OS-level command confinement for the Bash tool.
When a run is confined (ExAthena.ToolContext.allowed_roots is set), shell
commands are wrapped so they cannot write outside the roots:
- macOS —
sandbox-execwith a generated SBPL profile that allows reads, exec and network but denies all writes except under the roots and the OS temp dir. - Linux —
bwrap(bubblewrap): the whole filesystem mounted read-only, the roots and the temp dir bind-mounted read-write.
Reads and network stay open — that's the FS write boundary, not a full jail
(network egress is handled separately by the web tools' SSRF guard). The OS
temp dir stays writable so ordinary toolchains (compilers, mktemp) work.
Where no sandbox helper is available the command is returned unwrapped and
the caller is expected to warn: we never fake confinement with a command-string
scan (trivially bypassed via subshells/eval), so it's real-sandbox-or-nothing.
Summary
Functions
Whether an OS sandbox helper is available on this host.
Build the argv to run command confined to roots with working dir cwd.
Functions
@spec available?() :: boolean()
Whether an OS sandbox helper is available on this host.
@spec wrap(String.t(), [Path.t()], Path.t()) :: {:ok, {String.t(), [String.t()]}} | {:unavailable, {String.t(), [String.t()]}}
Build the argv to run command confined to roots with working dir cwd.
Returns {:ok, {executable, args}} when an OS sandbox is available, or
{:unavailable, {executable, args}} (the bare sh -c command) otherwise.