zlacker

[parent] [thread] 7 comments
1. mike_h+(OP)[view] [source] 2025-05-30 15:20:42
Which platforms do you use?
replies(1): >>simonw+A4
2. simonw+A4[view] [source] 2025-05-30 15:46:43
>>mike_h+(OP)
macOS on my laptop, anything that runs in a container for when I deploy things.
replies(3): >>tough+i8 >>ericb+lp >>mike_h+2H1
◧◩
3. tough+i8[view] [source] [discussion] 2025-05-30 16:10:28
>>simonw+A4
I had luck using ALVM which users Apple Hypervisor framework while exploring linux micro-vm's in macos fwiw https://github.com/mathetake/alvm
replies(1): >>simonw+cr
◧◩
4. ericb+lp[view] [source] [discussion] 2025-05-30 18:14:17
>>simonw+A4
Working gVisor Mac install instructions here.

https://dev.to/rimelek/using-gvisors-container-runtime-in-do...

After this is done, it is:

docker run --rm --runtime=runsc hello-world

◧◩◪
5. simonw+cr[view] [source] [discussion] 2025-05-30 18:29:42
>>tough+i8
That looks really cool, but it's missing the one feature I want most from anything that runs a sandbox (or any security-related software): I need something which a billion dollar company with a professional security team is running in production on a daily basis.

So much of the solutions to this stuff I see come from a GitHub repo with a few dozen commits and often a README that says "do not rely on this software yet".

Definitely going to play with it a bit though, I love the idea of hooking into Apple's Hypervisor.framework (which absolutely fits my billion-dollar-company requirement.)

◧◩
6. mike_h+2H1[view] [source] [discussion] 2025-05-31 11:51:06
>>simonw+A4
If you use macOS then it has a great sandboxing system built in (albeit, undocumented). Anthropic are starting to experiment with using it in Claude Code to eliminate permission prompts. Claude can choose to run commands inside the sandbox, in which case they execute immediately.

I've thought about making one of these for other coding agents. It's not quite as trivial as it looks and I know how to do it, also on Windows, although it seems quite a few coding agents just pretend Windows doesn't exist unfortunately.

replies(1): >>simonw+tL1
◧◩◪
7. simonw+tL1[view] [source] [discussion] 2025-05-31 12:44:06
>>mike_h+2H1
The lack of documentation for that system is so frustrating! Security feature are the one thing where great documentation should be table stakes, otherwise we are left just wildly guessing how to keep our system secure!

I'm also disheartened by how the man pages for some of the macOS sandboxing commands have declared them deprecated for at least the last five years: https://7402.org/blog/2020/macos-sandboxing-of-folder.html

replies(1): >>mike_h+Vn2
◧◩◪◨
8. mike_h+Vn2[view] [source] [discussion] 2025-05-31 18:58:50
>>simonw+tL1
It's an internal system that exposes implementation details all over the place, so I understand why they do it that way. You have to know a staggering amount about the architecture of macOS to use it correctly. This isn't a reasonable expectation to have of developers, hence why the formal sandbox API is exposed via a set of permissions you request and the low level SBPL is for exceptions, sandboxing OS internals and various other special cases.

Is AI a special case? Maybe! I have some ideas about how to do AI sandboxing in a way that works more with the grain of macOS, though god knows when I'll find the time for it!

[go to top]