Hacker Newsnew | past | comments | ask | show | jobs | submitlogin

So my somewhat shaky understanding is that Apple does have some form of jails in Darwin, because they use it on iOS (hence, "jailbreaking"), but for some reason doesn't ship it in desktop Darwin (aka macOS).


Apple’s sandbox focuses on isolating the OS from non-platform binaries. It doesn’t have namespaces or cgroups.

Jailbreaking on iOS is mostly about that sandbox. It doesn’t relate to BSD jails.

On macOS, Apple made the sandbox more lenient and implemented it a bit differently than on iOS. But both have roughly the same goals. They’re also alike in that both use the same kernel-level framework (MACF) to do their job.

But the MACF is completely off-limits to everyone outside Apple. Not even accredited kext developers can use it. So I think that no one except Apple could possibly add container-style isolation to macOS.


As far as I'm aware, macOS' sandbox isn't like the kernel namespaces and cgroups available on Linux.


> Apple does have some form of jails in Darwin

Thinking about the names Apple might call this tech is amusing, with their use of ‘me’ ‘I’ ‘Apple’ etc. I assume ‘Jail’ wouldn’t be in the name.


iSolation


It exists on macOS but doesn’t support the mount namespacing you’d need to create something like a docker container on macOS.




Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: