Add option to pass through arguments to brwap, use shlex for dry-run

Cargo.lock

@@ -9,6 +9,7 @@ dependencies = [
  "clap",
  "glob",
  "serde",
+ "shlex",
  "tempfile",
  "toml",
 ]
@@ -372,6 +373,12 @@ dependencies = [
  "serde_core",
 ]
 
+[[package]]
+name = "shlex"
+version = "1.3.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "0fda2ff0d084019ba4d7c6f371c95d8fd75ce3524c3cb8fb653a3023f6323e64"
+
 [[package]]
 name = "strsim"
 version = "0.11.1"

Cargo.toml

@@ -15,7 +15,9 @@ path = "src/main.rs"
 clap = { version = "4", features = ["derive"] }
 glob = "0.3"
 serde = { version = "1", features = ["derive"] }
+shlex = "1.3.0"
 toml = "1"
 
 [dev-dependencies]
+shlex = "1.3.0"
 tempfile = "3"

src/cli.rs

@@ -58,6 +58,10 @@ pub struct Args {
     #[arg(long = "mask", value_name = "PATH", action = clap::ArgAction::Append)]
     pub mask: Vec<PathBuf>,
 
+    /// Pass an arbitrary argument directly to bwrap (repeatable)
+    #[arg(long = "bwrap-arg", value_name = "ARG", action = clap::ArgAction::Append)]
+    pub bwrap_args: Vec<String>,
+
     /// Command and arguments to run inside the sandbox
     #[arg(trailing_var_arg = true, allow_hyphen_values = true)]
     pub command_and_args: Vec<OsString>,

src/config.rs

@@ -37,7 +37,12 @@ pub fn build(args: Args, file_config: Option<FileConfig>) -> Result<SandboxConfi
         chdir: resolve_chdir(args.chdir, profile.chdir, globals.chdir)?,
         extra_rw: merge_paths(args.extra_rw, &profile.rw, &globals.rw)?,
         extra_ro: merge_paths(args.extra_ro, &profile.ro, &globals.ro)?,
-        mask: merge_mask(args.mask, &profile.mask, &globals.mask),
+        mask: merge_vecs(args.mask, &profile.mask, &globals.mask),
+        bwrap_args: split_bwrap_args(merge_vecs(
+            args.bwrap_args,
+            &profile.bwrap_args,
+            &globals.bwrap_args,
+        ))?,
         command,
         command_args,
     })
@@ -99,7 +104,17 @@ fn merge_paths(
     Ok(config_paths.chain(cli_paths).collect())
 }
 
-fn merge_mask(cli: Vec<PathBuf>, profile: &[PathBuf], globals: &[PathBuf]) -> Vec<PathBuf> {
+fn split_bwrap_args(raw: Vec<String>) -> Result<Vec<String>, SandboxError> {
+    let mut out = Vec::new();
+    for value in &raw {
+        let words =
+            shlex::split(value).ok_or_else(|| SandboxError::InvalidBwrapArg(value.clone()))?;
+        out.extend(words);
+    }
+    Ok(out)
+}
+
+fn merge_vecs<T: Clone>(cli: Vec<T>, profile: &[T], globals: &[T]) -> Vec<T> {
     globals.iter().chain(profile).cloned().chain(cli).collect()
 }
 
@@ -204,6 +219,8 @@ pub struct Options {
     pub ro: Vec<PathBuf>,
     #[serde(default)]
     pub mask: Vec<PathBuf>,
+    #[serde(default)]
+    pub bwrap_args: Vec<String>,
 }
 
 impl Options {

src/errors.rs

@@ -24,6 +24,7 @@ pub enum SandboxError {
     ConflictingMode,
     UnknownConfigKey(String),
     ConfigPathNotAbsolute(PathBuf),
+    InvalidBwrapArg(String),
 }
 
 impl std::fmt::Display for SandboxError {
@@ -65,6 +66,9 @@ impl std::fmt::Display for SandboxError {
             Self::ConfigPathNotAbsolute(p) => {
                 write!(f, "config path is not absolute: {}", p.display())
             }
+            Self::InvalidBwrapArg(s) => {
+                write!(f, "invalid quoting in --bwrap-arg: {s}")
+            }
         }
     }
 }

src/lib.rs

@@ -26,6 +26,7 @@ pub struct SandboxConfig {
     pub extra_rw: Vec<PathBuf>,
     pub extra_ro: Vec<PathBuf>,
     pub mask: Vec<PathBuf>,
+    pub bwrap_args: Vec<String>,
     pub command: PathBuf,
     pub command_args: Vec<OsString>,
     pub chdir: PathBuf,
@@ -63,9 +64,16 @@ pub fn run(config: SandboxConfig) -> Result<(), SandboxError> {
     let mut cmd = sandbox::build_command(&config)?;
 
     if config.dry_run {
-        println!("{:?}", cmd);
+        println!("{}", shell_quote_command(&cmd));
         return Ok(());
     }
 
     Err(SandboxError::Io(cmd.exec()))
 }
+
+fn shell_quote_command(cmd: &std::process::Command) -> String {
+    let prog = cmd.get_program().to_string_lossy();
+    let args = cmd.get_args().map(|a| a.to_string_lossy());
+    let all: Vec<_> = std::iter::once(prog).chain(args).collect();
+    shlex::try_join(all.iter().map(|s| s.as_ref())).unwrap()
+}

src/sandbox.rs

@@ -41,6 +41,8 @@ pub fn build_command(config: &SandboxConfig) -> Result<Command, SandboxError> {
 
     apply_masks(&mut cmd, &config.mask);
 
+    cmd.args(&config.bwrap_args);
+
     cmd.arg("--")
         .arg(&config.command)
         .args(&config.command_args);

tests/integration.rs

@@ -245,6 +245,20 @@ fn dry_run_prints_and_exits() {
     );
 }
 
+#[test]
+fn dry_run_output_is_copy_pasteable_shell() {
+    let dry = sandbox(&["--dry-run"])
+        .args(["--", "bash", "-c", "echo $HOME"])
+        .output()
+        .expect("agent-sandbox binary failed to execute");
+
+    let dry_cmd = String::from_utf8_lossy(&dry.stdout).trim().to_string();
+    let args = shlex::split(&dry_cmd).expect("dry-run output is not valid shell");
+    assert_eq!(args[0], "bwrap");
+    assert_eq!(args[args.len() - 1], "echo $HOME");
+    assert_eq!(args[args.len() - 2], "-c");
+}
+
 #[test]
 fn blacklist_overlays_survive_tmp_bind() {
     fs::write("/tmp/ssh-sandbox-test", "secret").expect("failed to write sentinel");
@@ -649,6 +663,20 @@ fn mask_hides_file() {
     );
 }
 
+#[test]
+fn bwrap_arg_setenv_passes_through() {
+    let output = sandbox(&["--bwrap-arg", "--setenv MYVAR hello"])
+        .args(["--", "bash", "-c", "echo $MYVAR"])
+        .output()
+        .expect("agent-sandbox binary failed to execute");
+
+    let stdout = String::from_utf8_lossy(&output.stdout).trim().to_string();
+    assert_eq!(
+        stdout, "hello",
+        "expected --bwrap-arg to pass --setenv through to bwrap, got: {stdout}"
+    );
+}
+
 #[test]
 fn mask_nonexistent_path_becomes_tmpfs() {
     let dir = TempDir::new().unwrap();