From ab7303e1d893f33e09dbc8493f9a9179a7a40a4a Mon Sep 17 00:00:00 2001
From: Mohammad Reza Karimi <m.r.karimi.j@gmail.com>
Date: Thu, 29 Jan 2026 11:40:03 -0500
Subject: updates

---
 scripts/dot-local/bin/safe_extract | 21 +++++++++++++++++++++
 1 file changed, 21 insertions(+)
 create mode 100755 scripts/dot-local/bin/safe_extract

(limited to 'scripts/dot-local/bin/safe_extract')

diff --git a/scripts/dot-local/bin/safe_extract b/scripts/dot-local/bin/safe_extract
new file mode 100755
index 0000000..0574816
--- /dev/null
+++ b/scripts/dot-local/bin/safe_extract
@@ -0,0 +1,21 @@
+#!/usr/bin/env bash
+
+set -euo pipefail
+(
+    exec bwrap \
+     --ro-bind /usr/bin /usr/bin/ \
+     --ro-bind /usr/share /usr/share \
+     --ro-bind /usr/lib /usr/lib \
+     --ro-bind /usr/lib64 /usr/lib64 \
+     --symlink /usr/lib64 /lib64 \
+     --symlink /usr/lib /lib \
+     --symlink /usr/bin /bin \
+     --symlink /usr/bin /sbin \
+     --proc /proc \
+     --dev /dev \
+     --bind "$PWD" "$PWD" \
+     --unshare-all \
+     --new-session \
+     --seccomp 10 \
+     /usr/bin/ouch decompress "$@"
+)
-- 
cgit v1.2.3-71-gdd5e