Linux sandbox strategy using bwrap (bubblewrap).
Builds an argv that namespace-isolates the child process:
- user, IPC, UTS, PID, cgroup namespaces are always unshared
- network namespace is unshared only when `allow_network` is false
- the host filesystem is bind-mounted read-only at `/`
- `/dev` and `/proc` are overlaid with clean views
- the project directory and every `allowed_write_paths` entry are rw-bind-mounted on top of the read-only base
- `--die-with-parent` ensures the sandbox dies with the agent
Forbidden-path masking (~/.ssh etc.) is deferred to a follow-up
PR — bwrap does not support the seatbelt subpath deny model
directly and needs per-file handling. For now, forbidden paths are
logged but not enforced by this strategy; callers that need secret
masking should rely on the in-process permission system until the
follow-up lands.
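The argv layout described above, as an added example that is not this crate's own code: `Policy` and `build_bwrap_argv` are hypothetical names, while the flags are bwrap's real options. It returns the forbidden paths alongside the argv because nothing in the argv masks them.

```rust
use std::path::PathBuf;

/// Hypothetical policy type for this example (not the crate's own).
pub struct Policy {
    pub project_dir: PathBuf,
    pub allowed_write_paths: Vec<PathBuf>,
    pub forbidden_paths: Vec<PathBuf>,
    pub allow_network: bool,
}

/// Builds the bwrap argv and returns it together with the forbidden paths,
/// which this argv does NOT mask: they stay readable via the read-only `/`.
pub fn build_bwrap_argv(p: &Policy, cmd: &[&str]) -> (Vec<String>, Vec<PathBuf>) {
    let mut argv: Vec<String> = vec!["bwrap".into(), "--die-with-parent".into()];
    for ns in ["user", "ipc", "uts", "pid", "cgroup"] {
        argv.push(format!("--unshare-{}", ns));
    }
    if !p.allow_network {
        argv.push("--unshare-net".into());
    }
    // bwrap applies mounts in argv order, so the read-only base comes first
    // and the clean /dev and /proc plus the rw binds are layered over it.
    argv.extend(["--ro-bind", "/", "/", "--dev", "/dev", "--proc", "/proc"].map(String::from));
    for dir in std::iter::once(&p.project_dir).chain(&p.allowed_write_paths) {
        let d = dir.to_string_lossy().into_owned();
        argv.extend(["--bind".to_string(), d.clone(), d]);
    }
    argv.push("--".into());
    argv.extend(cmd.iter().map(|s| s.to_string()));
    (argv, p.forbidden_paths.clone())
}

fn main() {
    // Constructed sample policy; all paths are made up for the example.
    let p = Policy {
        project_dir: PathBuf::from("/work/proj"),
        allowed_write_paths: vec![PathBuf::from("/tmp/cache")],
        forbidden_paths: vec![PathBuf::from("/home/u/.ssh")],
        allow_network: false,
    };
    let (argv, unenforced) = build_bwrap_argv(&p, &["sh", "-c", "true"]);
    println!("{}", argv.join(" "));
    for f in &unenforced {
        eprintln!("warning: forbidden path not masked by bwrap: {}", f.display());
    }
}
```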
Structs
- BwrapStrategy: Linux bubblewrap strategy. See module docs.