envseal 0.3.10

Write-only secret vault with process-level access control — post-agent secret management
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189

//! Process sandbox — OS-level isolation expressed as an abstract tier.
//!
//! The public type is [`SandboxTier`]: an abstract isolation intent
//! ([`None`](SandboxTier::None) / [`Hardened`](SandboxTier::Hardened) /
//! [`Lockdown`](SandboxTier::Lockdown)). Each platform's backend translates
//! that intent into native syscalls. Callers never name platform primitives
//! (namespaces, sandbox profiles, Job Objects) — only the tier they want.
//!
//! # Platform support
//!
//! - **Linux** — Hardened (PID + IPC namespaces) and Lockdown (PID + mount +
//!   network + IPC namespaces). The post-`unshare` private-mount setup runs
//!   from `crate::execution::sandbox_helper` because `mount(2)` is not
//!   async-signal-safe in `pre_exec`.
//! - **macOS** — Hardened (`sandbox_init` `no-internet` profile) and
//!   Lockdown (`pure-computation` profile).
//! - **Windows** — Hardened (Job Object with `KILL_ON_JOB_CLOSE` +
//!   `DIE_ON_UNHANDLED_EXCEPTION`) and Lockdown (Hardened plus
//!   `ACTIVE_PROCESS_LIMIT=1` and full UI restrictions).
//!
//! # Submodules
//!
//! - [`capabilities`] — Runtime OS capability detection.
//! - `linux` (Linux only) — Namespace isolation backend.
//! - `macos` (macOS only) — `sandbox_init` backend.
//! - `windows` (Windows only) — Job Object backend.

use serde::{Deserialize, Serialize};

/// Abstract isolation intent. Each platform backend translates this to its
/// native primitives.
///
/// Stronger tiers strictly include weaker tier protections.
#[derive(Debug, Clone, Copy, PartialEq, Eq, Default, Serialize, Deserialize)]
#[serde(rename_all = "lowercase")]
#[non_exhaustive]
pub enum SandboxTier {
    /// No isolation requested. The child runs with only the always-on
    /// hardening (`env_clear`, `dumpable=0`, `no_new_privs`, `RLIMIT_CORE=0`).
    #[default]
    None,
    /// Process-level isolation. The child cannot see, signal, or attach to
    /// other processes; cannot escape to a parent process group.
    ///
    /// - **Linux**: PID + IPC namespaces (no mount, no network).
    /// - **macOS** *(planned)*: sandbox profile denying `process-info*`.
    /// - **Windows**: Job Object with `KILL_ON_JOB_CLOSE` +
    ///   `DIE_ON_UNHANDLED_EXCEPTION`, breakaway disabled.
    Hardened,
    /// Strongest available isolation. The child cannot reach the network,
    /// cannot write to the filesystem outside an ephemeral scratch space,
    /// and cannot communicate with the parent via shared memory.
    ///
    /// - **Linux**: PID + mount + network + IPC namespaces. The supervisor
    ///   routes the spawn through `crate::execution::sandbox_helper`
    ///   so private `tmpfs`-on-`/tmp` and `MS_PRIVATE` propagation are set
    ///   up inside the new mount namespace.
    /// - **macOS** *(planned)*: sandbox profile denying network and writes
    ///   outside `/tmp`.
    /// - **Windows**: Job Object (`KILL_ON_JOB_CLOSE` +
    ///   `DIE_ON_UNHANDLED_EXCEPTION`) plus `ACTIVE_PROCESS_LIMIT=1` and
    ///   full UI restrictions (`JOB_OBJECT_UILIMIT_*`).
    Lockdown,
}

impl SandboxTier {
    /// Whether any isolation is requested (i.e. anything beyond the
    /// always-on parent hardening).
    #[must_use]
    pub fn any_isolation(self) -> bool {
        !matches!(self, SandboxTier::None)
    }

    /// Stable lowercase name (matches the serialized form).
    #[must_use]
    pub fn as_str(self) -> &'static str {
        match self {
            SandboxTier::None => "none",
            SandboxTier::Hardened => "hardened",
            SandboxTier::Lockdown => "lockdown",
        }
    }

    /// Parse a stable lowercase tier name (matches the serialized form).
    ///
    /// Accepts `"none"`, `"standard"` (alias for `"none"`), `"hardened"`, `"lockdown"`.
    ///
    /// # Errors
    ///
    /// Returns an `Err` containing the offending input when the tier name is unknown.
    pub fn parse(name: &str) -> Result<Self, String> {
        match name {
            "none" | "standard" => Ok(SandboxTier::None),
            "hardened" => Ok(SandboxTier::Hardened),
            "lockdown" => Ok(SandboxTier::Lockdown),
            other => Err(other.to_string()),
        }
    }
}

pub mod capabilities;
pub use capabilities::OsCapabilities;

#[cfg(target_os = "linux")]
pub mod linux;

#[cfg(target_os = "macos")]
pub mod macos;

#[cfg(target_os = "windows")]
pub mod windows;

#[cfg(target_os = "linux")]
pub use linux::{apply_sandbox, user_namespaces_available};

#[cfg(target_os = "macos")]
pub use macos::apply_sandbox;

/// Apply sandbox isolation in a pre-exec context.
///
/// Linux uses namespaces; macOS uses `sandbox_init`. Windows has no
/// `pre_exec` equivalent, so sandboxing is applied to the **child**
/// process at spawn time via [`windows::spawn_in_job`] instead. This
/// function exists for API uniformity: it returns `Ok(())` on Windows
/// so that cross-platform test code and conditional `pre_exec` blocks
/// compile without extra `cfg` gates. The actual confinement happens
/// through `spawn_in_job` before the child's first instruction runs.
///
/// # Errors
///
/// On Linux: namespace `unshare` errors. On macOS: `sandbox_init` errors.
/// On Windows: never errors — the no-op here is by design; real isolation
/// is enforced at child-spawn time.
#[cfg(not(any(target_os = "linux", target_os = "macos")))]
pub fn apply_sandbox(tier: SandboxTier) -> std::io::Result<()> {
    // Windows applies Job Object limits via `spawn_in_job` / `apply_to_process`
    // at child creation time, not in a `pre_exec` closure. Returning Ok
    // keeps the cross-platform API uniform while ensuring callers that
    // use `spawn_in_job` get real isolation.
    let _ = tier;
    Ok(())
}

/// Whether unprivileged user namespaces are available.
///
/// Always `false` off Linux — namespaces don't exist on macOS/Windows.
#[cfg(not(target_os = "linux"))]
#[must_use]
pub fn user_namespaces_available() -> bool {
    false
}

#[cfg(test)]
mod tests {
    use super::SandboxTier;

    #[test]
    fn apply_sandbox_none_never_panics() {
        // apply_sandbox is designed for pre_exec contexts; on Linux it
        // calls unshare, on macOS sandbox_init, on Windows it returns
        // Ok(()) for None. We can safely call it here because None is
        // a no-op on every platform.
        assert!(super::apply_sandbox(SandboxTier::None).is_ok());
    }

    #[test]
    fn sandbox_tier_parse_roundtrip() {
        for tier in [
            SandboxTier::None,
            SandboxTier::Hardened,
            SandboxTier::Lockdown,
        ] {
            let parsed = SandboxTier::parse(tier.as_str()).unwrap();
            assert_eq!(parsed, tier);
        }
    }

    #[test]
    fn sandbox_tier_standard_alias_is_none() {
        assert_eq!(SandboxTier::parse("standard").unwrap(), SandboxTier::None);
    }

    #[test]
    fn sandbox_tier_any_isolation() {
        assert!(!SandboxTier::None.any_isolation());
        assert!(SandboxTier::Hardened.any_isolation());
        assert!(SandboxTier::Lockdown.any_isolation());
    }
}