By default it runs in docker, and also includes an extra sophisticated macOS-native --darwin mode which goes beyond the capabilities and guarantees of the likes of sandbox-exe, bubblewrap, and in some ways docker. Leash provides visibility into and control over every command and network request attempted by the coder agent. Would appreciate any feedback, and will try to get in touch with the author (Gordon).
Now I'll definitely look into automatically supporting pass-through auth for at least gh cli in Leash - always looking for what folks will find useful.
corv•1h ago
Interesting! The sandboxing space definitely deserves more attention.
On the other side of the spectrum, we're working on a lightweight approach that augments user namespaces with libseccomp to filter syscalls via BPF.
jaytaylor•2h ago
At my company (StrongDM) we recently open-sourced a tool in this space called Leash: https://github.com/strongdm/leash
By default it runs in docker, and also includes an extra sophisticated macOS-native --darwin mode which goes beyond the capabilities and guarantees of the likes of sandbox-exe, bubblewrap, and in some ways docker. Leash provides visibility into and control over every command and network request attempted by the coder agent. Would appreciate any feedback, and will try to get in touch with the author (Gordon).
Now I'll definitely look into automatically supporting pass-through auth for at least gh cli in Leash - always looking for what folks will find useful.
corv•1h ago
On the other side of the spectrum, we're working on a lightweight approach that augments user namespaces with libseccomp to filter syscalls via BPF.
https://github.com/corv89/shannot