[akashakya]

For lightweight sandboxing on Linux you can use bubblewrap or firejail instead of Docker. They are faster and _simpler_. Here is a bwrap script I wrote to run Claude in a minimal sandbox an hour back:

    exec bwrap \
      --ro-bind /usr /usr \
      --ro-bind /etc /etc \
      --ro-bind /run /run \
      --ro-bind "$NODE_PATH" /node \
      --proc /proc \
      --dev /dev \
      --symlink usr/lib64 /lib64 \
      --tmpfs /tmp \
      --unshare-all \
      --share-net \
      --die-with-parent \
      --new-session \
      --bind "$HOME/claude" /claude \
      --bind "$HOME/.claude.json" /claude/.claude.json \
      --bind "$HOME/.claude" /claude/.claude \
      --setenv HOME /claude \
      --setenv PATH "/node:/claude/bin:/usr/bin" \
      --bind "$(pwd)" /work \
      --chdir /work \
      /claude/bin/claude "$@"

[simonw]

Nice, thanks for sharing. The lack of an equivalent on macOS (sandbox-exec is similar but mostly undocumented and described as "deprecated" by Apple) is really frustrating.

[DowsingSpoon]

I had been planning to explore Lima tonight as a mechanism to shackle CC on macOS.

The trouble with sandbox-exec is that it’s control over network access is not fine grain enough, and I found its file system controls insufficient.

Also, I recently had some bad experiences which lead me to believe the tool MUST be run with strict CPU and memory resource limits, which is tricky on macOS.

[big_toast]

Wait, does lima do isolation in a macos context too?

It looks like linux vms, which apple's container-cli (among others) covers at a basic level.

I'd like apple to start providing macOS images that weren't the whole OS.. unless sandbox-exec/libsandbox have affordance for something close enough?

You can basically ask claude/chatgpt to write its jail (dockerfile) and then run that via `container` without installing anything on macos outside the container it builds (IIRC). Even the container-cli will use a container to build your container..

[simonw]

Neat, I've not tried https://github.com/lima-vm/lima

[mike_hearn]

There is an equivalent. I played with it for a while before switching to containers. You can just sign an app with sandbox entitlements that starts a subshell and uses security bookmarks to expose folders to it. It's all fully supported by Apple.

[simonw]

I would love to be able to use sandbox entitlements for this. I have so far been unable to figure out how.

[xyzzy_plugh]

It's not equivalent. You can restrict access but expose select resources, but there's no bind mounting, no overlays, etc. etc.

It's a very far cry from bwrap.

[mike_hearn]

You don't need bind mounts, you can just pass access rights to directories into the sandbox directly. Also sandboxed apps run inside a (filesystem) container so file writes to $HOME are transparently redirected to a shadow home.

[xyzzy_plugh]

Respectfully, it's not enough. You can't treat the inside of the sandbox as a generic macOS system. You can't really install arbitrary things or run arbitrary programs. The wheels fall off extremely quickly.

[mike_hearn]

What issues did you hit?

The main issue I had is that most dev tools aren't sandbox compatible out of the box and it's Apple specific tech. You can add SBPL exceptions to make more stuff work but why bother. Containers/Linux VMs work everywhere.

[namnnumbr]

Would something like dagger.io work for sandboxing? I'm not sure on the security side of things, but I very much liked the presentation they did at the AI Engineering conference (San Fran, earlier this year) about how they can build branching containers to support branching or parallelized development workflows.

[simonw]

Yeah, that's definitely an option worth considering. Coincidentally I quoted Dagger founder Solomon Hykes in my article - the "An AI agent is an LLM wrecking its environment in a loop" line.

[theknarf]

While sandbox-exec is officially "deprecated" it will be around for a long time, so building some tooling on top of it to make it useful seems valuable!

[rufugee]

This is gold. Thanks so much for sharing. Being able to put claude in handcuffs and use --dangerously-skip-permissions without concern is a game changer!