@sssemil
Created December 9, 2025 22:32
Run whatever in a sandbox via firejail with a bit more convenience
#!/usr/bin/env bash
set -e

usage() {
    echo "usage: $0 <command> -a <writable_path> [-a <writable_path>...]" >&2
    exit 1
}

if [ "$#" -lt 3 ]; then
    usage
fi

# Split first arg into command and its flags.
# This is a plain whitespace split: quoting inside the string is not honoured.
read -ra CMD_PARTS <<< "$1"
CMD="${CMD_PARTS[0]}"
CMD_ARGS=("${CMD_PARTS[@]:1}")
shift

# Collect -a arguments
WRITABLE_PATHS=()
while [ "$#" -gt 0 ]; do
    case "$1" in
        -a)
            shift
            [ -z "$1" ] && usage
            # Canonicalise to an absolute path; fall back to the raw value
            WRITABLE_PATHS+=("$(readlink -f "$1" 2>/dev/null || echo "$1")")
            shift
            ;;
        *)
            # Anything after the -a options is passed through to the command
            break
            ;;
    esac
done

if [ "${#WRITABLE_PATHS[@]}" -eq 0 ]; then
    echo "error: at least one -a <writable_path> required" >&2
    exit 1
fi

# Resolve command to full path
export PATH="$HOME/.local/bin:$HOME/.node/bin:$PATH"
# "|| true" keeps set -e from exiting silently before the error message below
CMD_PATH="$(which "$CMD" 2>/dev/null || readlink -f "$CMD" 2>/dev/null || true)"
if [ ! -x "$CMD_PATH" ]; then
    echo "error: cannot find executable: $CMD" >&2
    exit 1
fi

# Build firejail args.
# --noprofile: no security profile is loaded, so nothing is blacklisted and
# files remain readable; the options below only restrict writes.
FIREJAIL_ARGS=(
    --noprofile
    --read-only=/
    --read-only=/home
)
# Re-open each requested path for writing
for P in "${WRITABLE_PATHS[@]}"; do
    FIREJAIL_ARGS+=(--noblacklist="$P" --read-write="$P")
done

exec firejail "${FIREJAIL_ARGS[@]}" "$CMD_PATH" "${CMD_ARGS[@]}" "$@"