mrtoth/agent-sandbox
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
33 Commits 1 Branch 0 Tags
83bd4305c7a6f846ce5e5aaeeed4485ba1299fcd
Commit Graph

27 Commits

Author SHA1 Message Date
Kristóf Tóth
83bd4305c7 Bind symlinked rw/ro paths at the user-written destination 
Canonicalizing rw/ro paths in the config layer resolved symlinks before
the sandbox was built, so a symlinked entry only appeared at its
target's location -- never at the path the user wrote. Stop
canonicalizing rw/ro at the config layer and instead resolve only the
source side of the bind in sandbox.rs.
 2026-04-07 17:45:38 +02:00
Kristóf Tóth
cab0eb74d7 Error out if no entrypoint or command is passed (drop claude default) 2026-04-04 10:19:58 +02:00
Kristóf Tóth
062ddab5f8 Add entrypoint option 2026-04-04 10:16:57 +02:00
Kristóf Tóth
8ecba5d6dc Add option to pass through arguments to brwap, use shlex for dry-run 2026-04-04 08:51:08 +02:00
Kristóf Tóth
8958f79ece Document and expand test coverage of config file feature 2026-04-04 08:51:08 +02:00
Kristóf Tóth
db60fb9ddb Reject unknown config keys 2026-04-01 23:51:47 +02:00
Kristóf Tóth
c7c4c673cb Add mask option to hide paths/files from sandbox 2026-04-01 23:19:08 +02:00
Kristóf Tóth
0119834d5a Implement config file parsing and precedence with CLI 2026-03-31 01:22:08 +02:00
Kristóf Tóth
f1d7a14b8d Ensure root filesystem is always read-only inside sandbox 
Whitelist mode's implicit bwrap root was a writable tmpfs, letting the
sandboxed process create files and directories anywhere not covered by
an explicit ro mount. This was not an issue in blacklist mode due to
--ro-bind / / covering that case.

This patch adds --remount-ro / before any other mount to make the base
layer read-only in both modes.
 2026-03-29 16:50:59 +02:00
Kristóf Tóth
99f9395c10 Move require_run_user to lib.rs and make blacklist module private 2026-03-25 23:54:35 +01:00
Kristóf Tóth
5fc7eb3c11 Consolidate whitelist mode setup into add_whitelist_mode 2026-03-25 23:43:48 +01:00
Kristóf Tóth
167439c156 Add fish/nushell history and /tmp leaks to SENSITIVE_PATHS 2026-03-25 23:00:52 +01:00
Kristóf Tóth
6349709024 Add container, WM, package manager, and database sockets to SENSITIVE_PATHS 2026-03-25 22:58:12 +01:00
Kristóf Tóth
d3f8986b77 Sort dirs before files in resolve_overlays 
Glob results within a SENSITIVE_PATHS entry could return files before
their parent directory. When that happens the file gets a null-bind
while its siblings remain visible, because the parent hasn't been added
to tmpfs_dirs yet. Sorting dirs first removes this implicit ordering
dependency.
 2026-03-25 22:54:56 +01:00
Kristóf Tóth
82f84247f1 Rework handling of /run and ${RUNUSER} in blacklist mode 2026-03-25 22:48:39 +01:00
Kristóf Tóth
0bd91ffad2 Add /sys to whitelist mode 2026-03-25 22:22:35 +01:00
Kristóf Tóth
dccf2309a5 Add --new-session to bwrap invocation 2026-03-25 22:15:21 +01:00
Kristóf Tóth
9f82ca21ee Add /dev/input/ to SENSITIVE_PATHS for blacklist mode 2026-03-25 22:00:32 +01:00
Kristóf Tóth
ada9da7ae7 Reject empty HOME envvar 2026-03-20 21:43:08 +01:00
Kristóf Tóth
4112288a30 Ensure passing relative paths to CLI works 2026-03-20 21:36:55 +01:00
Kristóf Tóth
94535b20d3 Fix blacklist bind mount order 2026-03-20 21:02:48 +01:00
Kristóf Tóth
826c6d5531 Add ~/.claude.json to agent paths and use --bind-try 2026-03-20 20:41:24 +01:00
Kristóf Tóth
50dafb4c37 Fix read-only /dev, /proc, /tmp, /var/tmp, /run in blacklist mode 2026-03-20 20:40:57 +01:00
Kristóf Tóth
c8e0d4813a Use --ro-bind-try for system files in whitelist mode 2026-03-20 19:29:53 +01:00
Kristóf Tóth
b4b94856ac Skip run_user overlay when runtime dir is unknown 2026-03-20 19:29:43 +01:00
Kristóf Tóth
9da043a70e Remove redundant /etc/ssh/* glob entry 2026-03-20 19:29:38 +01:00
Kristóf Tóth
bf53d92d49 Initial commit 2026-03-20 18:40:08 +01:00