Bubblewrap seems excellent for Linux uses - on macOS, it seems like sandbox-exec could do some (all?) of what bubblewrap does on Linux. There's no official documentation for SBPL, but there are examples, and I found sandboxtron[0] which was a helpful base for writing a policy to try to contain npm

0: https://github.com/lynaghk/sandboxtron/tree/main

▲

simonw 3 days ago | parent [-]

sandbox-exec is so frustrating. It could be a genuinely excellent solution to a whole bunch of sandboxing problems, except...

1. Documentation is virtually nonexistent. I think that is inexcusable for a security tool!

2. The man page says that it's deprecated, and has done for around a decade. No news on when they will actually remove it, maybe they never will? Hard to recommend it with that axe hanging over it though.

▲

garblegarble 3 days ago | parent [-]

Absolutely agreed on the lack of documentation, it seems completely insane (I assume this is because they want to reinforce that only Apple should be writing policies - but still no excuse for it)

>Hard to recommend it with that axe hanging over it though.

Given the alternative being no way to limit untrusted tooling at all today, it seems worthwhile using it despite these problems?

There's also a (very slim) chance that if it became central to the security of developers on macOS that Apple would give slightly more consideration to it

▲

simonw 3 days ago | parent [-]

Yes definitely worth using it, but I don't know how much time I want to spend integrating it deeply into my own open source projects given its uncertain status.

	▲	garblegarble 3 days ago \| parent [-]
		Yeah I know what you mean... one positive is it looks like Google use it in Chromium[0], so at least Google think the API will stick around for a while (and provides a big platform Apple would break if they discontinued it) 0: https://chromium.googlesource.com/chromium/src/+/refs/heads/...