Sandbox Exec
The Sandbox Exec backend uses macOS's built-in sandbox-exec to run commands inside a process-level sandbox profile. It's a lightweight option for restricting filesystem and network access on macOS without standing up a full VM.
Requirements
- macOS
sandbox-exec is shipped with macOS, so no extra installation is required.
Usage
heyvm --backend-type sandbox_execTrade-offs
- Pros: zero-install, very fast startup, no VM overhead.
- Cons: weaker isolation than VM-based backends — processes still run on the host kernel; the sandbox profile only restricts what they can touch.