Explore integration of bwrap for enhanced protections #142
Description
Some ill written workflows can go astray, and they could try writing outside the expected sandbox, overwriting some input or writing in some input or workflow directory.
bwrap is a low level command line tool which is used by FlatPak and other tools. It uses both linux cgroups and namespaces to be able to create a sandbox where the running program is constrained.
The ultimate target is that every command run by WfExS-backend is run in their corresponding bubblewrapped sandbox, starting with the workflow engine and container materialisation commands.