As a developer I often need to run code I cannot trust, especially dependencies from NodeJS and Python projects, on my dev machine. In order to protect my system from potentially malicious code, I built NixWrap, an ad hoc sandboxing tool for NixOS.
E.g. npm install can be wrapped with wrap -n npm install to gain network access and write access to the current working directory.
NixWrap wraps bubblewrap (oh dear), running it with convenient defaults and offering easy-to-use command-line flags to toggle custom options. An invocation to NixWrap is typically way shorter than the bubblewrap equivalent.
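As an added illustration (not NixWrap's own code, and not taken from the project's repository), here is a small POSIX shell function showing how a thin wrapper can map a couple of short options onto a much longer bubblewrap command line. The option letters (-n for network, -w for a writable current directory) and the default policy (read-only root, private /dev, /proc and /tmp, all namespaces unshared, no network) are assumptions chosen for the example. The function only prints the bwrap invocation it would run, one argument per line, so it can be read and exercised without bwrap being installed.

```shell
#!/bin/sh
# Added example: a minimal "wrap"-style front end that composes a bubblewrap
# command. Not NixWrap's implementation; option letters and defaults are
# assumptions for illustration.

# build_bwrap_cmd [-n] [-w] [--] COMMAND [ARGS...]
#   -n  keep the host network (default: no network)
#   -w  bind-mount the current directory read-write (default: read-only)
# Prints the resulting bwrap argument vector, one element per line.
build_bwrap_cmd() {
    net=0
    write_cwd=0
    while [ $# -gt 0 ]; do
        case "$1" in
            -n) net=1; shift ;;
            -w) write_cwd=1; shift ;;
            --) shift; break ;;
            -*) echo "unknown option: $1" >&2; return 2 ;;
            *)  break ;;
        esac
    done
    [ $# -gt 0 ] || { echo "no command given" >&2; return 2; }

    printf '%s\n' bwrap
    # Read-only view of the whole host filesystem: the program can read
    # libraries and tools but cannot modify anything outside the sandbox.
    printf '%s\n' --ro-bind / /
    # Fresh /dev, /proc and /tmp so host device nodes, process info and
    # temporary files are not shared with the sandboxed process.
    printf '%s\n' --dev /dev --proc /proc --tmpfs /tmp
    # Separate user, PID, IPC, UTS and network namespaces by default.
    printf '%s\n' --unshare-all
    # -n: retain the network namespace (only valid together with --unshare-all).
    if [ "$net" -eq 1 ]; then
        printf '%s\n' --share-net
    fi
    # -w: later binds override earlier ones, so this makes only $PWD writable.
    if [ "$write_cwd" -eq 1 ]; then
        printf '%s\n' --bind "$PWD" "$PWD"
    fi
    # Start in the current directory, die if the wrapper dies, and detach
    # from the controlling terminal session (limits TIOCSTI-style escapes).
    printf '%s\n' --chdir "$PWD" --die-with-parent --new-session --
    printf '%s\n' "$@"
}

# Usage (prints the command that would be run for a package install):
#   build_bwrap_cmd -n -w -- npm install
```

Reading the output for `-n -w -- npm install` shows why a wrapper pays off: a two-letter option set expands to a dozen bwrap arguments, and the dangerous defaults (network on, home directory writable) have to be opted into explicitly rather than remembered on every invocation.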
Oh hey, I remember working on something very similar a year ago, albeit with different intentions. Your project actually reminded me of my own, and I found it super ironic that my project is mentioned in yours. Awesome stuff, I think ease-of-use bwrap sandboxing of any form is a gold mine for NixOS configurations and I’m glad to see more people tapping into it.
Nice! I was looking for a way to wrap android studio.
I saw it was already bubblewrapped by /nix/store/qp4381aaw05fqznzafw7kymiwarql9ql-android-studio-stable-2025.1.4.8-fhs-env-2025.1.4.8/bin/android-studio-stable-2025.1.4.8-fhs-env so my first attempt was to just “fork” that file and change the auto_mounts to only include the relevant parts of my home dir, which works, but of course will fail when I upgrade.
Your package seems like a much better solution; does one just nix profile add github:rti/nixwrap#wrap?