Again, it’s blacklisting so kind of impossible to get right. I’ve looked at this many times, but in order for things to properly work, you have to create a huge, huge, huge, huge sandbox file.
Especially for your application that you any kind of Apple framework.
eluded7 17 minutes ago [-]
Personally I would probably always reach for a docker container if I want a sandboxed command that can run identically anywhere.
I appreciate that alternate sandboxing tools can reduce some of the heavier parts of docker though (i.e. building or downloading the correct image)
The text says that it uses OS-level tools, specifically bubble wrap on Linux.
time0ut 15 minutes ago [-]
Very interesting. I just started researching this topic yesterday to build something for adjacent use cases (sandboxing LLM authored programs). My initial prototype is using a wasm based sandbox, but I want something more robust and flexible.
Some of my use cases are very latency sensitive. What sort of overhead are you seeing?
alyxya 33 minutes ago [-]
Cool project, and I think there would be a lot of value in just logging all operations.
kimixa 14 minutes ago [-]
For just logging would it really give any more info than a trace already does?
2 days ago [-]
Rendered at 18:03:14 GMT+0000 (Coordinated Universal Time) with Vercel.
Especially for your application that you any kind of Apple framework.
I appreciate that alternate sandboxing tools can reduce some of the heavier parts of docker though (i.e. building or downloading the correct image)
How would you compare this tool to say bubblewrap https://github.com/containers/
Some of my use cases are very latency sensitive. What sort of overhead are you seeing?