I installed Greywall and wanted to verify linux support:
❯ greywall check
greywall - lightweight, container-free sandbox for running untrusted commands
Version: 0.2.8
Built: 2026-03-20T02:21:12Z
Commit: bb4f688d312ef7fd391feb11a3fcb745d06ec366
Platform: linux (kernel 6.8)
Checking system capabilities:
✓ bubblewrap
✓ socat
✓ seccomp
✓ landlock (v4)
✓ D-Bus isolated (notify-send proxied via xdg-dbus-proxy)
✓ xdg-dbus-proxy
✗ secret-tool — optional, injects keyring credentials (gh, glab) into sandbox
✗ network isolation (missing: network namespace)
✓ greyproxy (v0.3.3)
✓ greyproxy running (SOCKS5 :43052, DNS :43053)
Dashboard: http://localhost:43080
Next steps:
1. sudo apt install libsecret-tools
2. sudo sysctl -w kernel.apparmor_restrict_unprivileged_userns=0
3. echo 'kernel.apparmor_restrict_unprivileged_userns=0' | sudo tee /etc/sysctl.d/99-greywall-userns.conf
4. Run 'greywall check' again to verify
IMO, the recommendation to disable the userns restriction permanently is a bit heavy handed. Ubuntu recommends making app level exceptions for tools that should legitimately be able to use it. That can be accomplished with:
sudo apt install apparmor-profiles
sudo cp /usr/share/apparmor/extra-profiles/bwrap-userns-restrict /etc/apparmor.d/
sudo systemctl reload apparmor
I'd recommend changing the instructions and/or making a docs page which explains the tradeoffs. The current recommendation is fine for CI but probably not what a dev would want to use on their daily driver.
Thanks.
I installed Greywall and wanted to verify linux support:
IMO, the recommendation to disable the userns restriction permanently is a bit heavy handed. Ubuntu recommends making app level exceptions for tools that should legitimately be able to use it. That can be accomplished with:
I'd recommend changing the instructions and/or making a docs page which explains the tradeoffs. The current recommendation is fine for CI but probably not what a dev would want to use on their daily driver.
Thanks.