Add mask option to hide paths/files from sandbox

2026-04-01 23:19:08 +02:00
parent 0119834d5a
commit c7c4c673cb
5 changed files with 176 additions and 1 deletions
@@ -1,4 +1,4 @@
-use std::path::Path;
+use std::path::{Path, PathBuf};
 use std::process::Command;

 use crate::agents;
@@ -39,6 +39,8 @@ pub fn build_command(config: &SandboxConfig) -> Result<Command, SandboxError> {
    cmd.arg("--die-with-parent");
    cmd.arg("--chdir").arg(&config.chdir);

+    apply_masks(&mut cmd, &config.mask);
+
    cmd.arg("--")
        .arg(&config.command)
        .args(&config.command_args);
@@ -46,6 +48,16 @@ pub fn build_command(config: &SandboxConfig) -> Result<Command, SandboxError> {
    Ok(cmd)
 }

+fn apply_masks(cmd: &mut Command, masks: &[PathBuf]) {
+    for path in masks {
+        if path.is_file() {
+            cmd.arg("--ro-bind").arg("/dev/null").arg(path);
+        } else {
+            cmd.arg("--tmpfs").arg(path);
+        }
+    }
+}
+
 fn add_blacklist_mode(cmd: &mut Command) -> Result<(), SandboxError> {
    let ctx = blacklist::resolve_path_context()?;
    cmd.args(["--ro-bind", "/", "/"]);