@dhvll
Collaborator

@dhvll dhvll commented Nov 8, 2025

Implements a secure sandboxed command execution layer for Cortex Linux. AI-generated commands are executed in an isolated environment with comprehensive security controls, resource limits, and audit logging.

Usage Examples

Basic Execution

from sandbox_executor import SandboxExecutor

executor = SandboxExecutor()
result = executor.execute('echo "Hello from sandbox"')
print(result.stdout)  # Hello from sandbox
print(result.success)  # True

Security Blocking

from sandbox_executor import SandboxExecutor, CommandBlocked

executor = SandboxExecutor()
try:
    executor.execute('rm -rf /')
except CommandBlocked as e:
    print(f"Blocked: {e}")  # Dangerous command correctly blocked

Dry-Run Mode

from sandbox_executor import SandboxExecutor

executor = SandboxExecutor()
result = executor.execute('apt-get update', dry_run=True)
print(result.preview)  # Shows full Firejail command that would execute

Command Validation

from sandbox_executor import SandboxExecutor

executor = SandboxExecutor()
is_valid, reason = executor.validate_command('python3 --version')
if is_valid:
    print("Command allowed")
else:
    print(f"Blocked: {reason}")

With Rollback

from sandbox_executor import SandboxExecutor

executor = SandboxExecutor(enable_rollback=True)
result = executor.execute('pip install some-package')
if result.failed:
    # Changes automatically rolled back
    print("Command failed, changes reverted")

Audit Logging

from sandbox_executor import SandboxExecutor

executor = SandboxExecutor()
executor.execute('echo test1')
executor.execute('echo test2')

# Get audit log
audit_log = executor.get_audit_log()
for entry in audit_log:
    print(f"{entry['timestamp']}: {entry['command']}")

# Export to JSON
executor.save_audit_log('audit.json')

Custom Resource Limits

from sandbox_executor import SandboxExecutor

executor = SandboxExecutor(
    max_cpu_cores=1,
    max_memory_mb=1024,
    max_disk_mb=512,
    timeout_seconds=60
)
result = executor.execute('python3 script.py')

Sudo Commands (Package Installation Only)

from sandbox_executor import SandboxExecutor

executor = SandboxExecutor()

# Allowed: Package installation
is_valid, _ = executor.validate_command('sudo apt-get install python3')
print(is_valid)  # True

# Blocked: Destructive operations
is_valid, reason = executor.validate_command('sudo rm -rf /')
print(is_valid)  # False

CLI Usage

# Basic command execution
python3 sandbox_executor.py "echo Hello from Cortex"
# Output: Hello from Cortex

# Execute Python script
python3 sandbox_executor.py "python3 -c 'print(\"Hello\")'"
# Output: Hello

# Dry-run mode (preview without execution)
python3 sandbox_executor.py "apt-get update" --dry-run
# Output: [DRY-RUN] Would execute: /bin/firejail ... apt-get update

# Custom timeout (in seconds, default is 300)
python3 sandbox_executor.py "long-running-command" --timeout 600

# Disable rollback
python3 sandbox_executor.py "pip install package" --no-rollback

# Execute with default settings (5 min timeout, rollback enabled)
python3 sandbox_executor.py "git clone https://github.com/user/repo"

# Check command validation (will show blocked if dangerous)
python3 sandbox_executor.py "rm -rf /"
# Output: Command blocked: Dangerous pattern detected: rm\s+-rf\s+[/\*]
# Exit code: 1

# Execute package installation command
python3 sandbox_executor.py "sudo apt-get install python3-pip"

# Execute with output redirection
python3 sandbox_executor.py "echo test" > output.txt

# Chain commands (using shell)
python3 sandbox_executor.py "echo test1" && python3 sandbox_executor.py "echo test2"

# View help
python3 sandbox_executor.py --help

Screencast.from.09-11-25.01.03.39.AM.IST.webm

/closes #2
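
Added example, not code from this PR: a sketch of how a `validate_command`-style check can pair the denylist pattern quoted in the CLI output above with default-deny rules, returning the same `(is_valid, reason)` tuple. The allowlists, the sudo rule set, and the metacharacter check are assumptions; the PR's actual policy is not shown on this page.

```python
import re
import shlex

# The one denylist entry quoted in the CLI output above.
DANGEROUS_PATTERNS = [r"rm\s+-rf\s+[/\*]"]
# Assumed allowlists (hypothetical): the page only states that sudo is
# permitted for package installation.
ALLOWED_PROGRAMS = {"echo", "python3", "pip", "git", "apt-get"}
SUDO_ALLOWED = {("apt-get", "install"), ("apt", "install")}
# Assumed rule: reject shell chaining, substitution and redirection.
SHELL_METACHARS = re.compile(r"[;&|`$<>\n]")


def validate_command(command):
    """Return (is_valid, reason) for a single command string."""
    for pattern in DANGEROUS_PATTERNS:
        if re.search(pattern, command):
            return False, f"Dangerous pattern detected: {pattern}"
    # A denylist only catches what it names, so every remaining check
    # defaults to deny.
    if SHELL_METACHARS.search(command):
        return False, "Shell metacharacters are not allowed"
    try:
        argv = shlex.split(command)
    except ValueError as exc:  # e.g. unbalanced quotes
        return False, f"Unparseable command: {exc}"
    if not argv:
        return False, "Empty command"
    if argv[0] == "sudo":
        # Only the exact "sudo <package tool> install ..." shape passes;
        # sudo options or any other program are rejected.
        if tuple(argv[1:3]) not in SUDO_ALLOWED:
            return False, "sudo is limited to package installation"
        return True, "sudo package operation allowed"
    if argv[0] not in ALLOWED_PROGRAMS:
        return False, f"Program not in allowlist: {argv[0]}"
    return True, "Command allowed"
```
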

@mikejmorgan-ai mikejmorgan-ai merged commit ff2e3fc into cortexlinux:main Nov 8, 2025
@mikejmorgan-ai
Member

Excellent work @dhvll! This is exactly what we needed.

✅ All requirements met
✅ Security features implemented
✅ Documentation included
✅ Video demonstration provided

Merging now. $500 bounty will be paid within 3 days to your PayPal/Venmo.

Please DM me on Discord (discord.gg/uCqHvxjU83) or email mike@cortexlinux.com with payment details.

Welcome to the Cortex Linux core team! 🎉

Development

Successfully merging this pull request may close these issues.

Implement sandboxed command execution layer