| ▲ | akazantsev 5 hours ago | ||||||||||||||||||||||||||||||||||
That's because sandboxing is quite hard. I use `cco`, but even then, the home folder is exposed. You are one prompt away from the agent sending the browser passwords with curl. To prevent this, you need a fake home and a networking whitelist for the agent to access the provider (llama cpp, OpenAI, etc.) There is no cross-platform solution that is easy to use for this. And no, a Linux box with Docker won't do. I develop a cross-platform native app and want the agent to compile and fix the platform-specific errors. | |||||||||||||||||||||||||||||||||||
| ▲ | kstenerud 35 minutes ago | parent | next [-] | ||||||||||||||||||||||||||||||||||
Sandboxing is a VERY HARD problem. I've been working on it for months, and finally have something that's mostly there: - Sandbox on Linux using Docker, Podman, containerd, gVisor, Kata, Firecracker - Sandbox on Mac using Docker (Docker Desktop or Orbstack), Podman, Apple containers, Seatbelt, Tart (Tart lets you run simulators). - Network control - Secrets control (file mounts or credentials broker) - NO ambient data (ENV is replaced with a minimal and local-to-sandbox one) - NO access to your homedir. You have to explicitly mount things you want. - NO direct access to your workdir: Your work dir is never modified until you apply the changes, either standalone or as a git commit. You can also diff before applying. Git runs sandbox side in case the repo has filters. - Has built-in support for claude, codex, gemini, aider, and opencode, but you can also launch it in "shell" mode and run whatever you want. - Supports VS code tunnels, so you can remotely access in VS code if you don't want to use the terminal. - Full lifecycle support: Launch, attach, stop, restart, wait, one-shot, clone, destroy - MCP passthrough - Layered API (golang) if you want to sandbox other things - Self-contained binary. No external requirements other than the backends you want to use. Defaults to a ~/.yoloai dir for config/data, but you can point it anywhere. - FOSS | |||||||||||||||||||||||||||||||||||
| |||||||||||||||||||||||||||||||||||
| ▲ | lionkor 4 hours ago | parent | prev | next [-] | ||||||||||||||||||||||||||||||||||
I use sandbox-here for this reason, it's a wrapper around bubblewrap, which works quite well. Copy the code and adjust it to your liking: https://github.com/lionkor/sbh I have a shell alias for it, and use it like
for example or
and maybe add --docker if I expect it to do docker things.This kind of wrapper is much easier to handle and maintain than a completely separate tool for sandboxing agents. | |||||||||||||||||||||||||||||||||||
| ▲ | squidsoup 4 hours ago | parent | prev | next [-] | ||||||||||||||||||||||||||||||||||
> That's because sandboxing is quite hard colima makes it pretty easy, on macOS and linux at any rate. | |||||||||||||||||||||||||||||||||||
| |||||||||||||||||||||||||||||||||||
| ▲ | dpacmittal 3 hours ago | parent | prev [-] | ||||||||||||||||||||||||||||||||||
Use multipass by canonical. Works on macOS, windows, Linux. | |||||||||||||||||||||||||||||||||||
| |||||||||||||||||||||||||||||||||||