NAC provides a lightweight virtual environment for macOS with container-like user experience.
NAC does not need the root privilege and does not conflict with System Integrity Protection (SIP).
Note that NAC is Not A Container; NAC does not provide a secure isolation in any way.
In this sense, NAC is akin to Python's venv rather than Docker.
make
sudo make installThe command below virtually mounts $HOME/usr_local into /usr/local:
nac run -it --rm -v $HOME/usr_local:/usr/local host bashThe syntax of nac run is similar to docker run, but nac run does not support "images" yet.
Warning
Some applications (such as Homebrew) may not recognize the virtual mounts.
Be cautious, especially when removing or overwriting a file on a virtual mount. It may potentially result in removing or or overwriting a file on the real filesystem.
Note
GUI applications do not work (yet).
NAC copies a command binary into a temporary directory and attaches
the com.apple.security.cs.allow-dyld-environment-variables entitlement to it
so that dylib calls for libc can be intercepted with DYLD_INSERT_LIBRARIES.
Non-dylib calls, such as a direct invocation of the svc (ARM) / syscall (Intel) instructions, are not intercepted.
- Support running multiple Homebrew instances with isolated
/opt/homebrew - Build a fork of
/usr/lib/system/libsystem_kernel.dylib, and inject it viaDYLD_LIBRARY_PATH. This is expected to be more robust and will need less amount of hooks. However, it seems very hard to compilelibsystem_kernel.dylibfrom the source.