sandbox: adjust macOS sandboxing for Docker Desktop development

Signed-off-by: Jacob Howard <jacob.howard@docker.com>
Jacob Howard 2025-08-29 16:16:11 -06:00
parent 4d922ff787
commit 1882c4e64e
No known key found for this signature in database
GPG Key ID: 3E8B8F7FEB46FC66
1 changed files with 15 additions and 8 deletions


@ -31,9 +31,12 @@ const ConfigurationLlamaCpp = `(version 1)
(allow default) (allow default)
;;; Deny network access, except for our IPC sockets. ;;; Deny network access, except for our IPC sockets.
;;; NOTE: We use different socket nomenclature when running in Docker Desktop
;;; (inference-N.sock) vs. standalone (inference-runner-N.sock), so we use a
;;; wildcard to support both.
(deny network*) (deny network*)
(allow network-bind network-inbound (allow network-bind network-inbound
(regex #"inference-runner-[0-9]+\.sock$")) (regex #"inference.*-[0-9]+\.sock$"))
;;; Deny access to the camera and microphone. ;;; Deny access to the camera and microphone.
(deny device*) (deny device*)
@ -57,6 +60,9 @@ const ConfigurationLlamaCpp = `(version 1)
;;; NOTE: For some reason, the (home-subpath "...") predicate used in system ;;; NOTE: For some reason, the (home-subpath "...") predicate used in system
;;; sandbox profiles doesn't work with sandbox-exec. ;;; sandbox profiles doesn't work with sandbox-exec.
;;; NOTE: We have to allow access to the working directory for standalone mode. ;;; NOTE: We have to allow access to the working directory for standalone mode.
;;; NOTE: We have to allow access to a regex-based Docker.app location to
;;; support Docker Desktop development as well as Docker.app installs that don't
;;; live inside /Applications.
;;; NOTE: For some reason (deny file-read*) really doesn't like to play nice ;;; NOTE: For some reason (deny file-read*) really doesn't like to play nice
;;; with llama.cpp, so for that reason we'll avoid a blanket ban and just ban ;;; with llama.cpp, so for that reason we'll avoid a blanket ban and just ban
;;; directories that might contain sensitive data. ;;; directories that might contain sensitive data.
@ -65,23 +71,24 @@ const ConfigurationLlamaCpp = `(version 1)
(deny file-read* (deny file-read*
(subpath "/Applications") (subpath "/Applications")
(subpath "/private/etc") (subpath "/private/etc")
(subpath "/Library") (subpath "/Library")
(subpath "/Users") (subpath "/Users")
(subpath "/Volumes")) (subpath "/Volumes"))
(allow file-read* file-map-executable (allow file-read* file-map-executable
(subpath "/usr") (subpath "/usr")
(subpath "/System") (subpath "/System")
(subpath "/Applications/Docker.app/Contents/Resources/model-runner") (regex #"Docker\.app/Contents/Resources/model-runner")
(subpath "[HOMEDIR]/.docker/bin/inference") (subpath "[HOMEDIR]/.docker/bin/inference")
(subpath "[HOMEDIR]/.docker/bin/lib")) (subpath "[HOMEDIR]/.docker/bin/lib"))
(allow file-write* (allow file-write*
(regex #"inference-runner-[0-9]+\.sock$")
(literal "/dev/null") (literal "/dev/null")
(subpath "/private/var") (subpath "/private/var")
(subpath "[HOMEDIR]/Library/Containers/com.docker.docker/Data")
(subpath "[WORKDIR]")) (subpath "[WORKDIR]"))
(allow file-read* (allow file-read*
(subpath "[WORKDIR]") (subpath "[HOMEDIR]/.docker/models")
(subpath "[HOMEDIR]/.docker/models")) (subpath "[HOMEDIR]/Library/Containers/com.docker.docker/Data")
(subpath "[WORKDIR]"))
` `
// sandbox is the Darwin sandbox implementation. // sandbox is the Darwin sandbox implementation.
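Review bot: The new `(regex #"Docker\.app/Contents/Resources/model-runner")` entry in the `file-read* file-map-executable` allow list of the third hunk is unanchored at both ends, so it appears to match any path that merely contains that substring, including locations under `/Users` or `/Volumes` that the deny list just above is meant to cover, as well as sibling names such as `model-runner-x`. Anchoring it keeps support for relocated Docker.app installs while narrowing the carve-out: `(regex #"/Docker\.app/Contents/Resources/model-runner(/|$)")`. The socket rule in the first hunk has the same shape, because `.*` in `inference.*-[0-9]+\.sock$` can span directory separators; `(regex #"/inference(-runner)?-[0-9]+\.sock$")` covers both names listed in the added comment. The profile string begins before these hunks, so rules not shown here may constrain this further.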