Add /sys to whitelist mode

2026-03-25 22:22:35 +01:00
parent dccf2309a5
commit 0bd91ffad2
2 changed files with 16 additions and 0 deletions


@@ -116,6 +116,8 @@ fn add_whitelist_mode(cmd: &mut Command) -> Result<(), SandboxError> {
cmd.args(["--ro-bind-try", path, path]); cmd.args(["--ro-bind-try", path, path]);
} }
cmd.args(["--ro-bind-try", "/sys", "/sys"]);
let local_bin = format!("{home}/.local/bin"); let local_bin = format!("{home}/.local/bin");
cmd.arg("--ro-bind-try").arg(&local_bin).arg(&local_bin); cmd.arg("--ro-bind-try").arg(&local_bin).arg(&local_bin);
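Review bot: The added `cmd.args(["--ro-bind-try", "/sys", "/sys"]);` exposes the host's entire sysfs tree to every whitelist-mode sandbox, and nothing in the hunk records why the full tree is needed. Even read-only, /sys lets the sandboxed process enumerate host hardware, network interfaces and kernel module state, which widens the information surface of a mode that is otherwise an allow-list. If only specific subtrees are required, binding those instead would keep the allow-list tight. Otherwise a comment such as `// /sys is bound read-only in full: <reason>; exposes host device and interface info to the sandbox` would document the trade-off. add_whitelist_mode starts before and continues after the hunk, so a justification may already exist outside the visible lines.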


@@ -325,6 +325,20 @@ fn empty_home_rejected() {
); );
} }
#[test]
fn whitelist_sys_is_readable() {
let output = sandbox(&["--whitelist"])
.args(["--", "bash", "-c", "cat /sys/class/net/lo/address"])
.output()
.expect("agent-sandbox binary failed to execute");
let stdout = String::from_utf8_lossy(&output.stdout).trim().to_string();
assert_eq!(
stdout, "00:00:00:00:00:00",
"expected loopback address from /sys, got: {stdout}"
);
}
#[test] #[test]
fn new_session_isolates_sid() { fn new_session_isolates_sid() {
let inner_sid = read_sid_inside_sandbox(&[]); let inner_sid = read_sid_inside_sandbox(&[]);
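Review bot: `whitelist_sys_is_readable` compares stdout without first checking `output.status`, so if the sandbox or `cat` fails, the assertion reports only an empty string and the cause in stderr is discarded. Adding `assert!(output.status.success(), "stderr: {}", String::from_utf8_lossy(&output.stderr));` ahead of the `assert_eq!` would make a failure diagnosable. The test also covers only readability; nothing visible in this hunk exercises the read-only property that `--ro-bind-try` is relied on for. A short doc comment stating that scope would help, e.g. `/// Checks that whitelist mode exposes /sys; does not verify the mount is read-only.`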