feat: add homebrew-sandbox subpackage

.github/workflows/lint.yml

@@ -21,20 +21,14 @@ jobs:
     name: REUSE spec compliance
     runs-on: ubuntu-slim
     steps:
-      - name: Install dependencies
-        shell: bash
-        run: |
-          sudo apt update
-          sudo apt install reuse
-
       - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
         with:
           persist-credentials: false
 
       - name: Check REUSE compliance
         shell: bash
         run: |
-          reuse lint
+          pipx run reuse lint
 
   rpmlint:
     name: Lint RPM spec

.gitignore

@@ -0,0 +1,5 @@
+# SPDX-FileCopyrightText: NONE
+#
+# SPDX-License-Identifier: CC0-1.0
+
+/target

Cargo.toml

@@ -0,0 +1,7 @@
+# SPDX-FileCopyrightText: Copyright 2026 Daniel Hast
+#
+# SPDX-License-Identifier: Apache-2.0 OR MIT
+
+[workspace]
+resolver = "3"
+members = ["brew-sandbox"]

README.md

@@ -3,6 +3,7 @@
 <!-- SPDX-License-Identifier: Apache-2.0 -->
 
 # Homebrew
+
 [![homebrew](https://img.shields.io/badge/dynamic/json?color=blue&label=homebrew&query=builds.latest.source_package.version&url=https%3A%2F%2Fcopr.fedorainfracloud.org%2Fapi_3%2Fpackage%3Fownername%3Dsecureblue%26projectname%3Dpackages%26packagename%3Dhomebrew%26with_latest_build%3DTrue)](https://copr.fedorainfracloud.org/coprs/secureblue/packages/package/homebrew/)
 
 This repository packages [Homebrew](https://brew.sh/) for Linux as an RPM
@@ -20,10 +21,32 @@ then copies this installation to `/home/linuxbrew` and transfers ownership of it
 to UID 1000. The package also sets up systemd services to automatically update
 Homebrew, as well as shell completions for the bash and fish shells.
 
+## Sandbox
+
+This repository also contains a `homebrew-sandbox` package that provides
+sandboxing for the brew command using the [Landlock LSM](https://landlock.io/).
+It works by wrapping the brew command in a simple Rust program that sets up the
+Landlock sandbox and then passes its arguments on to brew.
+
+Note that only brew itself is sandboxed, not programs intalled using brew.
+
+The sandbox allows brew the follow access:
+
+- Read-write access to `/home/linuxbrew/.linuxbrew`, `/home/linuxbrew/.cache`,
+  `/var/tmp/homebrew`, and a limited subset of `/dev`;
+- Read-only access to `/usr`, `/etc`, `/home/linuxbrew`, and `/proc/cpuinfo`;
+- Network access to port 443 only.
+
+This sandbox can be disabled by setting `_HOMEBREW_SANDBOX=0`, either as an
+environment variable or in `/etc/homebrew/brew-sandbox.env`.
+
+(You can also set the environment variable `_HOMEBREW_SANDBOX_DEBUG` to have the
+wrapper program print debug info showing whether the sandbox is active.)
+
 ## Credit
 
-Various files, including the systemd unit files and shell completion scripts,
-are adapted from
+Various files, including some of the systemd unit files and shell completion
+scripts, are adapted from
 [Universal Blue's Homebrew packaging](https://github.com/ublue-os/brew) and
 [BlueBuild's brew module](https://github.com/blue-build/modules/tree/main/modules/brew)
 and are redistributed under the terms of the Apache-2.0 license.

REUSE.toml

@@ -0,0 +1,6 @@
+version = 1
+
+[[annotations]]
+path = "Cargo.lock"
+SPDX-FileCopyrightText = "NONE"
+SPDX-License-Identifier = "CC0-1.0"

brew-sandbox/Cargo.toml

@@ -0,0 +1,16 @@
+# SPDX-FileCopyrightText: Copyright 2026 Daniel Hast
+#
+# SPDX-License-Identifier: Apache-2.0 OR MIT
+
+[package]
+name = "brew-sandbox"
+version = "0.1.0"
+edition = "2024"
+authors = ["Daniel Hast"]
+license = "Apache-2.0 OR MIT"
+
+[dependencies]
+anyhow = "1.0.100"
+landlock = "0.4.4"
+tracing = "0.1.43"
+tracing-subscriber = "0.3.20"