feat(sandbox): Linux bwrap strategy for the Bash tool #124
emal-avala merged 1 commit into main on Apr 15, 2026
Second platform slice of ROADMAP §7.4 Process-Level Sandboxing.
Wires a bubblewrap-based strategy into the existing SandboxStrategy
trait with no changes to the wiring at call sites — bash.rs still
routes through ctx.sandbox.wrap() exactly as it does for Seatbelt.

bwrap argv structure:
- unshare user/ipc/uts/pid/cgroup namespaces (always)
- unshare net only when allow_network = false
- --die-with-parent so a crashed agent cannot leave sandbox children
- --ro-bind / / for broad read access
- --dev /dev and --proc /proc overlays over the ro-bind base
- --bind <project> <project> for writable project directory
- --bind <path> <path> for each allowed_write_paths entry, with
  canonical form emitted when it differs from the raw path (mirrors
  seatbelt's symlink handling for /var -> /run style redirection)
- --chdir <cwd> then `--` then the original program and args

Strategy picker:
- auto_detect returns bwrap on Linux when `bwrap` is on $PATH
- pick_strategy("bwrap") works on Linux only; silently degrades to
  noop elsewhere (matches the seatbelt-off-macOS behavior)
- sandbox_exec_available() generalized to binary_on_path(name)
- bwrap("bwrap") on macOS / seatbelt on Linux both degrade gracefully

Tests:
- 14 new bwrap unit tests covering namespace flags, network toggling,
  ro-bind / /, dev/proc overlays, project and allowed-path binds,
  --die-with-parent, --chdir, `--` program terminator, empty lists,
  BwrapStrategy name, wrap_command program/cwd/env preservation
- 2 new mod.rs picker tests (auto_detect_on_linux, pick_strategy_bwrap)
- 6 new Linux-gated integration tests mirroring the Seatbelt suite:
  blocks writes outside project, allows in-project writes, honors
  allowed_write_paths, preserves cwd, bypass gate honored both ways
- macOS suite still green (553 lib unit tests, 9 integration tests)

Forbidden-path masking is still deferred — Seatbelt's `subpath` deny
model doesn't translate directly to bwrap and needs per-file handling.
The current bwrap strategy will need a follow-up for that.
emal-avala added a commit that referenced this pull request on Apr 15, 2026
Second platform slice of ROADMAP §7.4 Process-Level Sandboxing. Drops a bubblewrap-based strategy into the trait plumbing landed in #120 — no changes to bash.rs or the `ToolContext` wiring.
Argv structure
```
bwrap \
  --unshare-user --unshare-ipc --unshare-uts --unshare-pid --unshare-cgroup \
  [--unshare-net]                 # only when allow_network = false \
  --die-with-parent \
  --ro-bind / /                   # broad read access \
  --dev /dev --proc /proc         # clean kernel filesystems \
  --bind <project> <project>      # writable project root \
  --bind <path> <path>            # each allowed_write_paths entry \
  --chdir <cwd> \
  -- <program> <args...>
```
Canonical-path resolution mirrors the Seatbelt strategy so `/var/run → /run` style redirection on Linux distros does not trap the child in a directory it cannot write to.
Strategy picker
Tests
All six skip gracefully if `bwrap` is not installed on the runner (non-zero chance on minimal CI images).
macOS regression surface
All 9 existing Seatbelt integration tests still pass, plus the 37 sandbox unit tests from the first slice. Workspace totals: 553 lib unit tests (was 538), full clippy -D warnings clean, cargo fmt clean.
Still deferred
Test plan
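
The argv layout described in this PR, as an added Rust example (not code from the PR or the project): it builds the bwrap argument vector from a policy, keeps the writable binds after `--ro-bind / /`, and binds the symlink-resolved form of each allowed write path. `Policy`, `bind_target` and `bwrap_argv` are hypothetical names, and emitting only the canonical path, with a fallback to the raw path when resolution fails, is an assumption of this example.

```rust
use std::ffi::OsString;
use std::fs;
use std::path::{Path, PathBuf};

/// Hypothetical policy type for this example (not the project's own struct).
pub struct Policy {
    pub allow_network: bool,
    pub project_dir: PathBuf,
    pub allowed_write_paths: Vec<PathBuf>,
}

/// Resolve symlinks so the bind names the real directory. Falling back to the
/// raw path when resolution fails is an assumption of this example.
fn bind_target(raw: &Path) -> PathBuf {
    fs::canonicalize(raw).unwrap_or_else(|_| raw.to_path_buf())
}

/// Build the argv in the order the PR lists. bwrap applies mount operations
/// left to right, so the writable binds must come after `--ro-bind / /`.
pub fn bwrap_argv(p: &Policy, cwd: &Path, program: &str, args: &[&str]) -> Vec<OsString> {
    let mut argv: Vec<OsString> = Vec::new();
    for s in ["bwrap", "--unshare-user", "--unshare-ipc", "--unshare-uts",
              "--unshare-pid", "--unshare-cgroup"] {
        argv.push(s.into());
    }
    if !p.allow_network { argv.push("--unshare-net".into()); }
    for s in ["--die-with-parent", "--ro-bind", "/", "/", "--dev", "/dev", "--proc", "/proc"] {
        argv.push(s.into());
    }
    let mut writable = vec![p.project_dir.clone()];
    writable.extend(p.allowed_write_paths.iter().map(|w| bind_target(w)));
    for dir in writable {
        argv.push("--bind".into());
        argv.push(dir.clone().into_os_string());
        argv.push(dir.into_os_string());
    }
    argv.push("--chdir".into());
    argv.push(cwd.as_os_str().to_os_string());
    argv.push("--".into()); // everything after this is the child command
    argv.push(program.into());
    argv.extend(args.iter().map(|a| OsString::from(*a)));
    argv
}

fn main() {
    // Constructed sample policy with placeholder paths.
    let p = Policy { allow_network: false, project_dir: "/work/proj".into(),
                     allowed_write_paths: vec!["/var/run/agent".into()] };
    println!("{:?}", bwrap_argv(&p, Path::new("/work/proj"), "sh", &["-c", "echo hi"]));
}
```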