Comment by mike_hearn

Comment by mike_hearn 11 hours ago

8 replies

View on Hacker News

macOS already has a way to do that if you're a developer, but it's weirdly both obvious and non-obvious enough that people don't seem to use it: just compile a simple program that executes other programs, and then sign it with the officially supported sandbox entitlements. You will need a supervisor program that starts up the sandboxed sub-process and grants it access to the needed files via the official bookmarks API (that's what it's called):

https://developer.apple.com/documentation/security/accessing...

Now you're wondering why this isn't built in to the OS. But it is! Apps from the Mac App Store are always sandboxed. Just get your apps from there, and now you know what permissions they need because the store can tell you, as can the Settings app. You can even toggle permissions on and off via Settings.

macOS has the best sandbox of any desktop OS by far. Seatbelt isn't actually deprecated and never has been. Marking it as such seems to be just a way to warn developers off trying to use it directly. Nonetheless, it's not going anywhere: Chrome's sandbox relies on it heavily and if Apple tried to remove it or even just break backwards compatibility with it they'd break Chrome, and if not done in a coordinated manner that'd open up a lot of nasty lawsuit potential and corporate relationship problems.

The reason Apple don't want you using Seatbelt directly is that you have to be an expert in macOS internals to use it correctly ... and those internals change with every release. I reported a vulnerability to a well known company just a couple of weeks ago that involved them using Seatbelt wrong! Apple's entitlements wrap up a common set of use cases under a stable API and it's then on Apple to keep them working correctly as the internals move around.

simonw 6 hours ago

Thanks, I was wrong to say seatbelt had been deprecated, it's just sandbox-exec

This stuff is so frustrating though! If your sandboxing mechanism requires you to be "an expert in macOS internals" it's not going to get used often, and the people who DO use it are liable to make mistakes.

Clear documentation and a great developer experience are, in my opinion, essential for sandboxing mechanisms - and most of them don't have that.

Reply View 5 replies
  • mike_hearn 5 hours ago

    Apple do have those things! People just like bypassing it :) For the AI use case that you're interested in, there are ways to do this that go with Apple's flow, but UNIX hackers tend to be attracted to sandbox-exec because it looks simple even though it's not, and because doing it Apple's way requires learning a lot of Apple specific tech. Whereas the SBPL is deceptively UNIXy and simple looking.

    Reply View 4 replies
    • simonw 4 hours ago

      I am very motivated to solve this problem and I have been unable to solve it given Apple's current platform and documentation.

      Reply View 3 replies
      • mike_hearn 4 hours ago

        Hm, OK. Is there some reason that dev containers and running agents inside it won't work? I've been looking at AI sandboxing lately and can't quite decide if there's really a problem to solve here, or whether giving the agent a container regardless of platform is what makes the most sense. I guess it depends on whether you're developing apps that can run containerized - most devs do I imagine, but if you're writing mobile or desktop apps then a different strategy would be needed.

        Reply View 2 replies
bloomca 6 hours ago

Isn't MSIX packaged apps on Windows basically the same?

They will even list all the capabilities before installing, and I believe it can handle auto updates outside the MS Store as well.

But I think the main issue is that you can't give granular permissions. I would like to make my own sandbox rules, like only enable a single domain for networking for the app, only allow specific folders, etc.

I don't think you can get this granularity on macOS/Windows right now.

Reply View 1 reply
  • mike_hearn 5 hours ago

    Kernels don't understand TLS or HTTP level concepts and can't sandbox them indeed, it's a weakness for sure.

    MSIX is integrated with the (new) Win32 sandboxing mechanism, yes. You can activate an app container by requesting one in the manifest. But that only works on the very latest Win11 and you'll definitely encounter bugs.

    Reply View 0 replies