Comment by bigwheels

Comment by bigwheels 6 hours ago

4 replies

I use Leash [1] [2] for sandboxing my agents (to great effect!). I've been very happy with it; it provides strict policy-level control for all process-level + network-level activity, as well as full visibility and dynamic runtime controls via WebUI. Way better than bubblewrap imo.

I originally saw it here on HN and have been hooked ever since.

[1] Screenshot: https://camo.githubusercontent.com/99b9e199ffb820c27c4e977f2...

[2] https://github.com/strongdm/leash

Fun fact: Do you know what container / sandboxing system is in most widespread use? Not Docker containers, certainly not bubblewrap, and not even full VMs or Firecracker. It's Chrome tabs.

necovek 4 hours ago

That's interesting, how does Chrome implement "sandboxing" in Windows and macOS? For Linux, does it use the same underlying technology as Docker, Podman, LXD, LXC (cgroups, namespaces...)?

Or is it a custom "sandboxing" implementation not relying on system-level functions (e.g. a VM with restricted functions)?

If the latter, I wonder if something like JRE or .NET CLR is still out there in larger numbers, but obviously, Chrome does have billions of users.

observationist 6 hours ago

Using Chrome for anything seems like a security failure in itself. It's got great features, but damn do they come at a cost.

JCattheATM 2 hours ago

> certainly not bubblewrap,

Eh, it might be bubblewrap given it's what Flatpak uses.