feat(sandbox): enable LibreOffice in nsjail for document skills

Damien · Damien · commit 51365ef9049c · 2026-06-03T19:07:16.000+02:00
LibreOffice (soffice) needs three things to work in nsjail that the
default sandbox doesn't provide:

1. Access to its config and font discovery directories
   → bind-mount /etc/libreoffice, /etc/fonts, /usr/share/fonts (read-only)

2. /proc visibility — soffice hard-fails with "ERROR: /proc not mounted -
   LibreOffice is unlikely to work well if at all" otherwise. Extend the
   /proc-keeping language allowlist from {java, rs, bash} to also include
   {py, python}. nsjail's PID namespace still restricts /proc visibility
   to sandbox processes; only /proc/cpuinfo and /proc/meminfo leak host
   info, acceptable in the trusted-tenant model.

3. bind(2) syscall — LibreOffice's oosplash and soffice.bin communicate
   via AF_UNIX sockets. The original BUG-006c blocked bind to prevent
   server sockets, but network namespace isolation (--iface_no_lo) already
   prevents external connections, so AF_UNIX bind is safe. Extend the
   allowlist from {bash} to {py, python, java, bash}.

Same /proc handling applied to pool.py (Python REPL) and programmatic.py
(PTC) since they also drive document-processing skills.

Add XDG_CONFIG_HOME=/tmp/.config to the Python env so LibreOffice can
write its first-run profile to a writable location.
diff --git a/docker/nsjail-base.cfg b/docker/nsjail-base.cfg
@@ -211,6 +211,32 @@ mount {
     mandatory: false
 }
 
+# LibreOffice runtime configuration (required by soffice headless)
+mount {
+    src: "/etc/libreoffice"
+    dst: "/etc/libreoffice"
+    is_bind: true
+    rw: false
+    mandatory: false
+}
+
+# Font configuration and font files (required for document rendering)
+mount {
+    src: "/etc/fonts"
+    dst: "/etc/fonts"
+    is_bind: true
+    rw: false
+    mandatory: false
+}
+
+mount {
+    src: "/usr/share/fonts"
+    dst: "/usr/share/fonts"
+    is_bind: true
+    rw: false
+    mandatory: false
+}
+
 # Writable tmpfs for temporary files
 mount {
     dst: "/tmp"
diff --git a/src/services/programmatic.py b/src/services/programmatic.py
@@ -198,7 +198,10 @@ async def start_execution(
                 f"mount -t tmpfs -o size=1k tmpfs /app/ssl && "
                 f"mount -t tmpfs -o size=1k tmpfs /app/dashboard && "
                 f"mount -t tmpfs -o size=1k tmpfs /app/src && "
-                f"mount --bind /var/lib/code-interpreter/empty_proc /proc && "
+                # /proc kept accessible: PTC may invoke LibreOffice (soffice)
+                # for document-processing skills. soffice hard-fails without
+                # /proc. PID namespace inside nsjail still restricts visibility
+                # to sandbox processes.
                 # BUG-007: Ephemeral /tmp with noexec,nosuid,nodev
                 f"mount -t tmpfs -o {noexec_tmpfs}size={tmpfs_size}m,mode=1777 tmpfs /tmp && "
                 # BUG-008: Lock down other writable paths
diff --git a/src/services/sandbox/executor.py b/src/services/sandbox/executor.py
@@ -90,17 +90,17 @@ async def execute_command(
             # Some languages need /proc to function:
             #   - Java needs /proc/self/exe to locate libjli.so.
             #   - Rust needs /proc/self/exe to locate its own binary path.
-            #   - Bash sandboxes are the typical entry point for skills (e.g.,
-            #     the Anthropic pptx/docx/xlsx skills) that shell out to
-            #     LibreOffice (`soffice`) for PDF/image conversion. soffice
-            #     hard-fails with "ERROR: /proc not mounted - LibreOffice is
-            #     unlikely to work well if at all" without /proc.
+            #   - Python and Bash are typical entry points for skills that
+            #     shell out to LibreOffice (`soffice`) for document conversion
+            #     (DOCX/XLSX/PPTX → PDF). soffice hard-fails with "ERROR:
+            #     /proc not mounted - LibreOffice is unlikely to work well if
+            #     at all" without /proc.
             # nsjail still creates a separate PID namespace so the visible
             # /proc is restricted to the sandbox's own processes — main host
             # info disclosure risk is /proc/cpuinfo and /proc/meminfo, which
             # is acceptable in the trusted-tenant model these languages run in.
             lang = sandbox_info.language.lower().strip()
-            if lang in ("java", "rs", "bash"):
+            if lang in ("java", "rs", "py", "python", "bash"):
                 proc_mask = ""
             else:
                 proc_mask = (
@@ -212,6 +212,7 @@ def _build_sanitized_env(self, language: Optional[str]) -> Dict[str, str]:
                     "PYTHONPATH": f"{deps_root}/python:/mnt/data",
                     "MPLCONFIGDIR": "/tmp/mplconfig",
                     "XDG_CACHE_HOME": "/tmp/.cache",
+                    "XDG_CONFIG_HOME": "/tmp/.config",
                     "MPLBACKEND": "Agg",
                 }
             )
diff --git a/src/services/sandbox/nsjail.py b/src/services/sandbox/nsjail.py
@@ -203,12 +203,14 @@ def build_args(
         # Seccomp policy: block dangerous syscalls
         # - ptrace: prevents process inspection/debugging (BUG-006a)
         # - bind: was originally blocked to prevent server sockets even with
-        #   network access (BUG-006c), but bash sandboxes need it for tools
-        #   like LibreOffice which use AF_UNIX sockets internally for IPC.
-        #   Bash has the looser sandboxing model (also gets /proc), so allow
-        #   bind there. For other languages, keep blocking.
+        #   network access (BUG-006c), but the languages that drive
+        #   document-processing skills (Python, Java, Bash) need it for tools
+        #   like LibreOffice which use AF_UNIX sockets internally for IPC
+        #   between oosplash and soffice.bin.
+        #   Network namespace isolation (--iface_no_lo) already prevents
+        #   external connections, so allowing bind on AF_UNIX is safe.
         # Using ERRNO(1) so the process gets EPERM rather than SIGSYS
-        if normalized_lang == "bash":
+        if normalized_lang in ("py", "python", "java", "bash"):
             seccomp_policy = (
                 "POLICY policy { ERRNO(1) { ptrace } } USE policy DEFAULT ALLOW"
             )
diff --git a/src/services/sandbox/pool.py b/src/services/sandbox/pool.py
@@ -407,8 +407,10 @@ async def _start_repl_process(
                 f"mount -t tmpfs -o size=1k tmpfs /app/ssl && "
                 f"mount -t tmpfs -o size=1k tmpfs /app/dashboard && "
                 f"mount -t tmpfs -o size=1k tmpfs /app/src && "
-                # BUG-003: Hide /proc (REPL is Python-only, always safe to mask)
-                f"mount --bind /var/lib/code-interpreter/empty_proc /proc && "
+                # /proc kept accessible: Python REPL may invoke LibreOffice
+                # (soffice) for document-processing skills. soffice hard-fails
+                # without /proc. PID namespace inside nsjail still restricts
+                # visibility to sandbox processes.
                 # BUG-007: Ephemeral /tmp with noexec,nosuid,nodev
                 f"mount -t tmpfs -o {noexec_tmpfs}size={tmpfs_size}m,mode=1777 tmpfs /tmp && "
                 # BUG-008: Lock down other writable paths
