pub const TRUSTED_BWRAP_PATHS: &[&str];
Root-owned locations where bwrap lives on a correctly-provisioned
Linux host. Order matters: NixOS system profile first (nix hosts
almost always have this), then the Determinate / single-user nix
profile, then distro-packaged /usr/bin, then manual installs.
A non-root attacker can’t write to any of these on a standard
Linux system, so resolving through them short-circuits the
$PATH planting vector. Linux-only: bwrap doesn’t run on macOS
or Windows, and typical macOS install paths (e.g. /opt/homebrew)
are owned by the installing admin user, not root, so including
them here would re-introduce the planting vector we’re closing.
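As an added illustration of the resolution strategy this constant exists for (example code written for this page, not the crate's own implementation), the block below walks an ordered list of trusted directories and accepts the first bwrap that passes a few defensive checks: regular file, executable, not group/world writable, and root-owned. The directory list here is an assumption chosen to match the description above (only /usr/bin is named on the page); the real constant's contents may differ. The root-ownership check is a parameter so the function can be exercised on a non-root filesystem.

```rust
use std::fs;
use std::os::unix::fs::{MetadataExt, PermissionsExt};
use std::path::{Path, PathBuf};

/// Assumed candidate directories, ordered as the doc comment describes.
/// These are illustrative values, not the crate's actual constant.
pub const EXAMPLE_TRUSTED_DIRS: &[&str] = &[
    "/run/current-system/sw/bin",        // NixOS system profile (assumed)
    "/nix/var/nix/profiles/default/bin", // single-user / Determinate profile (assumed)
    "/usr/bin",                          // distro package
    "/usr/local/bin",                    // manual install (assumed)
];

/// Why a candidate binary was rejected.
#[derive(Debug, PartialEq, Eq)]
pub enum Rejection {
    Missing,
    NotRegularFile,
    NotExecutable,
    WritableByOthers,
    NotRootOwned,
}

/// Vet one candidate path. Symlinks are followed (nix profiles symlink into
/// the store), so the checks apply to the final target.
pub fn vet_executable(path: &Path, require_root_owner: bool) -> Result<(), Rejection> {
    let md = fs::metadata(path).map_err(|_| Rejection::Missing)?;
    if !md.is_file() {
        return Err(Rejection::NotRegularFile);
    }
    let mode = md.permissions().mode();
    if mode & 0o111 == 0 {
        return Err(Rejection::NotExecutable);
    }
    // Group- or world-writable means a non-root user could have replaced it.
    if mode & 0o022 != 0 {
        return Err(Rejection::WritableByOthers);
    }
    if require_root_owner && md.uid() != 0 {
        return Err(Rejection::NotRootOwned);
    }
    Ok(())
}

/// Resolve `name` through `dirs` in order, never consulting $PATH.
/// Returns the first candidate that passes `vet_executable`.
pub fn resolve_trusted(dirs: &[&str], name: &str, require_root_owner: bool) -> Option<PathBuf> {
    dirs.iter()
        .map(|d| Path::new(d).join(name))
        .find(|p| vet_executable(p, require_root_owner).is_ok())
}

fn main() {
    match resolve_trusted(EXAMPLE_TRUSTED_DIRS, "bwrap", true) {
        Some(p) => println!("using {}", p.display()),
        None => println!("no trusted bwrap found; refusing to fall back to $PATH"),
    }
}
```

Returning `None` rather than falling back to a `$PATH` search is the point: a caller that cannot find a vetted binary should fail closed instead of silently widening the search to attacker-writable directories.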