Security sandbox system providing TOCTOU-safe file operations and process isolation.
This module provides comprehensive security controls:
- TOCTOU-safe path resolution using openat() with O_NOFOLLOW
- Symlink attack prevention with depth limiting
- AST-based bash command analysis
- Environment variable sanitization
- Process resource limits via setrlimit
- OS-level sandboxing (Landlock on Linux, Seatbelt on macOS)
Re-exports§
pub use fs::SecureFileHandle;
pub use fs::SecureFs;
pub use guard::SecurityGuard;
pub use limits::ResourceLimits;
pub use path::SafePath;
pub use policy::SecurityPolicy;
pub use sandbox::DomainCheck;
pub use sandbox::NetworkConfig;
pub use sandbox::NetworkSandbox;
pub use sandbox::Sandbox;
pub use sandbox::SandboxConfig;
Modules§
- bash: Bash command security analysis using tree-sitter AST parsing.
- fs: Secure filesystem operations with TOCTOU protection.
- guard: SecurityGuard, pre-execution input validation for tools.
- limits: Process resource limits using setrlimit.
- path: TOCTOU-safe path handling with symlink protection.
- policy: Security policy configuration.
- sandbox: OS-level sandboxing for secure command execution.
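The limits module's setrlimit approach and the environment variable sanitization listed in the description are the two controls a child process picks up before exec. The following is an added example of how they fit together, not the crate's ResourceLimits or SecurityGuard code: an allow-listed environment is installed with env_clear() plus envs(), and the rlimits are applied in pre_exec, after fork and before exec, so they bind the child only. The Limits struct, sanitize_env, lower_soft_limit, the ALLOWED_ENV policy and the inline resource numbers (Linux only, declared here instead of using the libc crate) are assumptions of the example; the sample environment in the test is constructed.

```rust
// Added example (not the crate's ResourceLimits/SecurityGuard implementation):
// environment sanitization plus setrlimit(2) applied in pre_exec. Linux only.
use std::io;
use std::os::unix::process::CommandExt;
use std::process::Command;

#[repr(C)]
struct Rlimit {
    rlim_cur: u64,
    rlim_max: u64,
}

unsafe extern "C" {
    fn getrlimit(resource: i32, rlim: *mut Rlimit) -> i32;
    fn setrlimit(resource: i32, rlim: *const Rlimit) -> i32;
}

// Assumed resource numbers from <asm-generic/resource.h> (same on x86, arm, aarch64, riscv).
pub const RLIMIT_CPU: i32 = 0;
pub const RLIMIT_FSIZE: i32 = 1;
pub const RLIMIT_CORE: i32 = 4;
pub const RLIMIT_NPROC: i32 = 6;
pub const RLIMIT_NOFILE: i32 = 7;
pub const RLIMIT_AS: i32 = 9;

/// Variables a sandboxed tool may inherit (assumed policy, not the crate's).
pub const ALLOWED_ENV: &[&str] = &["PATH", "HOME", "LANG", "LC_ALL", "TERM", "TZ"];

/// Loader and interpreter hooks that let whoever controls the environment run
/// code in the child. Denied even if an allow-list mistakenly names them.
fn is_denied(name: &str) -> bool {
    name.starts_with("LD_")
        || name.starts_with("DYLD_")
        || matches!(name, "BASH_ENV" | "ENV" | "PERL5OPT" | "PYTHONPATH" | "PYTHONSTARTUP")
}

/// Keep only allow-listed, non-denied variables whose value contains no NUL or
/// other control characters (terminal escapes and newline injection).
pub fn sanitize_env<I>(vars: I, allow: &[&str]) -> Vec<(String, String)>
where
    I: IntoIterator<Item = (String, String)>,
{
    vars.into_iter()
        .filter(|(k, v)| allow.contains(&k.as_str()) && !is_denied(k) && !v.chars().any(|c| c.is_control()))
        .collect()
}

pub fn current_limit(resource: i32) -> io::Result<(u64, u64)> {
    let mut r = Rlimit { rlim_cur: 0, rlim_max: 0 };
    if unsafe { getrlimit(resource, &mut r) } != 0 {
        return Err(io::Error::last_os_error());
    }
    Ok((r.rlim_cur, r.rlim_max))
}

/// Lower the soft limit, clamped to the hard limit, and leave the hard limit
/// alone: lowering the hard limit is irreversible for an unprivileged process.
pub fn lower_soft_limit(resource: i32, soft: u64) -> io::Result<()> {
    let (_, hard) = current_limit(resource)?;
    let r = Rlimit { rlim_cur: soft.min(hard), rlim_max: hard };
    if unsafe { setrlimit(resource, &r) } != 0 {
        return Err(io::Error::last_os_error());
    }
    Ok(())
}

#[derive(Clone, Copy)]
pub struct Limits {
    pub cpu_secs: u64,
    pub file_bytes: u64,
    pub procs: u64,
    pub open_files: u64,
    pub addr_space: u64,
}

impl Limits {
    pub fn apply(self) -> io::Result<()> {
        lower_soft_limit(RLIMIT_CORE, 0)?; // never dump possibly sensitive memory to disk
        lower_soft_limit(RLIMIT_CPU, self.cpu_secs)?;
        lower_soft_limit(RLIMIT_FSIZE, self.file_bytes)?;
        lower_soft_limit(RLIMIT_NPROC, self.procs)?;
        lower_soft_limit(RLIMIT_NOFILE, self.open_files)?;
        lower_soft_limit(RLIMIT_AS, self.addr_space)
    }
}

/// Build the child with a cleared, re-populated environment and limits that are
/// installed between fork() and exec(), so the parent is never constrained.
pub fn sandboxed_command(program: &str, args: &[&str], limits: Limits) -> Command {
    let mut cmd = Command::new(program);
    cmd.args(args).env_clear().envs(sanitize_env(std::env::vars(), ALLOWED_ENV));
    // pre_exec runs in the forked child: only async-signal-safe work (plain syscalls) belongs here.
    unsafe {
        cmd.pre_exec(move || limits.apply());
    }
    cmd
}

fn main() -> io::Result<()> {
    let limits = Limits { cpu_secs: 10, file_bytes: 64 << 20, procs: 64, open_files: 256, addr_space: 512 << 20 };
    let out = sandboxed_command("/bin/sh", &["-c", "ulimit -n; echo LD_PRELOAD=$LD_PRELOAD"], limits).output()?;
    print!("{}", String::from_utf8_lossy(&out.stdout));
    Ok(())
}
```

Note that RLIMIT_AS and RLIMIT_NPROC are blunt instruments: a too-small address-space limit breaks interpreters that reserve large virtual ranges at startup, and RLIMIT_NPROC counts every process of the user, not just those in the sandbox. They are a backstop for the OS-level sandbox, not a replacement for it.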