
macOS provides native sandboxing; you can use capabilities at the app level[1] or the sandbox-exec CLI to wrap an existing tool.

For Windows, you probably want WSB[2] or AppContainer isolation[3].

For Linux, the low-level primitives for sandboxing are seccomp and namespaces. You can use tools like Firejail and bubblewrap to wrap individual tool invocations, similar to sandbox-exec on macOS.

[1]: https://developer.apple.com/documentation/xcode/configuring-...

[2]: https://learn.microsoft.com/en-us/windows/security/applicati...

[3]: https://learn.microsoft.com/en-us/windows/win32/secauthz/app...
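
The bubblewrap wrapping mentioned in the comment above, as an added example that is not part of the thread. It assumes a merged-/usr Linux distribution; the function name `sandbox_run` and the `SANDBOX_BWRAP` dry-run variable are made up for this example.

```sh
#!/bin/sh
# Added example: wrap one tool invocation with bubblewrap (bwrap).
# Assumes a merged-/usr distribution (/bin, /lib, /lib64 are symlinks into /usr).
# sandbox_run and SANDBOX_BWRAP are names made up for this example.

# usage: sandbox_run WORKDIR COMMAND [ARGS...]
# The tool sees a read-only /usr, private /proc, /dev and /tmp, no network,
# a cleared environment, and exactly one writable directory mounted at /work.
sandbox_run() {
    if [ "$#" -lt 2 ]; then
        echo "usage: sandbox_run WORKDIR COMMAND [ARGS...]" >&2
        return 2
    fi
    # Resolve to an absolute physical path; fail if it is not a directory.
    _wd=$(cd "$1" 2>/dev/null && pwd -P) || {
        echo "sandbox_run: not a directory: $1" >&2
        return 2
    }
    shift
    # SANDBOX_BWRAP=echo prints the command line instead of running it.
    ${SANDBOX_BWRAP:-bwrap} \
        --unshare-all \
        --die-with-parent \
        --new-session \
        --clearenv \
        --setenv PATH /usr/bin \
        --setenv HOME /work \
        --ro-bind /usr /usr \
        --symlink usr/bin /bin \
        --symlink usr/lib /lib \
        --symlink usr/lib64 /lib64 \
        --proc /proc \
        --dev /dev \
        --tmpfs /tmp \
        --bind "$_wd" /work \
        --chdir /work \
        -- "$@"
}
```

`--unshare-all` puts the tool in new user, IPC, PID, network, UTS and cgroup namespaces; add `--share-net` after it only for tools that need network access.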




Linux also has Landlock now.

macOS sandboxing is notoriously under-documented, has sharp edges, and is nowhere near as expressive as Linux sandboxing.



Thanks! Landlock is the one I couldn't remember.

Agreed about macOS's sandboxing being under-documented.



