Run suspicious executable in isolation/sandbox on linux (via systemd-run)
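#!/bin/fish
# run-sus-command: run an untrusted executable under systemd-run with a
# read-only system, no network, a private /tmp and a throw-away $HOME.
# Usage: run-sus-command PROGRAM [ARGS...]
if test (count $argv) -lt 1
    echo run-sus-command '*proc*' >&2
    exit 1
end

# running as current (unprivileged?) user
set args --user
# running in foreground
set -a args --pty
# read-only file system
set -a args --property=ProtectSystem=strict
# read-only $HOME and /run/user/$UID ($XDG_RUNTIME_DIR)
set -a args --property=ProtectHome=read-only
# disable external network
set -a args --property=PrivateNetwork=true
# disable user's groups' privileges
set -a args --property=PrivateUsers=true
# separate writable /tmp
set -a args --property=PrivateTmp=true
# no setuid/setgid/capability gains for the process or its children
set -a args --property=NoNewPrivileges=true
# providing access to X server
# NB: X11 has no client isolation — a process holding this socket can observe
# input and other windows; drop this line when the program needs no display
set -a args --property=BindReadOnlyPaths=/tmp/.X11-unix

set exe $argv[1]
# if command is a relative path
# (a bare name without '/' is left to systemd-run's $PATH lookup, not resolved here)
if string match -q --regex -- '^[^/]+/' $exe
    # resolving canonical path
    set exe (readlink -f $PWD/$exe)
    # running isolated process in $PWD
    # will fail, if $PWD and $exe both in $HOME, but in different subtrees
    # because only $exe subtree will be mounted
    set -a args --same-dir
end
# a resolved or absolute path must point at an executable file;
# "$exe" is quoted so a failed readlink (empty $exe) is rejected here
# instead of `test -x` seeing a single non-empty argument and succeeding
if string match -q -- '/*' "$exe"
    and not test -x "$exe"
    echo "run-sus-command: $exe: not an executable file" >&2
    exit 1
end

# NB: main use-case
# if command is an executable file in $HOME
if string match -q -- "$HOME/*" "$exe"
    # BindPaths= is parsed by systemd as a whitespace-separated list of
    # source:destination pairs, so neither $exe nor $HOME may contain either
    if string match -q --regex -- '[[:space:]:]' $exe $HOME
        echo "run-sus-command: ':' or whitespace in path, cannot build BindPaths=" >&2
        exit 2
    end
    # making empty writable dir for mounting as $HOME
    mkdir -p $exe-home-tree
    set -a args "--property=BindPaths=$exe-home-tree:$HOME"
    # mounting read-only dir containing $exe (potentially with libraries and resources)
    # inside writable $HOME
    set dir (dirname $exe)
    set -a args "--property=BindReadOnlyPaths=$dir"
end

# '--' keeps a program name starting with '-' from being read as a systemd-run option
systemd-run $args -- $argv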