> I use nix + bwrap
In an automated way, or have you implemented it as hand-written wrappers? And regardless, have you published the code (and/or talked about how it works) anywhere? It'd be really nice to have a gentler on-ramp to sandboxing things, and nix should be well-placed for it.
An automated way, as part of a tree-based harness. I haven't published the code yet but should hopefully be able to soon!