In the case of AI tools it is for security reasons, not just reproducible toolchains.




We need more selinux and sandbox-exec in daily dev lives. There's no reason to bring a whole new system along just to restrict some access.

Docker is just a shim on kernel isolation APIs. It’s not any different, but better packaged.

But irrelevant in this case. I dev on macOS. I’m not aware of any other options.


sandbox-exec. It's not great, but it's usable. https://igorstechnoclub.com/sandbox-exec/

> It’s not any different

It's very different. With docker on Mac you're running a VM which runs a wrapped up complete system that runs your app.

With selinux/sandbox-exec you run just your app and can skip the extra packaging needed for docker and mounts. (And get the extra performance)


Does selinux/sandbox-exec work on a Mac? Is this an apples-to-apples comparison?

sandbox-exec is a Mac exclusive thing.

Wow TIL

Any references to how you use selinux? I've used bwrap and firejail, but I don't feel confident that I'm not leaving holes open.

Honestly - no. To use selinux you need to commit to actually learning how it works and experimenting a bit. I don't think there's an easier way than reading both redhat (https://docs.redhat.com/en/documentation/red_hat_enterprise_...) and NSA (https://www.nsa.gov/portals/75/documents/resources/everyone/...) docs.

If you're happy with firejail, make sure you use whitelists only and you'll be 90% there with what's possible to achieve.
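As an added illustration of the whitelist-only approach recommended above, applied to the sandbox-exec suggestion earlier in the thread (this is an editor's example, not code from any commenter): a minimal macOS sandbox profile that denies everything by default and only re-opens what a command-line dev tool needs, with the project directory passed in as a parameter. The `PROJECT` parameter name and the invocation line are assumptions; the system paths allowed read-only are the usual ones a dynamically linked binary needs to start.

```scheme
;; devtool.sb -- run with:
;;   sandbox-exec -D PROJECT="$PWD" -f devtool.sb -- <tool> [args...]
;; (PROJECT is a parameter name chosen for this example.)
(version 1)

;; Whitelist-only: nothing is permitted unless listed below.
(deny default)

;; Basic process lifecycle for the tool and anything it spawns.
(allow process-exec)
(allow process-fork)
(allow signal (target self))
(allow sysctl-read)

;; Path lookups (stat/readlink) anywhere, but no file contents.
(allow file-read-metadata)

;; Read-only access to the system pieces a binary needs to run.
(allow file-read*
    (subpath "/System")
    (subpath "/usr/lib")
    (subpath "/usr/share")
    (subpath "/usr/bin")
    (subpath "/bin")
    (subpath "/private/etc")
    (literal "/dev/null")
    (literal "/dev/urandom"))

;; Stdio and scratch space.
(allow file-read* file-write*
    (literal "/dev/tty")
    (subpath "/private/tmp"))

;; The only writable tree: the project passed in via -D PROJECT=...
(allow file-read* file-write*
    (subpath (param "PROJECT")))

;; Already covered by (deny default); stated explicitly so a reader
;; sees at a glance that the tool gets no network at all.
(deny network*)
```

Anything the tool tries that is not listed is refused and logged as a sandbox denial in the unified log, which is how you discover the next allow rule to add rather than starting from a permissive profile and trying to close holes.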
