Document hardening, network default, and profile merge rules

2026-04-22 23:14:39 +02:00
parent 6933deb441
commit 862feada05
2 changed files with 11 additions and 3 deletions
+10 -2
@@ -6,7 +6,7 @@ Sandbox agentic coding assistants with [bubblewrap](https://github.com/container
### Whitelist
Tight sandbox for normal agent coding tasks. Only explicitly listed paths are visible — system binaries, libraries, a subset of `/etc`, `/sys` (all read-only), synthetic `/dev`, private `/proc`, `/tmp`, `/run`, and the working directory (read-write). Everything else is invisible.
Tight sandbox for normal agent coding tasks. Only explicitly listed paths are visible — system binaries, libraries, a subset of `/etc`, `/sys` (all read-only), synthetic `/dev`, private `/proc`, `/tmp`, `/run`, and the working directory (read-write). Everything else is invisible. Whitelist always runs with hardening on (see below).
### Blacklist
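Review bot: the new sentence "Whitelist always runs with hardening on (see below)" should name the section it points at, e.g. "(see Hardening)", and it would help to state the consequence here rather than only in the Hardening paragraph: `--no-hardened` and a config-file `hardened = false` have no effect in whitelist mode. A reader who only skims the Whitelist section will otherwise try to turn it off.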
@@ -16,6 +16,14 @@ The threat model is prompt injection and accidental damage, not a determined att
**Not protected in blacklist mode:** arbitrary readable files outside the sensitive paths list, and D-Bus method calls (access control is daemon-side).
### Hardening
`--hardened` unshares the IPC, PID, and UTS namespaces and sets the hostname to `sandbox`. This is independent of the filesystem mode and can be combined with either. Whitelist mode enables it unconditionally; blacklist mode leaves it off by default. Use `--no-hardened` to override a config-file `hardened = true` (note: it cannot disable the implicit hardening that comes with whitelist mode).
### Network
The network namespace is shared with the host by default. Pass `--unshare-net` (or set `unshare-net = true` in the config) to isolate it; `--share-net` overrides a config-file `unshare-net = true`.
## Environment filtering
Both modes clamp the environment the child sees so prompt-injected agents can't `printenv` their way to secrets.
@@ -37,7 +45,7 @@ Settings can be stored in a TOML config file at `$XDG_CONFIG_HOME/agent-sandbox/
ln -sf "$(pwd)/config-example.toml" "${XDG_CONFIG_HOME:-$HOME/.config}/agent-sandbox/config.toml"
```
Top-level keys set defaults; `[profile.<name>]` sections define named presets selectable with `--profile <name>`. CLI flags always take highest precedence, followed by the active profile, then top-level defaults.
Top-level keys set defaults; `[profile.<name>]` sections define named presets selectable with `--profile <name>`. CLI flags always take highest precedence, followed by the active profile, then top-level defaults. When a profile is active, list-valued fields (`ro`, `rw`, `mask`, `env`, `unsetenv`, `bwrap-args`) append to the globals; scalar fields (modes, flags, `entrypoint`, `command`, `chdir`) replace them.
```toml
# Global defaults
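Review bot: the merge rules leave two things undocumented. First, "list-valued fields ... append to the globals" means a profile can only widen `ro`, `rw`, `mask`, `env` and `unsetenv`, never remove a global entry; say so, since a user who puts a broad `rw` path in the globals cannot narrow it from a profile and may assume otherwise. Second, "CLI flags always take highest precedence" is stated for scalars, but it is not clear whether a CLI list flag (e.g. a repeated `--ro`) replaces the merged list or appends to it like a profile does; one sentence stating which applies, and in what order `bwrap-args` are concatenated (globals first, then profile, then CLI), would settle it.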
+1 -1
@@ -18,7 +18,7 @@ pub struct Args {
#[arg(long)]
pub whitelist: bool,
/// Harden: unshare IPC, PID, UTS; private /tmp, /dev, /run
/// Harden: unshare IPC, PID, UTS namespaces and set hostname to "sandbox" (implied by --whitelist)
#[arg(long, overrides_with = "no_hardened")]
pub hardened: bool,
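Review bot: the updated doc comment says "(implied by --whitelist)" but `overrides_with = "no_hardened"` still lets clap accept `--whitelist --no-hardened`, which the README says is a no-op; add that to the help text, e.g. `/// ... (implied by --whitelist; --no-hardened cannot turn it off there)`, or validate the combination after parsing and emit a warning. Since clap uses this comment as the `--help` line, keep the first sentence short and put the details on a following `///` line.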