<rss version="2.0" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:atom="http://www.w3.org/2005/Atom"><channel><title>Hacker News: bdash</title><link>https://news.ycombinator.com/user?id=bdash</link><description>Hacker News RSS</description><docs>https://hnrss.org/</docs><generator>hnrss v2.1.1</generator><lastBuildDate>Wed, 29 Apr 2026 21:39:07 +0000</lastBuildDate><atom:link href="https://hnrss.org/user?id=bdash" rel="self" type="application/rss+xml"></atom:link><item><title><![CDATA[New comment by bdash in "macOS's Little-Known Command-Line Sandboxing Tool (2025)"]]></title><description><![CDATA[
<p>It is a little more direct than that even. The application's entitlements are passed into the interpretation of the sandbox profile. It is the sandbox profile itself that determines which policies should be applied in the resulting compiled sandbox policy based on entitlements and other factors.<p>An example from /System/Library/Sandbox/Profiles/application.sb, the profile that is used for App Sandboxed applications, on my system:<p><pre><code>  (when (entitlement "com.apple.security.files.downloads.read-only")
        (read-only-and-issue-extensions (home-subpath "/Downloads")))
  (when (entitlement "com.apple.security.files.downloads.read-write")
        (read-write-and-issue-extensions (home-subpath "/Downloads")))
  (when (or (entitlement "com.apple.security.files.downloads.read-only")
            (entitlement "com.apple.security.files.downloads.read-write"))
        (allow process-exec (home-subpath "/Downloads")))</code></pre></p>
]]></description><pubDate>Sat, 21 Feb 2026 19:08:24 +0000</pubDate><link>https://news.ycombinator.com/item?id=47103671</link><dc:creator>bdash</dc:creator><comments>https://news.ycombinator.com/item?id=47103671</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=47103671</guid></item><item><title><![CDATA[New comment by bdash in "macOS's Little-Known Command-Line Sandboxing Tool (2025)"]]></title><description><![CDATA[
<p>App Sandbox is fundamentally a way for programs to use the underlying sandbox subsystem without having to write SBPL code themselves. When a program has opted into the App Sandbox, the system applies one of these sandbox policies automatically during app initialization. The policy examines the entitlements of the application to determine which additional resources should be permitted. See /System/Library/Sandbox/Profiles/application.sb if you're curious.<p>By far the biggest advantage of App Sandbox is that the policy ships along with the OS. If a system framework changes what resources it accesses in a software update, Apple can update the policy so the framework functionality still works. If your app uses a custom sandbox policy, you're on your own to both notice that something has changed and to update your policy.<p>The downside is that the App Sandbox policy is limiting and inflexible.</p>
]]></description><pubDate>Sat, 21 Feb 2026 18:43:19 +0000</pubDate><link>https://news.ycombinator.com/item?id=47103444</link><dc:creator>bdash</dc:creator><comments>https://news.ycombinator.com/item?id=47103444</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=47103444</guid></item><item><title><![CDATA[New comment by bdash in "macOS's Little-Known Command-Line Sandboxing Tool (2025)"]]></title><description><![CDATA[
<p>See <a href="https://bdash.net.nz/posts/sandboxing-on-macos/" rel="nofollow">https://bdash.net.nz/posts/sandboxing-on-macos/</a> for more details on how sandboxing works on macOS. It touches on how the SBPL Scheme source code is interpreted in userspace to build a bytecode representation of the policy, and the kernel MAC hooks that the Sandbox kernel extension uses for enforcing sandbox policies.</p>
]]></description><pubDate>Sat, 21 Feb 2026 18:31:09 +0000</pubDate><link>https://news.ycombinator.com/item?id=47103338</link><dc:creator>bdash</dc:creator><comments>https://news.ycombinator.com/item?id=47103338</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=47103338</guid></item><item><title><![CDATA[New comment by bdash in "Demystifying ARM SME to Optimize General Matrix Multiplications"]]></title><description><![CDATA[
<p>There are SME / SME2 instructions that use the ZA tiles as vector registers / vector groups. These can take advantage of the higher throughput of the SME processing grid vs SSVE instructions that operate on Z registers. See the `FMLA (SME2)` case under Peak Performance at <a href="https://scalable.uni-jena.de/opt/sme/micro.html#peak-performance" rel="nofollow">https://scalable.uni-jena.de/opt/sme/micro.html#peak-perform...</a>.</p>
]]></description><pubDate>Sun, 01 Feb 2026 01:26:23 +0000</pubDate><link>https://news.ycombinator.com/item?id=46842734</link><dc:creator>bdash</dc:creator><comments>https://news.ycombinator.com/item?id=46842734</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=46842734</guid></item><item><title><![CDATA[New comment by bdash in "Demystifying ARM SME to Optimize General Matrix Multiplications"]]></title><description><![CDATA[
<p>Intel's software optimization guides have similar annotations on many of their guidelines, and have done since long before LLMs were a thing. As a reader it's useful to know how impactful a given recommendation is and how generally applicable it is without having to read the more detailed explanations.</p>
]]></description><pubDate>Sun, 01 Feb 2026 00:39:41 +0000</pubDate><link>https://news.ycombinator.com/item?id=46842460</link><dc:creator>bdash</dc:creator><comments>https://news.ycombinator.com/item?id=46842460</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=46842460</guid></item><item><title><![CDATA[New comment by bdash in "Demystifying ARM SME to Optimize General Matrix Multiplications"]]></title><description><![CDATA[
<p>SSVE instructions are executed by the SME engine, which trades latency for throughput. SSVE is really intended to support use of SME, rather than as a replacement for Advanced SIMD on the CPU core itself.<p>The Apple Silicon CPU Optimization Guide has a lot of great information on SME and SSVE, along with more general information on optimizing for Apple's CPUs.<p>A few quotes from Apple's guide that are particularly relevant to SSVE, from "SSVE Vector Execution Unit Optimization":<p>> Broadly, this unit is designed to support long vector and matrix operations performed on ZA storage _in the SME Processing Grid_.<p>> Recommendation: Use SSVE in a supporting role to enable high throughput SME grid computation.<p>> [Magnitude: High | Applicability: High] SSVE offers wide 64B vectors. While the ISA includes instructions that can operate on multi-vectors, the throughput is often only one 64B vector per cycle. Use SSVE to enable SME, which offers higher parallelism.<p>> Because of non-speculative execution, communication latencies, and in some cases long memory and computation latencies, SME engine instructions trail execution in the core by dozens to thousands of cycles. Any core compute instructions that consume data produced by the SME engine may have to wait an indeterminate (but long) amount of time for the data to arrive.</p>
]]></description><pubDate>Sun, 01 Feb 2026 00:00:56 +0000</pubDate><link>https://news.ycombinator.com/item?id=46842182</link><dc:creator>bdash</dc:creator><comments>https://news.ycombinator.com/item?id=46842182</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=46842182</guid></item><item><title><![CDATA[Spinning around: Please don’t – Common problems with spin locks]]></title><description><![CDATA[
<p>Article URL: <a href="https://www.siliceum.com/en/blog/post/spinning-around/">https://www.siliceum.com/en/blog/post/spinning-around/</a></p>
<p>Comments URL: <a href="https://news.ycombinator.com/item?id=46797868">https://news.ycombinator.com/item?id=46797868</a></p>
<p>Points: 158</p>
<p># Comments: 63</p>
]]></description><pubDate>Wed, 28 Jan 2026 16:48:59 +0000</pubDate><link>https://www.siliceum.com/en/blog/post/spinning-around/</link><dc:creator>bdash</dc:creator><comments>https://news.ycombinator.com/item?id=46797868</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=46797868</guid></item><item><title><![CDATA[New comment by bdash in "Electron-based apps cause system-wide lag on macOS 26 Tahoe"]]></title><description><![CDATA[
<p>Strangely the WindowServer issue is a constant issue on my personal MacBook Pro, but I've never seen it on my identical work MacBook Pro. It seems like there's some other factor that is necessary to trigger the problem.</p>
]]></description><pubDate>Thu, 25 Sep 2025 21:33:37 +0000</pubDate><link>https://news.ycombinator.com/item?id=45379419</link><dc:creator>bdash</dc:creator><comments>https://news.ycombinator.com/item?id=45379419</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=45379419</guid></item><item><title><![CDATA[New comment by bdash in "Electron-based apps cause system-wide lag on macOS 26 Tahoe"]]></title><description><![CDATA[
<p>I'd sorta hope they are testing widely-used applications in the way that typical end users will experience them before releasing a new OS version.</p>
]]></description><pubDate>Thu, 25 Sep 2025 21:29:59 +0000</pubDate><link>https://news.ycombinator.com/item?id=45379373</link><dc:creator>bdash</dc:creator><comments>https://news.ycombinator.com/item?id=45379373</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=45379373</guid></item><item><title><![CDATA[New comment by bdash in "Electron-based apps cause system-wide lag on macOS 26 Tahoe"]]></title><description><![CDATA[
<p>This affects some of the most widely used applications on the platform, including "productivity" applications such as Slack that Apple uses internally. How did no-one at Apple notice this and do something about it prior to macOS 26 being released?</p>
]]></description><pubDate>Thu, 25 Sep 2025 19:40:51 +0000</pubDate><link>https://news.ycombinator.com/item?id=45377927</link><dc:creator>bdash</dc:creator><comments>https://news.ycombinator.com/item?id=45377927</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=45377927</guid></item><item><title><![CDATA[New comment by bdash in "I made a real-time C/C++/Rust build visualizer"]]></title><description><![CDATA[
<p>I've had success using <a href="https://github.com/nico/ninjatracing" rel="nofollow">https://github.com/nico/ninjatracing</a> along with Clang's `-ftime-trace` to visualize the build performance of a C++ project using CMake. <a href="https://github.com/aras-p/ClangBuildAnalyzer" rel="nofollow">https://github.com/aras-p/ClangBuildAnalyzer</a> helps further break down what the compiler is spending its time on.</p>
]]></description><pubDate>Fri, 15 Aug 2025 02:38:22 +0000</pubDate><link>https://news.ycombinator.com/item?id=44908042</link><dc:creator>bdash</dc:creator><comments>https://news.ycombinator.com/item?id=44908042</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=44908042</guid></item><item><title><![CDATA[New comment by bdash in "How easy is it for a developer to "sandbox" a program?"]]></title><description><![CDATA[
<p>It mostly seems to be deprecated to encourage developers to use App Sandbox rather than doing custom sandboxing things. With custom sandboxing, baking implementation details of system frameworks into the sandbox policy is almost unavoidable, and Apple would really rather you didn't do that as it limits their ability to make changes in the future.<p>The underlying sandbox subsystem is what App Sandbox uses. Apple can happily rely on implementation details of system frameworks in their policies because they can update them as the system frameworks change.<p>The sandbox subsystem is what all of Apple's system software uses for sandboxing, as well as many security-conscious third-party programs such as web browsers. It's not going anywhere anytime soon, despite being marked as deprecated.</p>
]]></description><pubDate>Sun, 15 Jun 2025 18:53:00 +0000</pubDate><link>https://news.ycombinator.com/item?id=44284233</link><dc:creator>bdash</dc:creator><comments>https://news.ycombinator.com/item?id=44284233</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=44284233</guid></item><item><title><![CDATA[New comment by bdash in "Mac app launches slowed by malware scan (2024)"]]></title><description><![CDATA[
<p>What's most amusing is that in the most recent blog post (<a href="https://eclecticlight.co/2025/04/30/why-some-apps-sometimes-launch-extremely-slowly/" rel="nofollow">https://eclecticlight.co/2025/04/30/why-some-apps-sometimes-...</a>), the handful of log statements that serve as the source of the claim in fact confirm that it is syspolicyd performing a malware scan that is responsible for the delay during launch.<p>11.012004 com.apple.syspolicy.exec Recording cache miss for <private><p>20.898736 AppleSystemPolicy Waking up reference: 174<p>The first of the two messages is from `syspolicyd` and is reporting that it has no cached malware scan result for a file it was asked to scan. The malware scan is triggered by an up-call within the AppleSystemPolicy kernel extension during a MACF hook (`proc_notify_exec_complete`, `file_check_library_validation`, or `file_check_mmap`) if the kext doesn’t have a cached malware scan result for the vnode of the file in question.<p>The second log message is from the AppleSystemPolicy kernel extension when it receives the result of the malware scan and permits the process to resume execution.<p>It's a little puzzling that the original analysis is published based on speculation, without any real attempt at verifying that the data supports their hypothesis. Looking at `top` or Activity Monitor during the slow launch would show which process is performing work. A spindump captured during the slow launch would reveal what work it is doing. The system log store captures the process and subsystem that logged any given message. A few minutes in Binary Ninja or Hopper gives you a rough idea of what the code that emits the log is doing.</p>
]]></description><pubDate>Fri, 02 May 2025 00:13:10 +0000</pubDate><link>https://news.ycombinator.com/item?id=43864828</link><dc:creator>bdash</dc:creator><comments>https://news.ycombinator.com/item?id=43864828</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=43864828</guid></item><item><title><![CDATA[New comment by bdash in "‘Bluey’s World’: How a Cute Aussie Puppy Became a Juggernaut"]]></title><description><![CDATA[
<p>Doctor Bandit Heeler is an archeologist. <a href="https://www.youtube.com/watch?v=Uiv_V7QOy3A" rel="nofollow">https://www.youtube.com/watch?v=Uiv_V7QOy3A</a></p>
]]></description><pubDate>Sat, 22 Mar 2025 16:06:49 +0000</pubDate><link>https://news.ycombinator.com/item?id=43446722</link><dc:creator>bdash</dc:creator><comments>https://news.ycombinator.com/item?id=43446722</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=43446722</guid></item><item><title><![CDATA[Doom II running on an Avengers Infinity Quest pinball machine [video]]]></title><description><![CDATA[
<p>Article URL: <a href="https://www.youtube.com/watch?v=Nf8uIzg_aUA">https://www.youtube.com/watch?v=Nf8uIzg_aUA</a></p>
<p>Comments URL: <a href="https://news.ycombinator.com/item?id=42701335">https://news.ycombinator.com/item?id=42701335</a></p>
<p>Points: 2</p>
<p># Comments: 0</p>
]]></description><pubDate>Tue, 14 Jan 2025 18:12:50 +0000</pubDate><link>https://www.youtube.com/watch?v=Nf8uIzg_aUA</link><dc:creator>bdash</dc:creator><comments>https://news.ycombinator.com/item?id=42701335</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=42701335</guid></item><item><title><![CDATA[New comment by bdash in "TCC and the macOS Platform Sandbox Policy"]]></title><description><![CDATA[
<p>The code snippets are purely declarative because they are reconstructed from the simple bytecode that the macOS sandbox library generates after evaluating the Scheme code. At that point any abstractions present in the source code are long gone and only predicates and actions remain.<p>If you look at typical SBPL source code you'll see it tends to contain a mix of straightforward, declarative `(allow …)` policies and custom functions/macros used to simplify repeated patterns. See <a href="https://github.com/WebKit/WebKit/blob/11b5279aec6113c661dac368e2fc015fbc598f9c/Source/WebKit/Shared/Sandbox/iOS/common.sb">https://github.com/WebKit/WebKit/blob/11b5279aec6113c661dac3...</a>, for example.</p>
]]></description><pubDate>Tue, 10 Dec 2024 06:46:00 +0000</pubDate><link>https://news.ycombinator.com/item?id=42374424</link><dc:creator>bdash</dc:creator><comments>https://news.ycombinator.com/item?id=42374424</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=42374424</guid></item><item><title><![CDATA[New comment by bdash in "TCC and the macOS Platform Sandbox Policy"]]></title><description><![CDATA[
<p>It still compiles the rules down to a very basic bytecode: <a href="https://bdash.net.nz/posts/sandboxing-on-macos/#sandbox-policy-evaluation" rel="nofollow">https://bdash.net.nz/posts/sandboxing-on-macos/#sandbox-poli...</a></p>
]]></description><pubDate>Tue, 10 Dec 2024 06:32:38 +0000</pubDate><link>https://news.ycombinator.com/item?id=42374355</link><dc:creator>bdash</dc:creator><comments>https://news.ycombinator.com/item?id=42374355</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=42374355</guid></item><item><title><![CDATA[New comment by bdash in "Firefox-Passwords-Decryptor: Extracts and decrypts passwords saved in Firefox"]]></title><description><![CDATA[
<p>Passkeys are a different story than the keychain more generally. Other browsers that work with passkeys via the system APIs had to jump through hoops and get Apple's approval to do so: <a href="https://developer.apple.com/documentation/bundleresources/entitlements/com_apple_developer_web-browser_public-key-credential" rel="nofollow">https://developer.apple.com/documentation/bundleresources/en...</a></p>
]]></description><pubDate>Fri, 01 Nov 2024 01:27:54 +0000</pubDate><link>https://news.ycombinator.com/item?id=42013212</link><dc:creator>bdash</dc:creator><comments>https://news.ycombinator.com/item?id=42013212</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=42013212</guid></item><item><title><![CDATA[New comment by bdash in "M4 MacBook Pro"]]></title><description><![CDATA[
<p>When I first run locally-built software I tend to notice XProtect scanning each binary when it is launched. I know that XProtect matches the executable against a pre-downloaded list of malware signatures rather than sending data to the internet, but I haven't monitored network traffic to be sure it is purely local. You can see the malware signatures it uses at /private/var/protected/xprotect/XProtect.bundle/Contents/Resources/XProtect.yara if you're curious.</p>
]]></description><pubDate>Thu, 31 Oct 2024 03:45:27 +0000</pubDate><link>https://news.ycombinator.com/item?id=42003295</link><dc:creator>bdash</dc:creator><comments>https://news.ycombinator.com/item?id=42003295</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=42003295</guid></item><item><title><![CDATA[New comment by bdash in "M4 MacBook Pro"]]></title><description><![CDATA[
<p>I suspect they're referring to changes to Gatekeeper in recent macOS versions: <a href="https://arstechnica.com/gadgets/2024/08/macos-15-sequoia-makes-you-jump-through-more-hoops-to-disable-gatekeeper-app-checks/" rel="nofollow">https://arstechnica.com/gadgets/2024/08/macos-15-sequoia-mak...</a><p>It used to be that you could run any third-party application you downloaded. And then for a while you'd have to right-click and select Open the first time you ran an application you'd downloaded, and then click through a confirmation prompt. And in macOS 15, you have to attempt to open the application, be told it is unsafe, and then manually approve it via system settings.</p>
]]></description><pubDate>Thu, 31 Oct 2024 03:38:44 +0000</pubDate><link>https://news.ycombinator.com/item?id=42003256</link><dc:creator>bdash</dc:creator><comments>https://news.ycombinator.com/item?id=42003256</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=42003256</guid></item></channel></rss>