Allow running sub-processes under a Seatbelt policy

Resolved 💬 3 comments Opened May 7, 2025 by mikehearn Closed Jan 3, 2026

macOS has a very nice albeit undocumented sandboxing system that can restrict commands in flexible ways (moreso than just at the syscall level). It'd be great if commands could be run via the sandbox-exec command on macOS with a custom policy to restrain it to the given directory in a way that's more robust than whitelisting globs on command paths. I have some sandboxing experience and can help craft a useful policy if wanted.

View original on GitHub ↗

This issue has 3 comments on GitHub. Read the full discussion on GitHub ↗