Comment by mike_hearn
8 months ago
Apple do have those things! People just like bypassing it :) For the AI use case that you're interested in, there are ways to do this that go with Apple's flow, but UNIX hackers tend to be attracted to sandbox-exec because it looks simple even though it's not, and because doing it Apple's way requires learning a lot of Apple specific tech. Whereas the SBPL is deceptively UNIXy and simple looking.
I am very motivated to solve this problem and I have been unable to solve it given Apple's current platform and documentation.
Hm, OK. Is there some reason that dev containers and running agents inside it won't work? I've been looking at AI sandboxing lately and can't quite decide if there's really a problem to solve here, or whether giving the agent a container regardless of platform is what makes the most sense. I guess it depends on whether you're developing apps that can run containerized - most devs do I imagine, but if you're writing mobile or desktop apps then a different strategy would be needed.
I've tried a whole bunch of things. I'm currently using Docker for Desktop and running containers in that, which is OK but feels like a LOT of overhead to address a problem that the core OS has features for solving already.
I want a solution I can distribute to other people where the first step isn't "install Docker".
1 reply →