feat(kernels): use sandbox-exec for sandboxing kernels on MacOS
#2119
Assignees
Labels
type: feature
Proposes a new feature
Comments
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Summary
See #2117 and #2118 for background. Some notes on
sandbox-exec:It is marked as deprecated and "Developers who wish to sandbox an app should instead adopt the App Sandbox feature described in the App Sandbox Design Guide". However, AFAICT the App Sandbox requires us to be able to modify the binary being run. Various comments suggest that although it is deprecated that it isn't going to go away soon because it is used internally by MacOS a lot, including for App Sandbox (?).
https://www.karltarvas.com/macos-app-sandboxing-via-sandbox-exec.html
https://jmmv.dev/2019/11/macos-sandbox-exec.html
https://stackoverflow.com/questions/56703697/how-to-sandbox-third-party-applications-when-sandbox-exec-is-deprecated-now
Given that configs for
nsjailare much more widely available, it seems like that it would be better to establish those first and then port them over tosandbox-exec's Scheme based config files.The text was updated successfully, but these errors were encountered: