frontpage.
newsnewestaskshowjobs

Made with ♥ by @iamnishanth

Open Source @Github

fp.

Open in hackernews

macOS's Little-Known Command-Line Sandboxing Tool (2025)

https://igorstechnoclub.com/sandbox-exec/
97•Igor_Wiwi•2h ago

Comments

CGamesPlay•2h ago
Thanks for putting this together, it's very helpful.

Readers may also be interested in <https://github.com/eugene1g/agent-safehouse> which was open sourced after a recent HN conversation <https://news.ycombinator.com/item?id=46923436>.

chmaynard•2h ago
Nice write-up! This is one component of a much larger umbrella framework for security on Apple platforms:

https://developer.apple.com/documentation/security

davidcann•1h ago
I made a UI for this to run terminal apps, like claude and codex: https://multitui.com
e1g•1h ago
I like this! I built something similar for sandboxing CLI agents, and in the repo have a collection of minimal profiles for sandbox-exec to use - https://agent-safehouse.dev/
hmokiguess•1h ago
I’m impressed really neat work! Why did you opt for closed source?

edit: I don’t have a problem with closed source, but when software is expected to be accountable for my security I get a little paranoid, so was curious about the safety and guarantees here. The UX and everything else looks great

kilroy123•1h ago
Wow, this looks very nice.
Tiberium•1h ago
Codex already uses sandbox-exec on macOS :)
ithkuil•49m ago
Which terminal do you embed?
throw0101c•1h ago
Do any of the third-party package managers (Brew, MacPorts) perhaps use this for things like builds (or even installs, if things are restricted to (e.g.) /opt)?
cwicklein•1h ago
I’ve written a personal system in Common Lisp for building third-party software on macOS (coincidentally somewhat similar to GUIX), and I use sandbox-exec to isolate execution so that only intended requisites affect the build process and so that installation is strictly confined to the configured destination directory, no scribbling outside the lines.

I think Bazel uses sandbox-exec on macOS.

woodruffw•21m ago
Homebrew uses sandbox-exec during builds and installs, yeah. To my memory we’ve used it for at least 6 or 7 years, probably longer.
Someone•1h ago
https://man.freebsd.org/cgi/man.cgi?query=sandbox-exec&aprop...:

“The sandbox-exec command is DEPRECATED. Developers who wish to sandbox an app should instead adopt the App Sandbox feature described in the App Sandbox Design Guide”

That still is the case for MacOS 26.3 (https://man.freebsd.org/cgi/man.cgi?query=sandbox-exec&aprop...)

MacOS 10.13.6 is from 2017, so this has been deprecated for almost 10 years.

MillionOClock•51m ago
I wonder how many major applications and tools depend on sandbox-exec today despite that depreciation, IIRC I can think of the Codex CLI and Swift Package Manager.
selridge•40m ago
Claude, Firefox, safari, chrome, etc etc etc etc

Basically everyone who has to care about security on the Mac.

cpach•13m ago
Does anyone have any details regarding the deprecation? I wonder why Apple made this decision.
TingPing•4m ago
I don’t know if there are problems with this tool, but the App Sandbox is very configurable and every app store app is in one. It doesn’t make sense to maintain two different complex sandboxing solutions.
kermatt•1h ago
Interesting config used a Scheme-like format. Any ideas on how that came to be?
cwicklein•1h ago
I believe GUIX is implemented in Scheme which makes Scheme a natural choice for expressing configuration. Lisp tend to be a natural configuration format for anything written in Lisp. Highly functional configuration processing comes practically for free.
epistasis•1h ago
I was given trauma from my decades of ELisp configuration for emacs...

Writing a parser for Lisp S-expressions is dead-simple, I wonder if that's why they used the format.

comex•7m ago
Technically, it’s not just Scheme-like but literally a Scheme interpreter (TinyScheme). However, the Scheme isn’t being executed to make individual sandboxing decisions. It’s just executed once while parsing the config, to build up a binary sandbox definition which is what the kernel ultimately uses to make decisions (using a much more limited-purpose, non-Turing-complete execution engine).
ImJasonH•1h ago
Both Claude Code and Codex use sandbox-exec with Seatbelt to sandbox execution:

- https://developers.openai.com/codex/security/#os-level-sandb...

- https://code.claude.com/docs/en/sandboxing

bootlooped•49m ago
It weirds me out a bit that Claude is able to reach outside the sandbox during a session. According to the docs this is with user consent. I would feed better with a more rigid safety net, which is why I've been explicitly invoking claude with sandbox-exec.
xyzzy_plugh•1h ago
It drives me nuts that sandbox-exec has "sandbox" in the name, since it's nothing like a real sandbox, and much closer to something like a high-level seccomp, and not much to do with "App Sandboxes" which is a distinct macOS feature.

IMO a real sandbox let's a program act how it wishes without impacting anything outside the sandbox. In reality many of these tools just cause hard failures when attempting to cross the defined boundaries.

It's also poorly documented and IIRC deprecated. I don't know what is supposed to replace it.

If macOS simply had overlay mounts in a sandbox then it would unlock so much. Compared to Linux containers (docker, systemd, bubblewrap, even unshare) macOS is a joke.

_wire_•1h ago
> If macOS simply had overlay mounts in a sandbox then it would unlock so much. Compared to Linux containers (docker, systemd, bubblewrap, even unshare) macOS is a joke.

You'll want to look into Homebrew (or Macports) for access to the larger world

gobdovan•33m ago
What you're describing is a resource virtualization with transactional reconciliation instead of program isolation in the mediation sense (MAC/seccomp-style denial).

To let a program act as it wishes, ideally every security-relevant mutable resource must be virtualized instead of filtered. Plus, FS is only one of the things that should be sandboxed. You should also ideally virtualize network state at least, but ideally also process/IPC namespaces and other such systems to prevent leaks.

You need to offer a promotion step after the sandbox is over (or even during running if it's a long-running program) exposing all sandbox's state delta for you to decide selective reconciliation with the host. And you also must account for host-side drift and TOCTOU hazards during validation and application

I'm experimenting with implementing such a sandbox that works cross-system (so no kernel-level namespace primitives) and the amount necessary for late-bound policy injection, if you want user comfort, on top of policy design and synthetic environment presented to the program is hair-pulling.

lyaocean•1h ago
I'd add one warning for folks who haven't used it before: a tiny typo in the profile can turn into confusing runtime failures later, far away from the command that triggered them. The tool is useful, but the feedback loop is rough.
chaostheory•53m ago
Are sandbox-exec and seatbelt no longer deprecated? I genuinely don’t know. I am asking
selridge•39m ago
Still deprecated. Still in use by everyone.
blahgeek•45m ago
Although macOS do provide many little known useful tools (besides this, there’s also dtrace, pf, etc), I still run a Linux VM in my MacBook for daily work. Thing is, the effort I spend on learning these tools is almost wasteful unless I’m doing iOS or macOS development. Skills about Linux tools however, is something people considered valuable because of its wider application. I think apple is missing opportunities by not doing more about macOS Server platform.
cjbarber•18m ago
See also:

https://github.com/obra/packnplay

https://github.com/strongdm/leash

https://github.com/lynaghk/vibe

(I've been collecting different tools for sandboxing coding agents)

cjbarber•16m ago
And from this thread I also see:

https://github.com/eugene1g/agent-safehouse via CGamesPlay

https://multitui.com/ via davidcann

ksherlock•13m ago

    alias sandbox-no-network='sandbox-exec -p "(version 1)(allow default)(deny network*)"'
pro-tip on alias:

for sh-compliant shells, including a whitespace at the end of the alias string causes the next token to also go through alias expansion. (maybe it would also be a hint to the shell for tab completion as well). This is a perfect example of when, where, and why you would want to do that.

I Verified My LinkedIn Identity. Here's What I Handed Over

https://thelocalstack.eu/posts/linkedin-identity-verification-privacy/
637•ColinWright•9h ago•249 comments

Keep Android Open

https://f-droid.org/2026/02/20/twif.html
1818•LorenDB•22h ago•625 comments

macOS's Little-Known Command-Line Sandboxing Tool (2025)

https://igorstechnoclub.com/sandbox-exec/
98•Igor_Wiwi•2h ago•34 comments

How far back in time can you understand English?

https://www.deadlanguagesociety.com/p/how-far-back-in-time-understand-english
26•spzb•3d ago•15 comments

I found a Vulnerability. They found a Lawyer

https://dixken.de/blog/i-found-a-vulnerability-they-found-a-lawyer
775•toomuchtodo•21h ago•351 comments

Turn Dependabot off

https://words.filippo.io/dependabot/
572•todsacerdoti•19h ago•167 comments

AI uBlock Blacklist

https://github.com/alvi-se/ai-ublock-blacklist
96•rdmuser•8h ago•36 comments

Facebook is cooked

https://pilk.website/3/facebook-is-absolutely-cooked
1319•npilk•22h ago•718 comments

Andrej Karpathy talks about "Claws"

https://simonwillison.net/2026/Feb/21/claws/
234•helloplanets•6h ago•363 comments

Ggml.ai joins Hugging Face to ensure the long-term progress of Local AI

https://github.com/ggml-org/llama.cpp/discussions/19759
784•lairv•1d ago•206 comments

Wikipedia deprecates Archive.today, starts removing archive links

https://arstechnica.com/tech-policy/2026/02/wikipedia-bans-archive-today-after-site-executed-ddos...
533•nobody9999•22h ago•310 comments

CXMT has been offering DDR4 chips at about half the prevailing market rate

https://www.koreaherald.com/article/10679206
44•phront•2h ago•15 comments

CERN rebuilt the original browser from 1989 (2019)

https://worldwideweb.cern.ch
221•tylerdane•17h ago•78 comments

Padlet (YC W13) Is Hiring in San Francisco and Singapore

https://padlet.jobs
1•coffeebite•4h ago

Lean 4: How the theorem prover works and why it's the new competitive edge in AI

https://venturebeat.com/ai/lean4-how-the-theorem-prover-works-and-why-its-the-new-competitive-edg...
96•tesserato•4d ago•44 comments

Coccinelle: The Linux kernel's source-to-source transformation tool

https://github.com/coccinelle/coccinelle
50•anon111332142•8h ago•16 comments

The bare minimum for syncing Git repos

https://alexwlchan.net/2026/bare-git/
31•speckx•3d ago•16 comments

Every company building your AI assistant is now an ad company

https://juno-labs.com/blogs/every-company-building-your-ai-assistant-is-an-ad-company
252•ajuhasz•21h ago•127 comments

What Is OAuth?

https://leaflet.pub/p/did:plc:3vdrgzr2zybocs45yfhcr6ur/3mfd2oxx5v22b
171•cratermoon•15h ago•63 comments

Approaches to writing two-sentence journal entries

https://alexanderbjoy.com/two-sentence-journal-approaches/
55•fi-le•3d ago•2 comments

JWasm: Masm Compatible Assembler

https://github.com/Baron-von-Riedesel/JWasm
13•doener•4d ago•1 comments

Understanding Std:Shared_mutex from C++17

https://www.cppstories.com/2026/shared_mutex/
33•ibobev•4d ago•17 comments

Index, Count, Offset, Size

https://tigerbeetle.com/blog/2026-02-16-index-count-offset-size/
133•ingve•3d ago•62 comments

When etcd crashes, check your disks first

https://nubificus.co.uk/blog/etcd/
33•_ananos_•9h ago•11 comments

Blue light filters don't work – controlling total luminance is a better bet

https://www.neuroai.science/p/blue-light-filters-dont-work
203•pminimax•22h ago•195 comments

Gitas – A tool for Git account switching

https://github.com/letmutex/gitas
44•letmutex•4d ago•36 comments

The path to ubiquitous AI (17k tokens/sec)

https://taalas.com/the-path-to-ubiquitous-ai/
784•sidnarsipur•1d ago•427 comments

OpenScan

https://openscan.eu/pages/scan-gallery
198•joebig•20h ago•18 comments

Cord: Coordinating Trees of AI Agents

https://www.june.kim/cord
122•gfortaine•15h ago•66 comments

Show HN: Mines.fyi – all the mines in the US in a leaflet visualization

https://mines.fyi/
97•irasigman•19h ago•49 comments