aboutsummaryrefslogtreecommitdiff
path: root/scripts/dot-local/bin/safe_extract
diff options
context:
space:
mode:
Diffstat (limited to 'scripts/dot-local/bin/safe_extract')
-rwxr-xr-xscripts/dot-local/bin/safe_extract21
1 files changed, 21 insertions, 0 deletions
diff --git a/scripts/dot-local/bin/safe_extract b/scripts/dot-local/bin/safe_extract
new file mode 100755
index 0000000..0574816
--- /dev/null
+++ b/scripts/dot-local/bin/safe_extract
@@ -0,0 +1,21 @@
+#!/usr/bin/env bash
+
+set -euo pipefail
+(
+ exec bwrap \
+ --ro-bind /usr/bin /usr/bin/ \
+ --ro-bind /usr/share /usr/share \
+ --ro-bind /usr/lib /usr/lib \
+ --ro-bind /usr/lib64 /usr/lib64 \
+ --symlink /usr/lib64 /lib64 \
+ --symlink /usr/lib /lib \
+ --symlink /usr/bin /bin \
+ --symlink /usr/bin /sbin \
+ --proc /proc \
+ --dev /dev \
+ --bind "$PWD" "$PWD" \
+ --unshare-all \
+ --new-session \
+ --seccomp 10 \
+ /usr/bin/ouch decompress "$@"
+)
generated by cgit v1.2.3-71-gdd5e (git 2.46.0) at 2026-03-19 07:31:40 +0000