Allow running sub-processes under a Seatbelt policy
Resolved 💬 3 comments Opened May 7, 2025 by mikehearn Closed Jan 3, 2026
macOS has a very nice albeit undocumented sandboxing system that can restrict commands in flexible ways (moreso than just at the syscall level). It'd be great if commands could be run via the sandbox-exec command on macOS with a custom policy to restrain it to the given directory in a way that's more robust than whitelisting globs on command paths. I have some sandboxing experience and can help craft a useful policy if wanted.
This issue has 3 comments on GitHub. Read the full discussion on GitHub ↗