Hacker News new | ask | show | jobs
by woodruffw 439 days ago
macOS provides native sandboxing; you can use capabilities at the app level[1] or the sandbox-exec CLI to wrap an existing tool.

For Windows, you probably want WSB[2] or AppContainer isolation[3].

For Linux, the low-level primitives for sandboxing are seccomp and namespaces. You can use tools like Firejail and bubblewrap to wrap individual tool invocations, similar to sandbox-exec on macOS.

[1]: https://developer.apple.com/documentation/xcode/configuring-...

[2]: https://learn.microsoft.com/en-us/windows/security/applicati...

[3]: https://learn.microsoft.com/en-us/windows/win32/secauthz/app...
1 comments
amarshall 439 days ago
Linux also has Landlock now.

macOS sandboxing is notoriously under-documented, has sharp edges, and is nowhere near as expressive as Linux sandboxing.

link
anonzzzies 439 days ago
To save a search; https://docs.kernel.org/userspace-api/landlock.html
link
woodruffw 439 days ago
Thanks! Landlock is the one I couldn't remember.

Agreed about macOS's sandboxing being under-documented.

link