mrtoth/agent-sandbox
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Bind symlinked rw/ro paths at the user-written destination

Browse Source 
Canonicalizing rw/ro paths in the config layer resolved symlinks before
the sandbox was built, so a symlinked entry only appeared at its
target's location -- never at the path the user wrote. Stop
canonicalizing rw/ro at the config layer and instead resolve only the
source side of the bind in sandbox.rs.
This commit is contained in:
Kristóf Tóth
2026-04-07 17:45:38 +02:00
parent f0711f2894
commit 83bd4305c7
3 changed files with 91 additions and 11 deletions
Download Patch File Download Diff File Expand all files Collapse all files
src/sandbox.rs
+8 -8
View File
@@ -180,17 +180,17 @@ fn ro_bind_under_tmpfs(cmd: &mut Command, base: &str, paths: &[&str]) {
}
fn add_rw_bind(cmd: &mut Command, path: &Path) -> Result<(), SandboxError> {
if !path.exists() {
return Err(SandboxError::PathMissing(path.to_path_buf()));
}
cmd.arg("--bind").arg(path).arg(path);
let source = resolve_bind_source(path)?;
cmd.arg("--bind").arg(source).arg(path);
Ok(())
}
fn add_ro_bind(cmd: &mut Command, path: &Path) -> Result<(), SandboxError> {
if !path.exists() {
return Err(SandboxError::PathMissing(path.to_path_buf()));
}
cmd.arg("--ro-bind").arg(path).arg(path);
let source = resolve_bind_source(path)?;
cmd.arg("--ro-bind").arg(source).arg(path);
Ok(())
}
fn resolve_bind_source(path: &Path) -> Result<PathBuf, SandboxError> {
std::fs::canonicalize(path).map_err(|_| SandboxError::PathMissing(path.to_path_buf()))
}