Limit access to files specified as input

[fho]

To ensure that all inputs of a command are specified, prevent that a command can access other files in the repository.

15.12.2022 I'm working on realizing it the following way:

• use linux namespaces (user, mount) to be able to mount directories as non-root user,
• mount the repository directory as overlayFS to a temporary directory,
• remove all files the overlayFS that are not tracked files of a task (with some exceptions: .baur.toml, .git/)
• bind-mount the overlayFS over the original repository-directory path

The executed process will run in the original directory but only the input-files of the task are accessible.

[fho]

alternative: https://github.com/shoenig/go-landlock