Comment by ca_tech
2 days ago
If you are running MacOS, I would recommend Agent Safehouse. Well maintained and is built on existing sandbox-exec so you are not locked in and can always build your own rules independent of the CLI tool.
https://github.com/eugene1g/agent-safehouse/ https://news.ycombinator.com/item?id=47301085
Seconding this. I've been running Safehouse for months and love that it can wrap any process (it's just a wrapper around the native macOS sandbox API, after all). The only thing I miss is the ability to limit network access, which isn't supported by the API.
Safehouse author here - glad you found it helpful. It didn't even occur to me to add --offline mode because my mental model is anchored in agents which often require network access. Until we add this, the easiest option is to create a custom policy and then reference it with Safehouse (I usually setup shell aliases/funciton for this)
Hello! I was definitely not looking to block all network access. I would want to maintain a whitelist of hosts and IPs. I don't know if that's possible?
1 reply →