinstall diagnostics to tell opt-in users when bubblewrap is missing.
  • Install bubblewrap in Linux CI and Docker images so test-bot exercises the sandbox path.
  • Have you followed the guidelines in our Contributing document?
  • Have you checked to ensure there aren't other open Pull Requests for the same change?
  • Have you added an explanation of what your changes do and why you'd like us to include them? Performance claims (e.g. "this is faster") must include Hyperfine benchmarks.
  • Have you written new tests (excluding integration tests) for your changes? Here's an example.
  • Have you successfully run brew lgtm (style, typechecking and tests) with your changes locally?
  • AI was used to generate or assist with generating this PR. Please specify below how you used AI to help you, and what steps you have taken to manually verify the changes. Non-maintainers may only have one AI-assisted/generated PR open at a time.

OpenAI Codex 5.5 xhigh with manual review, (unit not Linux) testing and tweaking.

Base automatically changed from move-macos-sandbox-logic to main May 12, 2026 10:28
@MikeMcQuaid
Add Linux Bubblewrap sandbox
dfdf12d 
- Use `bwrap` to translate shared sandbox rules into rootless
  namespace execution.
- Gate the backend behind `HOMEBREW_SANDBOX_LINUX` while the Linux
  policy is still experimental.
- Auto-install `bubblewrap` from `homebrew/core` when the sandbox is
  enabled and no system or brewed binary is found.
- Prefer a system `bwrap` (from `ORIGINAL_PATHS`) over a brewed one so
  distribution-provided binaries are used when available.
- Install `bubblewrap` in Linux CI and Docker images so test-bot
  exercises the sandbox path.
@MikeMcQuaid MikeMcQuaid force-pushed the linux-bubblewrap-sandbox branch from 3737dfa to dfdf12d Compare May 12, 2026 15:04
p-linnane
p-linnane approved these changes May 12, 2026
View reviewed changes
Copy link
Copy Markdown
Member

@p-linnane p-linnane left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Love it!!!

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@p-linnane p-linnane p-linnane approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@MikeMcQuaid @p-linnane