DowsingSpoon | 5 months ago

I had been planning to explore Lima tonight as a mechanism to shackle CC on macOS.

The trouble with sandbox-exec is that its control over network access is not fine-grained enough, and I found its file system controls insufficient.

Also, I recently had some bad experiences which led me to believe the tool MUST be run with strict CPU and memory resource limits, which is tricky on macOS.
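As an added illustration of the approach this comment is considering (not code from the commenter or from the Lima project), a minimal Lima VM definition that pins the VM's CPU and memory and exposes only one project directory to the guest; the key names are assumed to follow Lima's lima.yaml template schema, and the paths and image URL are placeholders.

```yaml
# Added example: a Lima VM definition for running an agent such as CC
# under hard resource limits and with a narrow view of the host filesystem.
# Key names assumed to match Lima's lima.yaml template schema.
vmType: "vz"              # Apple Virtualization.framework backend
cpus: 2                   # CPU cap enforced by the hypervisor, not by the guest
memory: "4GiB"            # memory cap; a runaway process is contained to the VM
disk: "20GiB"

images:
  # Placeholder: copy the image entry from one of Lima's stock templates.
  - location: "https://example.invalid/cloud-image.img"
    arch: "aarch64"

# Only the project checkout is mounted. SSH keys, browser profiles and
# other repositories on the host are simply not visible from the guest.
mounts:
  - location: "~/work/agent-project"   # placeholder path
    writable: true
```

Start it with `limactl start --name agent agent.yaml` and run the tool inside via `limactl shell agent`, so an out-of-control process can only exhaust the VM's allotment.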

big_toast | 5 months ago

Wait, does lima do isolation in a macos context too?

It looks like linux vms, which apple's container-cli (among others) covers at a basic level.

I'd like apple to start providing macOS images that weren't the whole OS, unless sandbox-exec/libsandbox have affordance for something close enough?

You can basically ask claude/chatgpt to write its jail (dockerfile) and then run that via `container` without installing anything on macos outside the container it builds (IIRC). Even the container-cli will use a container to build your container.