jail.nix - A library to easily jail your NixOS derivations in Bubblewrap (nixcon2025)


Chaos Computer Club - recent events feed · Alex David

September 5, 2025 · 5m 7s


Show Notes

Given the amount of software written in memory-unsafe languages, and the rise in supply chain attacks, I prefer to run as much software as possible within some kind of security boundary (mostly using bubblewrap and qemu). Bubblewrap is the sandboxing tool at the core of Flatpak, but it is intentionally designed to be very low level. Using bubblewrap, one can write wrappers for every package on their system, but getting the flags right can be error prone, and often leads to annoying debug cycles to get a program to run correctly.

jail.nix is a Nix library I have been working on to make wrapping Nix derivations in bubblewrap jails more ergonomic by using higher-level combinators to achieve concrete objectives (like giving a program access to the network, or allowing it to render to a Wayland compositor). The library is open source; the source can be found here: https://git.sr.ht/~alexdavid/jail.nix

This talk will give a tour of the features of jail.nix and how to integrate it with a NixOS configuration.

About this event: https://talks.nixcon.org/nixcon-2025/talk/3QH3PZ/

Topics

56407 · 2025 · nixcon2025 · Aula · nixcon2025-eng