zlacker

[return to "Sandboxing AI Agents in Linux"]
1. ashish+Qf1[view] [source] 2026-02-03 23:33:08
>>speckx+(OP)
I ended up writing my own sandbox so that it works on Mac OS as well and can be used for other tools (but just AI agents) as well

https://github.com/ashishb/amazing-sandbox

◧◩
2. ATechG+6h1[view] [source] 2026-02-03 23:39:01
>>ashish+Qf1
Curious to know what made you DIY this?
◧◩◪
3. ashish+Ih1[view] [source] 2026-02-03 23:40:53
>>ATechG+6h1
Tell me a better alternative that allows me to run, say, 'markdown lint', an npm package, on the current directory without giving access to the full system on Mac OS?
◧◩◪◨
4. ATechG+fj1[view] [source] 2026-02-03 23:50:10
>>ashish+Ih1
sandbox-exec -f curr_dir_access_profile.sb markdownlint
◧◩◪◨⬒
5. ashish+fl1[view] [source] 2026-02-04 00:00:21
>>ATechG+fj1
So you have to install npm package markdownlint on your machine and let it run it's potentially dangerous postinstall step?
◧◩◪◨⬒⬓
6. ATechG+2r1[view] [source] 2026-02-04 00:35:08
>>ashish+fl1
You can customize curr_dir_access_profile.sb to block access to network/fs/etc. Why is this not enough?
◧◩◪◨⬒⬓⬔
7. ashish+Gt1[view] [source] 2026-02-04 00:52:11
>>ATechG+2r1
Some tools do require Internet access.

Further, I don't even want to take the risk of running 'npm install markdownlint' anymore on my machine.

◧◩◪◨⬒⬓⬔⧯
8. ATechG+HU1[view] [source] 2026-02-04 04:34:12
>>ashish+Gt1
I understand the concern. However, you can customize the profile (e.g., allowlist) to only allow network access to required domains. Also, looks like your sandboxing solution is Docker based, which uses VMs on a Mac machine, but will not use VMs on a Linux machine (weak security).
[go to top]