I’d like to explore adding optional OS-level sandboxing around hook execution, using platform capabilities such as macOS Seatbelt and Linux Landlock.
This could help with two related goals:
- Enforce read-only hooks
  Some hooks are intended to only inspect files. If that can be enforced by the OS, prek could run those hooks more aggressively in parallel without worrying about file write conflicts.
- Reduce risk from third-party hooks
  Remote hooks execute third-party code. A sandbox could reduce the impact of accidental or malicious behavior by limiting what hook processes can access or modify.
This should likely start as an opt-in capability, with clear behavior when sandboxing is unavailable on the current platform.
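As an illustration of the Linux half of this proposal (added here, not prek's own code), the block below confines a process to read-only filesystem access with Landlock, reports cleanly when the kernel or a seccomp policy offers no Landlock, and probes in a forked child what the OS actually enforces. Function and constant names are assumed; the syscall numbers and access bits are the upstream Landlock ABI.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdint.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <unistd.h>
/* Landlock ABI constants spelled out so this builds without <linux/landlock.h>. */
#define SYS_ll_create_ruleset 444
#define SYS_ll_add_rule 445
#define SYS_ll_restrict_self 446
#define LL_CREATE_RULESET_VERSION (1U << 0)
#define LL_RULE_PATH_BENEATH 1
#define LL_FS_READ_ONLY (1ULL | 4ULL | 8ULL) /* EXECUTE | READ_FILE | READ_DIR */
#define LL_FS_ALL_V1 ((1ULL << 13) - 1)      /* every ABI v1 filesystem right */
#define LL_FS_REFER (1ULL << 13)             /* ABI v2 */
#define LL_FS_TRUNCATE (1ULL << 14)          /* ABI v3 */
struct ll_ruleset_attr { uint64_t handled_access_fs; };
struct ll_path_beneath_attr { uint64_t allowed_access; int32_t parent_fd; } __attribute__((packed));
enum { WRITE_DENIED = 0, WRITE_ALLOWED = 1, SANDBOX_UNSUPPORTED = 2, PROBE_ERROR = 3 };

/* Confine the caller to read-only access beneath `root`: 0 on success, SANDBOX_UNSUPPORTED
 * when the kernel or seccomp offers no Landlock at all, -1 on any other error. */
int restrict_to_read_only(const char *root) {
    long abi = syscall(SYS_ll_create_ruleset, NULL, 0, LL_CREATE_RULESET_VERSION);
    if (abi < 0) return SANDBOX_UNSUPPORTED;
    struct ll_ruleset_attr attr = { .handled_access_fs = LL_FS_ALL_V1 };
    if (abi >= 2) attr.handled_access_fs |= LL_FS_REFER;    /* only claim rights this kernel knows */
    if (abi >= 3) attr.handled_access_fs |= LL_FS_TRUNCATE; /* truncation is a write too */
    int ruleset = (int)syscall(SYS_ll_create_ruleset, &attr, sizeof attr, 0);
    if (ruleset < 0) return -1;
    struct ll_path_beneath_attr rule = { LL_FS_READ_ONLY, open(root, O_PATH | O_CLOEXEC) };
    int rc = rule.parent_fd < 0 ? -1 : (int)syscall(SYS_ll_add_rule, ruleset, LL_RULE_PATH_BENEATH, &rule, 0);
    /* PR_SET_NO_NEW_PRIVS is mandatory before restrict_self and also blocks setuid escapes. */
    if (rc == 0) rc = prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) ? -1 : (int)syscall(SYS_ll_restrict_self, ruleset, 0);
    close(rule.parent_fd); close(ruleset);
    return rc ? -1 : 0;
}

/* Fork a child that sandboxes itself and then tries to create `path`; return the OS verdict. */
int probe_write_under_sandbox(const char *path) {
    pid_t pid = fork();
    if (pid < 0) return PROBE_ERROR;
    if (pid == 0) {
        int rc = restrict_to_read_only("/");
        if (rc != 0) _exit(rc == SANDBOX_UNSUPPORTED ? SANDBOX_UNSUPPORTED : PROBE_ERROR);
        int fd = open(path, O_WRONLY | O_CREAT, 0600);
        if (fd < 0) _exit(errno == EACCES ? WRITE_DENIED : PROBE_ERROR);
        close(fd); unlink(path); _exit(WRITE_ALLOWED);
    }
    int status; return (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status)) ? PROBE_ERROR : WEXITSTATUS(status);
}
```

A real hook runner would call `restrict_to_read_only` in the child between `fork` and `exec` of the hook, and treat `SANDBOX_UNSUPPORTED` as the documented "sandboxing unavailable on this platform" case rather than silently running unconfined.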