FUSE file system to create virtual sandboxes
sandboxfs is a FUSE file system that exposes a combination of multiple files and directories from the host’s file system in the form of a virtual tree with an arbitrary layout. You can think of a sandbox as an arbitrary view into the host’s file system with different access privileges per directory.
sandboxfs is designed to allow running commands with limited access to the file system by using the virtual tree as their new root, and to do so consistently across a variety of platforms.
sandboxfs was originally created to improve the performance of Bazel sandboxed builds on macOS, but it can be used in other scenarios. (I had the goal of putting it to use in pkg_comp, but this hasn’t happened yet.)