Ask HN: Development Environment Sandboxing on macOS

3 points by suchar ↗ HN
I've been thinking of ways to sandbox development-related programs/processes/data on the MacOS. A primary use case is to protect the whole system from the, for example, malicious NPM library. I'm aware that there is some application sandboxing built-in into the MacOS. However, I don't know to what extent it covers this use case.

For this discussion, let's consider full-fledged IDE, like IntelliJ Idea, and skip remote development using VSCode/CLI editor over SSH/TRAMP/Projector. Also, examine a case where we would like to run multiple different applications inside the same sandbox for a specific project (e.g., IntelliJ + iTerm).

Please focus on the MacOS — I already know how to solve this issue on Linux.

4 comments

[ 4.5 ms ] story [ 21.8 ms ] thread
You seem to have a problem that actually doesn't exist, if you use Linux containers atop macOS–or, you haven't explained the root of your problem well enough.

Plus, there is yarn.

The problem is running, possibly untrusted, code in isolation from the host in a convenient way. "Convenient way" is, of course, very subjective: in my case, it is doing as much as possible from the IDE (IntelliJ Idea). As a result, this means sandboxing graphical applications, and I'm not aware of a way to run a graphical application in a Linux container on MacOS.

IntelliJ has access to all downloaded packages (to provide autocompletion, etc.) and run npm/yarn/whatever's scripts/actions. This IDE has a lot of customized support for specific tools, which I find valuable, and wrapping everything in a shell script delegating work to a container means losing this support. At the same time, running IntelliJ as a native application, I'm able to open an embedded terminal and enumerate files in my home folder (with exceptions, like Documents and Downloads, but I'm not able to isolate projects from each other). I'm trying to keep all fancy stuff but isolate different projects from the host and each other.

As for yarn: npm is only an example. The same problem affects almost every package manager. NodeJS ecosystem is convenient here because nearly everybody has heard of some malicious JS package.

Sounds as if you want IntelliJ Idea to implement VSCode isolation features, though that won't necessarily solve the issue of malicious JS packages.

If you're really that concerned with the lack of provenance of your JS libraries, you can 1) analyze the source of every dependency, direct or indirect, or 2) write code in a different language that you ARE able to trust, then compile to a WebAssembly target.

Just run a full Linux VM with a desktop environment and host the IDE and other apps inside. On relatively recent hardware you should be able to get decent performance and perfect isolation. You can use something like UTM (https://github.com/utmapp/UTM) or VMWare Fusion.