ExAthena.Sandbox (ExAthena v0.17.0)

Copy Markdown View Source

OS-level command confinement for the Bash tool.

When a run is confined (ExAthena.ToolContext.allowed_roots is set), shell commands are wrapped so they cannot write outside the roots:

  • macOSsandbox-exec with a generated SBPL profile that allows reads, exec and network but denies all writes except under the roots and the OS temp dir.
  • Linuxbwrap (bubblewrap): the whole filesystem mounted read-only, the roots and the temp dir bind-mounted read-write.

Reads and network stay open — that's the FS write boundary, not a full jail (network egress is handled separately by the web tools' SSRF guard). The OS temp dir stays writable so ordinary toolchains (compilers, mktemp) work.

Where no sandbox helper is available the command is returned unwrapped and the caller is expected to warn: we never fake confinement with a command-string scan (trivially bypassed via subshells/eval), so it's real-sandbox-or-nothing.

Summary

Functions

Whether an OS sandbox helper is available on this host.

Build the argv to run command confined to roots with working dir cwd.

Functions

available?()

@spec available?() :: boolean()

Whether an OS sandbox helper is available on this host.

wrap(command, roots, cwd)

@spec wrap(String.t(), [Path.t()], Path.t()) ::
  {:ok, {String.t(), [String.t()]}} | {:unavailable, {String.t(), [String.t()]}}

Build the argv to run command confined to roots with working dir cwd.

Returns {:ok, {executable, args}} when an OS sandbox is available, or {:unavailable, {executable, args}} (the bare sh -c command) otherwise.