Comment by simonw

Comment by simonw 6 months ago

21 replies

View on Hacker News

The situation on macOS is so frustrating. sandbox-exec / seatbelt has been marked as deprecated for nearly a decade now (since macOS Sierra in 2016) but it's still what everyone uses - here's OpenAI using it for their new Codex CLI: https://github.com/openai/codex/issues/215

Maybe the new "containers" stuff in macOS 26 is going to be a good replacement for that? It seems like that's a different solution though.

All I want is an easy, documented, supported way to run a binary on my computer and say "it can only access these files, use this much RAM and it's not allowed to make any outbound network requests". It always surprises me how hard this is!

zzo38computer 6 months ago

> All I want is an easy, documented, supported way to run a binary on my computer and say "it can only access these files, use this much RAM and it's not allowed to make any outbound network requests". It always surprises me how hard this is!

I think that if the operating system (and the computer design too) were designed better, then I think that it might be possible to do that, and other things (e.g. all outbound network requests must go through a specified proxy without the program knowing of the proxy, or must use a specific network interface, etc).

Reply View 0 replies
duskwuff 6 months ago

> Maybe the new "containers" stuff in macOS 26 is going to be a good replacement for that?

It is not. The Containerization framework [1] is, in its own words, "a Swift package for running Linux containers on macOS" - it's more or less an Apple-branded Docker runtime. It's not applicable to macOS software.

[1]: https://github.com/apple/containerization

Reply View 1 reply
  • [removed] 6 months ago
    [deleted]
    Reply View 0 replies
mike_hearn 6 months ago

macOS already has a way to do that if you're a developer, but it's weirdly both obvious and non-obvious enough that people don't seem to use it: just compile a simple program that executes other programs, and then sign it with the officially supported sandbox entitlements. You will need a supervisor program that starts up the sandboxed sub-process and grants it access to the needed files via the official bookmarks API (that's what it's called):

https://developer.apple.com/documentation/security/accessing...

Now you're wondering why this isn't built in to the OS. But it is! Apps from the Mac App Store are always sandboxed. Just get your apps from there, and now you know what permissions they need because the store can tell you, as can the Settings app. You can even toggle permissions on and off via Settings.

macOS has the best sandbox of any desktop OS by far. Seatbelt isn't actually deprecated and never has been. Marking it as such seems to be just a way to warn developers off trying to use it directly. Nonetheless, it's not going anywhere: Chrome's sandbox relies on it heavily and if Apple tried to remove it or even just break backwards compatibility with it they'd break Chrome, and if not done in a coordinated manner that'd open up a lot of nasty lawsuit potential and corporate relationship problems.

The reason Apple don't want you using Seatbelt directly is that you have to be an expert in macOS internals to use it correctly ... and those internals change with every release. I reported a vulnerability to a well known company just a couple of weeks ago that involved them using Seatbelt wrong! Apple's entitlements wrap up a common set of use cases under a stable API and it's then on Apple to keep them working correctly as the internals move around.

Reply View 8 replies
  • simonw 6 months ago

    Thanks, I was wrong to say seatbelt had been deprecated, it's just sandbox-exec

    This stuff is so frustrating though! If your sandboxing mechanism requires you to be "an expert in macOS internals" it's not going to get used often, and the people who DO use it are liable to make mistakes.

    Clear documentation and a great developer experience are, in my opinion, essential for sandboxing mechanisms - and most of them don't have that.

    Reply View 5 replies
    • mike_hearn 6 months ago

      Apple do have those things! People just like bypassing it :) For the AI use case that you're interested in, there are ways to do this that go with Apple's flow, but UNIX hackers tend to be attracted to sandbox-exec because it looks simple even though it's not, and because doing it Apple's way requires learning a lot of Apple specific tech. Whereas the SBPL is deceptively UNIXy and simple looking.

      Reply View 4 replies
      • simonw 6 months ago

        I am very motivated to solve this problem and I have been unable to solve it given Apple's current platform and documentation.

        Reply View 3 replies
  • bloomca 6 months ago

    Isn't MSIX packaged apps on Windows basically the same?

    They will even list all the capabilities before installing, and I believe it can handle auto updates outside the MS Store as well.

    But I think the main issue is that you can't give granular permissions. I would like to make my own sandbox rules, like only enable a single domain for networking for the app, only allow specific folders, etc.

    I don't think you can get this granularity on macOS/Windows right now.

    Reply View 1 reply
    • mike_hearn 6 months ago

      Kernels don't understand TLS or HTTP level concepts and can't sandbox them indeed, it's a weakness for sure.

      MSIX is integrated with the (new) Win32 sandboxing mechanism, yes. You can activate an app container by requesting one in the manifest. But that only works on the very latest Win11 and you'll definitely encounter bugs.

      Reply View 0 replies
bdash 6 months ago

It mostly seems to be deprecated to encourage developers to use App Sandbox rather than doing custom sandboxing things. With custom sandboxing baking implementation details of system frameworks into the sandbox policy is almost unavoidable, and Apple would really rather you didn't do that as it limits their ability to make changes in the future.

The underlying sandbox subsystem is what App Sandbox uses. Apple can happily rely on implementation details of system frameworks in their policies because they can update them as the system frameworks change.

The sandbox subsystem is what all of Apple's system software uses for sandboxing, as well as many security-conscious third-party programs such as web browsers. It's not going anywhere anytime soon, despite being marked as deprecated.

Reply View 0 replies
Jyaif 6 months ago

You want a capability based OS where by default processes are sandboxed.

Reply View 3 replies
throwaway290 6 months ago

I use Docker for this. Sandbox is not effective. Like if you run Firefox with "deny network" profile you will still be able to browse as usual.

Reply View 1 reply
  • jbverschoor 6 months ago

    same.. I use https://github.com/jrz/container-shell to start a fresh debian+tools image under the current directory, yet still allows me to easily open multiple terminals to the same instance.

      shell my:sandbox
    I also use sandbox-exec with limitations to the pwd, depending on what I want to exec.
    Reply View 0 replies
tux3 6 months ago

The ideal for me would be Asahi support from Apple, but the software support on their hardware is so far behind the hardware itself (which is amazing).

Reply View 0 replies
paulddraper 6 months ago

Agreed, macOS has lagged every other OS here.

The easiest solution is to give up and use Linux (Docker).

Reply View 0 replies