updates

author: Mohammad Reza Karimi <m.r.karimi.j@gmail.com> 2026-01-29 11:40:03 -0500
committer: Mohammad Reza Karimi <m.r.karimi.j@gmail.com> 2026-01-29 11:40:03 -0500
commit: ab7303e1d893f33e09dbc8493f9a9179a7a40a4a (patch)
tree: aaa279dd2282ef48f4f684768ccb422e0dab30fe /scripts/dot-local/bin/safe_extract
parent: e2a70a92822b22633562e9695c300efec2b5cbeb (diff)
1 files changed, 21 insertions, 0 deletions
diff --git a/scripts/dot-local/bin/safe_extract b/scripts/dot-local/bin/safe_extract
new file mode 100755
index 0000000..0574816
--- /dev/null
+++ b/scripts/dot-local/bin/safe_extract
@@ -0,0 +1,21 @@
+#!/usr/bin/env bash
+
+set -euo pipefail
+(
+    exec bwrap \
+     --ro-bind /usr/bin /usr/bin/ \
+     --ro-bind /usr/share /usr/share \
+     --ro-bind /usr/lib /usr/lib \
+     --ro-bind /usr/lib64 /usr/lib64 \
+     --symlink /usr/lib64 /lib64 \
+     --symlink /usr/lib /lib \
+     --symlink /usr/bin /bin \
+     --symlink /usr/bin /sbin \
+     --proc /proc \
+     --dev /dev \
+     --bind "$PWD" "$PWD" \
+     --unshare-all \
+     --new-session \
+     --seccomp 10 \
+     /usr/bin/ouch decompress "$@"
+)
author	Mohammad Reza Karimi <m.r.karimi.j@gmail.com>	2026-01-29 11:40:03 -0500
committer	Mohammad Reza Karimi <m.r.karimi.j@gmail.com>	2026-01-29 11:40:03 -0500
commit	ab7303e1d893f33e09dbc8493f9a9179a7a40a4a (patch)
tree	aaa279dd2282ef48f4f684768ccb422e0dab30fe /scripts/dot-local/bin/safe_extract
parent	e2a70a92822b22633562e9695c300efec2b5cbeb (diff)