“The sandbox-exec command is DEPRECATED. Developers who wish to sandbox an app should instead adopt the App Sandbox feature described in the App Sandbox Design Guide”
I wonder how many major applications and tools depend on sandbox-exec today despite that depreciation, IIRC I can think of the Codex CLI and Swift Package Manager.
alias sandbox-no-network='sandbox-exec -p "(version 1)(allow default)(deny network*)"'
pro-tip on alias:
for sh-compliant shells, including a whitespace at the end of the alias string causes the next token to also go through alias expansion. (maybe it would also be a hint to the shell for tab completion as well). This is a perfect example of when, where, and why you would want to do that.
I went down the sandbox-exec rabbit hole recently trying to get a “safe shell” for poking at random GitHub projects. I eventually realized I was solving the wrong problem.
For development you usually don’t need a kernel policy language - you mostly want:
1. builds not trashing your real $HOME
2. no dotfiles/config pollution
3. some basic separation if a project does something dumb
A much simpler (and more reliable) alternative on macOS is just a dedicated throwaway user account. macOS already isolates home directories, keychains, and app state per-user, so you get a practical sandbox without fighting SBPL quirks or mysterious denials.
My workflow now: I have a user called rsh. I clone and build everything there. My real home directory stays clean. If a project goes crazy, it only damages /Users/rsh
It also avoids the “1000 hidden files in your home folder” problem that a lot of language ecosystems cause.
It weirds me out a bit that Claude is able to reach outside the sandbox during a session. According to the docs this is with user consent. I would feed better with a more rigid safety net, which is why I've been explicitly invoking claude with sandbox-exec.
See https://bdash.net.nz/posts/sandboxing-on-macos/ for more details on how sandboxing works on macOS. It touches on how the SBPL Scheme source code is interpreted in userspace to build a bytcode representation of the policy, and the kernel MAC hooks that the Sandbox kernel extension uses for enforcing sandbox policies.
I’m impressed really neat work! Why did you opt for closed source?
edit: I don’t have a problem with closed source, but when software is expected to be accountable for my security I get a little paranoid, so was curious about the safety and guarantees here. The UX and everything else looks great
I like this! I built something similar for sandboxing CLI agents, and in the repo have a collection of minimal profiles for sandbox-exec to use - https://agent-safehouse.dev/
It drives me nuts that sandbox-exec has "sandbox" in the name, since it's nothing like a real sandbox, and much closer to something like a high-level seccomp, and not much to do with "App Sandboxes" which is a distinct macOS feature.
IMO a real sandbox let's a program act how it wishes without impacting anything outside the sandbox. In reality many of these tools just cause hard failures when attempting to cross the defined boundaries.
It's also poorly documented and IIRC deprecated. I don't know what is supposed to replace it.
If macOS simply had overlay mounts in a sandbox then it would unlock so much. Compared to Linux containers (docker, systemd, bubblewrap, even unshare) macOS is a joke.
> not much to do with "App Sandboxes" which is a distinct macOS feature
The App Sandbox is literally Seatbelt + Cocoa "containers". secinitd translates App Sandbox entitlements into a Seatbelt profile and that is then transferred back to your process via XPC and applied by an libsystem_secinit initializer early in the process initialization, shortly before main(). This is why App Sandbox programs will crash with `forbidden-sandbox-reinit` in libsystem_secinit if you run them under sandbox-exec. macOS does no OS-level virtualization.
What you're describing is a resource virtualization with transactional reconciliation instead of program isolation in the mediation sense (MAC/seccomp-style denial).
To let a program act as it wishes, ideally every security-relevant mutable resource must be virtualized instead of filtered. Plus, FS is only one of the things that should be sandboxed. You should also ideally virtualize network state at least, but ideally also process/IPC namespaces and other such systems to prevent leaks.
You need to offer a promotion step after the sandbox is over (or even during running if it's a long-running program) exposing all sandbox's state delta for you to decide selective reconciliation with the host. And you also must account for host-side drift and TOCTOU hazards during validation and application
I'm experimenting with implementing such a sandbox that works cross-system (so no kernel-level namespace primitives) and the amount necessary for late-bound policy injection, if you want user comfort, on top of policy design and synthetic environment presented to the program is hair-pulling.
> If macOS simply had overlay mounts in a sandbox then it would unlock so much. Compared to Linux containers (docker, systemd, bubblewrap, even unshare) macOS is a joke.
You'll want to look into Homebrew (or Macports) for access to the larger world
I'd add one warning for folks who haven't used it before: a tiny typo in the profile can turn into confusing runtime failures later, far away from the command that triggered them. The tool is useful, but the feedback loop is rough.
You can tell MacOS was developed by OS nerds but stifled by product managers. There are a lot of gems like Sandboxing and Hyperkit with incredible features and practically no user interface.
Why is not spending resources to develop infrequently-used features that aren't revenue streams "stifling"? Granted, I too would love to have nice UIs for those out of the box, but > 99.9% of Mac users don't care, and 3rd-party developers can pick up the slack and maybe make some money filling the gap.
Do any of the third-party package managers (Brew, MacPorts) perhaps use this for things like builds (or even installs, if things are restricted to (e.g.) /opt)?
I’ve written a personal system in Common Lisp for building third-party software on macOS (coincidentally somewhat similar to GUIX), and I use sandbox-exec to isolate execution so that only intended requisites affect the build process and so that installation is strictly confined to the configured destination directory, no scribbling outside the lines.
I am not sure using sandbox-exec is a good security architecture for AI agents. It sure is convenient and available to everyone right now. I've made another comment elsewhere in this discussion about what I think "deprecated" means - it is a sharp tool that could break if not tracking everything that changes, including every change in a SW update. It is also easy to get wrong if there is not a "(default deny)" in the profile. An agent could escape if they can find a mach service or some other system call coordinated proxy service. Java, Silverlight and Flash had backdoor communication mechanisms with other instances of themselves that could be abused.
"If" indeed. Apple has a trillion-dollar AI market staring themselves in the face, and they can't even find it in them to sign CUDA drivers for their own good.
The features you're describing would not buy them credibility in the AI field anyhow. They would certainly plaster over some of macOS and iOS' more embarrassing limitations, but professional AI deployments are not hamstrung by those limits. It's just the commodity homelabbers who want to brag about buying a 120gb GPU with anemic compute performance. Apple doesn't need to curry favor with those people, they'd buy the hardware for the luls regardless of what the software experience is like.
Technically, it’s not just Scheme-like but literally a Scheme interpreter (TinyScheme). However, the Scheme isn’t being executed to make individual sandboxing decisions. It’s just executed once while parsing the config, to build up a binary sandbox definition which is what the kernel ultimately uses to make decisions (using a much more limited-purpose, non-Turing-complete execution engine).
I believe GUIX is implemented in Scheme which makes Scheme a natural choice for expressing configuration. Lisp tend to be a natural configuration format for anything written in Lisp. Highly functional configuration processing comes practically for free.
Although macOS do provide many little known useful tools (besides this, there’s also dtrace, pf, etc), I still run a Linux VM in my MacBook for daily work. Thing is, the effort I spend on learning these tools is almost wasteful unless I’m doing iOS or macOS development. Skills about Linux tools however, is something people considered valuable because of its wider application. I think apple is missing opportunities by not doing more about macOS Server platform.
Someone|9 days ago
“The sandbox-exec command is DEPRECATED. Developers who wish to sandbox an app should instead adopt the App Sandbox feature described in the App Sandbox Design Guide”
That still is the case for MacOS 26.3 (https://man.freebsd.org/cgi/man.cgi?query=sandbox-exec&aprop...)
MacOS 10.13.6 is from 2017, so this has been deprecated for almost 10 years.
MillionOClock|9 days ago
cpach|9 days ago
extra88|9 days ago
raphaelmolly8|9 days ago
[deleted]
ksherlock|9 days ago
for sh-compliant shells, including a whitespace at the end of the alias string causes the next token to also go through alias expansion. (maybe it would also be a hint to the shell for tab completion as well). This is a perfect example of when, where, and why you would want to do that.
innagadadavida|9 days ago
For development you usually don’t need a kernel policy language - you mostly want: 1. builds not trashing your real $HOME 2. no dotfiles/config pollution 3. some basic separation if a project does something dumb
A much simpler (and more reliable) alternative on macOS is just a dedicated throwaway user account. macOS already isolates home directories, keychains, and app state per-user, so you get a practical sandbox without fighting SBPL quirks or mysterious denials.
My workflow now: I have a user called rsh. I clone and build everything there. My real home directory stays clean. If a project goes crazy, it only damages /Users/rsh
It also avoids the “1000 hidden files in your home folder” problem that a lot of language ecosystems cause.
Minimal setup :
sudo sysadminctl -addUser rsh -password $(LC_ALL=C tr -dc A-Za-z0-9 </dev/urandom | head -c 16); sudo dseditgroup -o edit -d rsh -t user admin || true; sudo install -d -m 755 -o rsh -g staff /Users/rsh/projects
Then add this alias to your ~/.zshrc command:
alias rsh='sudo -iu rsh /bin/zsh -l'
After that I just run rsh, clone repos into ~/projects, and build there.
viraptor|9 days ago
Cloning them there means leaving access to your SSH keys, right?
ImJasonH|9 days ago
- https://developers.openai.com/codex/security/#os-level-sandb...
- https://code.claude.com/docs/en/sandboxing
bootlooped|9 days ago
bdash|9 days ago
davidcann|9 days ago
hmokiguess|9 days ago
edit: I don’t have a problem with closed source, but when software is expected to be accountable for my security I get a little paranoid, so was curious about the safety and guarantees here. The UX and everything else looks great
e1g|9 days ago
Tiberium|9 days ago
ithkuil|9 days ago
kilroy123|9 days ago
xyzzy_plugh|9 days ago
IMO a real sandbox let's a program act how it wishes without impacting anything outside the sandbox. In reality many of these tools just cause hard failures when attempting to cross the defined boundaries.
It's also poorly documented and IIRC deprecated. I don't know what is supposed to replace it.
If macOS simply had overlay mounts in a sandbox then it would unlock so much. Compared to Linux containers (docker, systemd, bubblewrap, even unshare) macOS is a joke.
m132|9 days ago
The App Sandbox is literally Seatbelt + Cocoa "containers". secinitd translates App Sandbox entitlements into a Seatbelt profile and that is then transferred back to your process via XPC and applied by an libsystem_secinit initializer early in the process initialization, shortly before main(). This is why App Sandbox programs will crash with `forbidden-sandbox-reinit` in libsystem_secinit if you run them under sandbox-exec. macOS does no OS-level virtualization.
gobdovan|9 days ago
To let a program act as it wishes, ideally every security-relevant mutable resource must be virtualized instead of filtered. Plus, FS is only one of the things that should be sandboxed. You should also ideally virtualize network state at least, but ideally also process/IPC namespaces and other such systems to prevent leaks.
You need to offer a promotion step after the sandbox is over (or even during running if it's a long-running program) exposing all sandbox's state delta for you to decide selective reconciliation with the host. And you also must account for host-side drift and TOCTOU hazards during validation and application
I'm experimenting with implementing such a sandbox that works cross-system (so no kernel-level namespace primitives) and the amount necessary for late-bound policy injection, if you want user comfort, on top of policy design and synthetic environment presented to the program is hair-pulling.
simonw|9 days ago
- controls which files the process can read and write
- controls what network access the process is allowed
_wire_|9 days ago
You'll want to look into Homebrew (or Macports) for access to the larger world
lyaocean|9 days ago
CGamesPlay|9 days ago
Readers may also be interested in <https://github.com/eugene1g/agent-safehouse> which was open sourced after a recent HN conversation <https://news.ycombinator.com/item?id=46923436>.
cjbarber|9 days ago
https://github.com/obra/packnplay
https://github.com/strongdm/leash
https://github.com/lynaghk/vibe
(I've been collecting different tools for sandboxing coding agents)
cjbarber|9 days ago
https://github.com/eugene1g/agent-safehouse via CGamesPlay
https://multitui.com/ via davidcann
jpeeler|9 days ago
- https://github.com/jingkaihe/matchlock
- https://github.com/mishushakov/libkrun-go
- https://github.com/earendil-works/gondolin
- https://github.com/butter-dot-dev/bvisor
- https://github.com/amlalabs/amla-sandbox
- https://github.com/eryx-org/eryx
- https://github.com/containers/bubblewrap (not new)
- https://github.com/coplane/localsandbox
- https://github.com/sd2k/conch
- https://github.com/Gerharddc/litterbox
- https://github.com/finbarr/yolobox
- https://github.com/coventry/sandbox-codex
- https://github.com/osks/ctenv
- https://github.com/tianon/gosu
- https://github.com/colony-2/shai
- https://github.com/rcarmo/agentbox
- https://github.com/coder/httpjail
- https://github.com/bytecodealliance/componentize-py
- https://github.com/tursodatabase/agentfs
- https://github.com/always-further/nono
- (another list on HN Deno Sandbox: https://news.ycombinator.com/item?id=46876022)
- Did not check if any/all of these are here: https://github.com/arjan/awesome-agent-sandboxes
tonymet|9 days ago
otterley|9 days ago
throw0101c|9 days ago
woodruffw|9 days ago
cwicklein|9 days ago
I think Bazel uses sandbox-exec on macOS.
pingiun|9 days ago
simonw|9 days ago
- Announce that they are no longer going to deprecate sandbox-exec and instead publish detailed documentation for it
- Add a reliable "select all" option to the iOS copy/paste menu
VogonPoetry|8 days ago
bigyabai|8 days ago
The features you're describing would not buy them credibility in the AI field anyhow. They would certainly plaster over some of macOS and iOS' more embarrassing limitations, but professional AI deployments are not hamstrung by those limits. It's just the commodity homelabbers who want to brag about buying a 120gb GPU with anemic compute performance. Apple doesn't need to curry favor with those people, they'd buy the hardware for the luls regardless of what the software experience is like.
viraptor|9 days ago
huflungdung|9 days ago
[deleted]
parentheses|9 days ago
You can spoof or disappear a mashed file. You can trigger vulnerabilities by breaking internal assumptions of a program.
whalesalad|9 days ago
Wow this is cool
unknown|9 days ago
[deleted]
chmaynard|9 days ago
https://developer.apple.com/documentation/security
chaostheory|9 days ago
selridge|9 days ago
LowLevelKernel|8 days ago
kermatt|9 days ago
comex|9 days ago
cwicklein|9 days ago
epistasis|9 days ago
Writing a parser for Lisp S-expressions is dead-simple, I wonder if that's why they used the format.
sciencesama|8 days ago
mixtureoftakes|9 days ago
who looks at it and goes "yes, ill upvote this. more people should see it."?
selridge|9 days ago
kyralis|9 days ago
ghostclaw-cso|9 days ago
[deleted]
unknown|9 days ago
[deleted]
blahgeek|9 days ago