- ✅
src/macos-sandbox.ts- macOS sandbox implementation using sandbox-exec - ✅
src/platform-sandbox.ts- Cross-platform abstraction layer - ✅
src/sandbox-manager.ts- Updated to use PlatformSandbox - ✅
src/index.ts- Exports macOS classes
- ✅ Deny access to sensitive paths (
.ssh,.aws,.gnupg, etc.) - ✅ Allow access to working directory
- ✅ Allow read access to system directories (
/usr,/System, etc.) - ✅ Allow network access (controlled via proxy)
- ✅ Allow process execution
- ✅ Temporary profile file creation and cleanup
- ✅ Automatic platform detection (
darwinvslinux) - ✅ Platform-specific error messages
- ✅
PlatformSandbox.isAvailable()checks for sandbox-exec - ✅
PlatformSandbox.getSandboxType()returns implementation name
✅ TESTED AND VERIFIED
- All 22 tests passing
- Security validation confirmed
- Bubblewrap 0.9.0 working
- Code implemented but not tested on actual macOS
- Need to run on macOS to verify
# 1. Clone the repo
git clone <repo-url>
cd bubblewrap
# 2. Install dependencies
npm install
# 3. Build
npm run build
# 4. Verify sandbox-exec is available
which sandbox-exec
sandbox-exec -h
# 5. Run tests
npm test
# 6. Specifically run security validation
npm test -- src/__tests__/security-validation.test.ts
# 7. Or use the quick test script
./scripts/test-locally.shWhen running on macOS:
PlatformSandboxdetectsplatform() === 'darwin'- Creates
MacOSSandboxinstance - Generates Seatbelt profile on each command
- Runs
sandbox-exec -f <profile> <command> - Should block same paths as Linux version
Generated profile looks like this:
(version 1)
(debug deny)
(allow default)
; Deny sensitive paths
(deny file-read* file-write*
(subpath "/Users/username/.ssh")
(subpath "/Users/username/.aws")
(subpath "/Users/username/.config/gcloud")
)
; Allow working directory
(allow file-read* file-write*
(subpath "/Users/username/project")
)
; Allow system directories
(allow file-read*
(subpath "/usr")
(subpath "/System")
)-
sandbox-exec limitations:
- Less restrictive than bubblewrap
- Network filtering is limited (relies on proxy)
- Process isolation is weaker
-
Seatbelt is deprecated:
- macOS has moved to App Sandbox for apps
sandbox-execstill works but is legacy- Future macOS versions might remove it
-
Root/sudo:
- May need additional permissions
- Some operations might bypass sandbox
If sandbox-exec doesn't work well:
# Run in Docker container on macOS
docker run --rm -v $(pwd):/workspace sandbox-image- More modern but requires app bundle
- Better isolation but more complex
- Run Linux VM via UTM/Parallels
- Use bubblewrap inside VM
The workflow is set up to test on both platforms:
test-linux: Ubuntu with bubblewraptest-macos: macOS with sandbox-exec
Once you push, GitHub Actions will test on actual macOS.
To complete macOS support:
- ✅ Code is written
⚠️ Need to test on actual macOS machine- ⏳ Need to verify sandbox-exec blocks paths correctly
- ⏳ May need to adjust Seatbelt profile based on testing
- ⏳ Document any macOS-specific quirks
When you test on macOS, verify these:
- Platform detection works (
Platform: darwin) - sandbox-exec is found
- Seatbelt profile is created in /tmp
- SSH key access is blocked (
~/.ssh/id_rsa) - AWS credentials are blocked (
~/.aws/credentials) - Working directory access is allowed
- System files are blocked (
/etc/sudoers) - Subprocess isolation works
- Profile cleanup works (no /tmp pollution)
- Performance is acceptable (<100ms overhead)
| Component | Linux | macOS | Status |
|---|---|---|---|
| Core implementation | ✅ | ✅ | Complete |
| Platform detection | ✅ | ✅ | Complete |
| Tests written | ✅ | ✅ | Complete |
| Tests passing | ✅ | Need macOS machine | |
| Documentation | ✅ | ✅ | Complete |
| GitHub Actions | ✅ | ✅ | Ready to test |
Overall: 95% complete, waiting for macOS testing