mgord9518 / aisap

Tool to make sandboxing AppImages easy
MIT License
37 stars 3 forks source link
go golang linux sandbox

aisap

AppImage SAndboxing Project (pronounced /eɪsæp/): a tool to help sandbox AppImages through bwrap.

EARLY DEVELOPMENT! Many parts of this are subject to change and should be expected to until it reaches a more stable form.

What is it?

aisap intends to be a simple way to implement Android/Flatpak style sandboxing with AppImages. It has a profile system, but it intends to keep it as basic as possible, making it easier to understand what a program actually requires to run without dealing with the hassle of individually cherry-picking files.

It currently has a basic re-implementaion of the go-appimage API, so modifying existing Go programs to include sandboxing should be fairly painless

Using aisap:

  1. aisap cli
  2. aisap Go implementation
  3. aisap Zig implementation (DOCS WIP) (IMPLEMENTATION NOT YET USABLE)

(there's also some very early C bindings, which will be implemented in Zig. I will begin working on the docs as soon as I feel the C API is sufficiently usable.)

The ultimate goal is to have as many AppImages in aisap's internal library as possible, while smaller, less known apps may request their own permssions per the developer. Running programs sandboxed should mostly be seamless and feel native with the system

For additional information on the permission system, see here

As it is currently, the main aisap implementation requires a squashfuse binary to function. I have attempted to create Go squashfuse bindings with essentially zero success, so it will likely remain that way for the forseeable future. Luckily, I have started working on a Zig implementation of aisap, and due to Zig's extremely easy C interop, I already have some pretty decent Zig squashfuse bindings to use. Don't expect the Zig implementation to be done super soon, but it should be completely self-contained once it is and I will probably replace the main CLI tool with it.