For lightweight sandboxing on Linux you can use bubblewrap or firejail instead of Docker. They are faster and _simpler_. Here is a bwrap script I wrote to run Claude in a minimal sandbox an hour back:
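Since the script itself didn't make it into the thread, here is an added bubblewrap wrapper in the same spirit (my own example, not the commenter's script). It gives the agent a read-only view of the host toolchain, makes exactly one project directory writable, isolates every namespace including the network unless `ALLOW_NET=1` is set, and drops the inherited environment. It assumes a merged-/usr distro and bwrap 0.5 or newer (for `--ro-bind-try`).

```shell
#!/bin/sh
# Added example (not the commenter's script): run a command under bubblewrap
# with the host toolchain read-only, only one project directory writable,
# and the network namespace isolated unless ALLOW_NET=1 is set.
# Assumes bwrap >= 0.5 (for --ro-bind-try) on a merged-/usr Linux host.

# Print the bwrap argument list for PROJECT_DIR, one argument per line.
# Usage: sandbox_args PROJECT_DIR [ALLOW_NET]
sandbox_args() {
  project=$1
  allow_net=${2:-0}
  printf '%s\n' \
    --ro-bind /usr /usr \
    --symlink usr/bin /bin \
    --symlink usr/sbin /sbin \
    --symlink usr/lib /lib \
    --symlink usr/lib64 /lib64 \
    --ro-bind-try /etc/ssl /etc/ssl \
    --ro-bind-try /etc/alternatives /etc/alternatives \
    --proc /proc \
    --dev /dev \
    --tmpfs /tmp \
    --tmpfs /home \
    --dir /home/sandbox \
    --bind "$project" "$project" \
    --chdir "$project" \
    --unshare-all \
    --die-with-parent \
    --new-session \
    --clearenv \
    --setenv HOME /home/sandbox \
    --setenv PATH /usr/bin:/bin \
    --setenv TERM "${TERM:-xterm}"
  # --unshare-all already put us in an empty network namespace; only
  # re-share the host network when the caller asked for it.
  if [ "$allow_net" = 1 ]; then
    printf '%s\n' --share-net --ro-bind-try /etc/resolv.conf /etc/resolv.conf
  fi
}

# True if the plan for PROJECT_DIR with ALLOW_NET contains exactly ARG.
# Usage: sandbox_plan_has PROJECT_DIR ALLOW_NET ARG
sandbox_plan_has() {
  sandbox_args "$1" "$2" | grep -qxF -- "$3"
}

# Run COMMAND [ARG...] inside the sandbox rooted at PROJECT_DIR.
# Usage: [ALLOW_NET=1] sandbox_run PROJECT_DIR COMMAND [ARG...]
sandbox_run() {
  project=$(cd "$1" && pwd -P) || return 1
  shift
  # Rebuild argv from the newline-separated plan. "$@" (the command) is
  # expanded before `set --` replaces the positional parameters, and
  # globbing is switched off so an argument like '*' survives intact.
  old_ifs=$IFS
  IFS='
'
  set -f
  set -- $(sandbox_args "$project" "${ALLOW_NET:-0}") -- "$@"
  set +f
  IFS=$old_ifs
  exec bwrap "$@"
}

# When invoked directly with arguments, run the command, e.g.
#   ./sandbox.sh ~/proj claude
if [ "$#" -gt 0 ]; then
  sandbox_run "$@"
fi
```

Everything outside the project directory is either read-only or a throwaway tmpfs, so a runaway agent can at worst trash its own checkout; `--new-session` is there so the child cannot inject keystrokes into the parent terminal via TIOCSTI, and `--die-with-parent` stops orphaned processes from surviving a crashed wrapper.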
Nice, thanks for sharing. The lack of an equivalent on macOS (sandbox-exec is similar but mostly undocumented and described as "deprecated" by Apple) is really frustrating.
I had been planning to explore Lima tonight as a mechanism to shackle CC on macOS.
The trouble with sandbox-exec is that its control over network access is not fine-grained enough, and I found its file system controls insufficient.
Also, I recently had some bad experiences which led me to believe the tool MUST be run with strict CPU and memory resource limits, which is tricky on macOS.
Wait, does Lima do isolation in a macOS context too?
It looks like Linux VMs, which Apple's container-cli (among others) covers at a basic level.
I'd like Apple to start providing macOS images that weren't the whole OS.. unless sandbox-exec/libsandbox have affordance for something close enough?
You can basically ask claude/chatgpt to write its jail (dockerfile) and then run that via `container` without installing anything on macOS outside the container it builds (IIRC). Even the container-cli will use a container to build your container..
There is an equivalent. I played with it for a while before switching to containers. You can just sign an app with sandbox entitlements that starts a subshell and uses security bookmarks to expose folders to it. It's all fully supported by Apple.
You don't need bind mounts, you can just pass access rights to directories into the sandbox directly. Also sandboxed apps run inside a (filesystem) container so file writes to $HOME are transparently redirected to a shadow home.
Respectfully, it's not enough. You can't treat the inside of the sandbox as a generic macOS system. You can't really install arbitrary things or run arbitrary programs. The wheels fall off extremely quickly.
That's true which is why I abandoned that approach, but the original comparison was against Bubblewrap which has the same issues (yes with enough overlays you can make a semi-writable system into which you can install things but you can tunnel brew outside the sandbox also).
The main issue I had is that most dev tools aren't sandbox compatible out of the box and it's Apple specific tech. You can add SBPL exceptions to make more stuff work but why bother. Containers/Linux VMs work everywhere.
Would something like dagger.io work for sandboxing? I'm not sure on the security side of things, but I very much liked the presentation they did at the AI Engineering conference (San Fran, earlier this year) about how they can build branching containers to support branching or parallelized development workflows.
Yeah, that's definitely an option worth considering. Coincidentally I quoted Dagger founder Solomon Hykes in my article - the "An AI agent is an LLM wrecking its environment in a loop" line.
While sandbox-exec is officially "deprecated" it will be around for a long time, so building some tooling on top of it to make it useful seems valuable!
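As an added illustration of the kind of tooling that comment has in mind (my example, not anything from the thread), here is a small sandbox-exec wrapper. It generates an SBPL profile that denies everything by default, allows reads of the host toolchain, confines writes to one project directory, and blocks the network unless `ALLOW_NET=1` is set. It assumes `/usr/bin/sandbox-exec` is present and that the minimal rule set below is enough for the command you run; real tools often need further exceptions, which is exactly the friction described earlier in the thread.

```shell
#!/bin/sh
# Added example, not the thread's code: a thin wrapper around macOS
# sandbox-exec that confines a command to one project directory and, by
# default, denies all network access. Assumes /usr/bin/sandbox-exec is
# present; the SBPL rules below are a minimal hand-written profile.

# Print an SBPL profile for PROJECT_DIR (an absolute, symlink-resolved path).
# Usage: sbpl_profile PROJECT_DIR [ALLOW_NET]
sbpl_profile() {
  project=$1
  allow_net=${2:-0}
  cat <<EOF
(version 1)
(deny default)
; Process creation, reads of the host toolchain, and the basics a shell
; needs in order to start at all.
(allow process*)
(allow file-read*)
(allow sysctl-read)
(allow mach-lookup)
(allow signal)
(allow ipc-posix*)
; Writes are confined to the project tree plus /dev/null and the tty.
(allow file-write* (subpath "$project"))
(allow file-write* (literal "/dev/null") (regex #"^/dev/tty"))
EOF
  # Network is already denied by default; state it explicitly so the
  # profile documents the intent, and open it only on request.
  if [ "$allow_net" = 1 ]; then
    printf '(allow network*)\n'
  else
    printf '(deny network*)\n'
  fi
}

# True if the profile for PROJECT_DIR with ALLOW_NET contains exactly LINE.
# Usage: sbpl_profile_has PROJECT_DIR ALLOW_NET LINE
sbpl_profile_has() {
  sbpl_profile "$1" "$2" | grep -qxF -- "$3"
}

# Run COMMAND [ARG...] under the profile for PROJECT_DIR.
# Usage: [ALLOW_NET=1] sbx_run PROJECT_DIR COMMAND [ARG...]
sbx_run() {
  # Resolve symlinks first: the kernel matches (subpath ...) against
  # resolved paths, so /tmp/x must be written as /private/tmp/x.
  project=$(cd "$1" && pwd -P) || return 1
  shift
  # Tools expect a writable TMPDIR; keep it inside the writable tree.
  mkdir -p "$project/.sandbox-tmp"
  profile=$(sbpl_profile "$project" "${ALLOW_NET:-0}")
  TMPDIR="$project/.sandbox-tmp" exec sandbox-exec -p "$profile" "$@"
}

# When invoked directly with arguments, run the command, e.g.
#   ./sbx.sh ~/proj claude
if [ "$#" -gt 0 ]; then
  sbx_run "$@"
fi
```

The `(deny default)` line is what makes this a real allow-list: anything the profile does not name is refused and logged, so when a tool breaks inside the sandbox, `log stream --predicate 'sender == "Sandbox"'` shows which operation to add rather than forcing you to guess.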
This is gold. Thanks so much for sharing. Being able to put claude in handcuffs and use --dangerously-skip-permissions without concern is a game changer!