Show HN: BVisor – An Embedded Bash Sandbox, 2ms Boot, Written in Zig

Show HN: BVisor – An Embedded Bash Sandbox, 2ms Boot, Written in Zig github.com/butter-dot-dev...

bVisor is an SDK and runtime for safely executing bash commands directly on your host machine. We built it on the belief that "sandbox" doesn't need to mean shipping off to remote sandbox products, or spinning up local VMs / containers. Sometimes, you just want to run that bash command locally.

bVisor boots a sandbox from user-space without special permissions, powered by seccomp user notifier. This allows us to intercept syscalls from guest processes and selectively virtualize them to block privilege escalation, isolate process visibility, and keep filesystem changes isolated per sandbox (copy-on-write). Sandboxes boot in 2ms, and can run arbitrary binaries at native speed (with minor overhead per syscall). This approach is heavily inspired by Google's gVisor.

As of today, bVisor supports most filesystem operations, basic file I/O, and can run complex binaries such as python interpreters. It is packaged as a Typescript SDK and installable via npm. There's much to still implement (such as outbound network access to support 'curl', shipping a python SDK, etc), but we wanted to share it here for feedback and anyone who'd be able to make use of the current featureset!

JoshPurtell · 20 days ago

Have been testing this in dev and really like the performance so far

edunteman · 20 days ago

Hell yeah, love to hear it! Happy to answer any questions or issues you run into

cztomsik · 18 days ago

I see that you did the NAPI bridging yourself - not that there's anything wrong with that but you might be interested in this tiny lib I wrote some time ago https://github.com/cztomsik/napigen

edunteman · 18 days ago

Your repo was actually a major point of reference! Thank you for open sourcing it. Ironically when I first got into zig I built a similar generator for python bridging which your project reminded me of https://github.com/erik-dunteman/zigpy

Ultimate decision for not using a bindings generator was primarily to deeply understand NAPI.

cztomsik · 13 days ago

great to hear I could help :) yeah, no worries - I totally understand :)

vrn21 · 20 days ago

so user gets all of the dependencies and apps in userspace to run as well? but each of the command runs in its own more secure shell of some sorts?

Correct, your PATH resolves to your local tools as if it was unprotected bash, but syscalls are filtered/virtualized

vrn21 · 19 days ago

from a utilitarian perspective, can we swap this instead of a e2b or some other provider? since this doesnt require n number of micrvovm kernals and rootfs hanging round?