kernex-sandbox 0.4.0

OS-level sandboxing for AI agent subprocesses (Seatbelt on macOS, Landlock on Linux)
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193

//! macOS Seatbelt (sandbox-exec) enforcement — blocklist approach.
//!
//! Denies writes to dangerous system directories and the runtime's core database.
//! Denies reads to the runtime's core data directory and config file.
//! Everything else is allowed by default.

use std::path::Path;
use tokio::process::Command;
use tracing::warn;

/// Path to the sandbox-exec binary (built into macOS).
const SANDBOX_EXEC: &str = "/usr/bin/sandbox-exec";

/// Generate a Seatbelt profile that blocks writes and reads to dangerous locations.
///
/// Blocklist approach: allow everything, deny specific dangerous paths.
/// `data_dir` is the runtime data directory (e.g. `~/.kernex/`).
/// - Writes to system dirs and `{data_dir}/data/` are denied.
/// - Reads to `{data_dir}/data/` and `{data_dir}/config.toml` are denied.
fn build_profile(data_dir: &Path, profile: &crate::SandboxProfile) -> String {
    let data_data = data_dir.join("data");
    let data_data_str = data_data.display();
    let config_file = data_dir.join("config.toml");
    let config_str = config_file.display();

    let mut deny_writes = format!(
        r#"  (subpath "/System")
  (subpath "/bin")
  (subpath "/sbin")
  (subpath "/usr/bin")
  (subpath "/usr/sbin")
  (subpath "/usr/lib")
  (subpath "/usr/libexec")
  (subpath "/private/etc")
  (subpath "/Library")
  (subpath "{data_data_str}")
  (literal "{config_str}")
"#
    );

    let mut deny_reads = format!(
        r#"  (subpath "{data_data_str}")
  (literal "{config_str}")
"#
    );

    for blocked in &profile.blocked_paths {
        let blocked_str = blocked.display();
        deny_writes.push_str(&format!("  (subpath \"{blocked_str}\")\n"));
        deny_reads.push_str(&format!("  (subpath \"{blocked_str}\")\n"));
    }

    format!(
        "(version 1)\n\
        (allow default)\n\
        (deny file-write*\n{deny_writes})\n\
        (deny file-read*\n{deny_reads})\n"
    )
}

/// Build a [`Command`] wrapped with `sandbox-exec` write and read restrictions.
///
/// Blocklist: denies writes to system directories + `{data_dir}/data/`;
/// denies reads to `{data_dir}/data/` and `{data_dir}/config.toml`.
/// Everything else (home dir, /tmp, /usr/local, etc.) is accessible.
///
/// If `/usr/bin/sandbox-exec` does not exist, logs a warning and returns
/// a plain command without OS-level enforcement.
pub(crate) fn protected_command(
    program: &str,
    data_dir: &Path,
    profile: &crate::SandboxProfile,
) -> Command {
    if !Path::new(SANDBOX_EXEC).exists() {
        warn!("sandbox-exec not found at {SANDBOX_EXEC}; falling back to code-level protection");
        return Command::new(program);
    }

    let built_profile = build_profile(data_dir, profile);
    let mut cmd = Command::new(SANDBOX_EXEC);
    cmd.arg("-p").arg(built_profile).arg("--").arg(program);
    cmd
}

#[cfg(test)]
mod tests {
    use super::*;
    use std::path::PathBuf;

    #[test]
    fn test_profile_blocks_system_dirs() {
        let data_dir = PathBuf::from("/home/user/.kernex");
        let profile_obj = crate::SandboxProfile::default();
        let profile = build_profile(&data_dir, &profile_obj);
        assert!(profile.contains("(deny file-write*"));
        assert!(profile.contains(r#"(subpath "/System")"#));
        assert!(profile.contains(r#"(subpath "/bin")"#));
        assert!(profile.contains(r#"(subpath "/sbin")"#));
        assert!(profile.contains(r#"(subpath "/usr/bin")"#));
        assert!(profile.contains(r#"(subpath "/usr/sbin")"#));
        assert!(profile.contains(r#"(subpath "/usr/lib")"#));
        assert!(profile.contains(r#"(subpath "/usr/libexec")"#));
        assert!(profile.contains(r#"(subpath "/private/etc")"#));
        assert!(profile.contains(r#"(subpath "/Library")"#));
    }

    #[test]
    fn test_profile_blocks_data_dir() {
        let data_dir = PathBuf::from("/home/user/.kernex");
        let profile_obj = crate::SandboxProfile::default();
        let profile = build_profile(&data_dir, &profile_obj);
        assert!(
            profile.contains("/home/user/.kernex/data"),
            "should block data dir (memory.db)"
        );
    }

    #[test]
    fn test_profile_allows_usr_local() {
        let data_dir = PathBuf::from("/tmp/ws");
        let profile_obj = crate::SandboxProfile::default();
        let profile = build_profile(&data_dir, &profile_obj);
        assert!(
            !profile.contains(r#"(subpath "/usr/local")"#),
            "/usr/local should not be blocked"
        );
    }

    #[test]
    fn test_profile_allows_by_default() {
        let data_dir = PathBuf::from("/tmp/ws");
        let profile_obj = crate::SandboxProfile::default();
        let profile = build_profile(&data_dir, &profile_obj);
        assert!(
            profile.contains("(allow default)"),
            "should allow everything by default"
        );
    }

    #[test]
    fn test_profile_blocks_data_dir_reads() {
        let data_dir = PathBuf::from("/home/user/.kernex");
        let profile_obj = crate::SandboxProfile::default();
        let profile = build_profile(&data_dir, &profile_obj);
        assert!(
            profile.contains("(deny file-read*"),
            "should have file-read* deny"
        );
        let read_deny_pos = profile.find("(deny file-read*").unwrap();
        let after_read = &profile[read_deny_pos..];
        assert!(
            after_read.contains("/home/user/.kernex/data"),
            "should block reads to data dir"
        );
    }

    #[test]
    fn test_profile_blocks_config_writes() {
        let data_dir = PathBuf::from("/home/user/.kernex");
        let profile_obj = crate::SandboxProfile::default();
        let profile = build_profile(&data_dir, &profile_obj);
        let write_deny_pos = profile.find("(deny file-write*").unwrap();
        let read_deny_pos = profile.find("(deny file-read*").unwrap();
        let write_section = &profile[write_deny_pos..read_deny_pos];
        assert!(
            write_section.contains("config.toml"),
            "should block writes to config.toml"
        );
    }

    #[test]
    fn test_profile_blocks_config_reads() {
        let data_dir = PathBuf::from("/home/user/.kernex");
        let profile_obj = crate::SandboxProfile::default();
        let profile = build_profile(&data_dir, &profile_obj);
        assert!(
            profile.contains(r#"(literal "/home/user/.kernex/config.toml")"#),
            "should block reads to config.toml"
        );
    }

    #[test]
    fn test_command_structure() {
        let data_dir = PathBuf::from("/tmp/ws");
        let profile = crate::SandboxProfile::default();
        let cmd = protected_command("claude", &data_dir, &profile);
        let program = cmd.as_std().get_program().to_string_lossy().to_string();
        assert!(
            program.contains("sandbox-exec") || program.contains("claude"),
            "unexpected program: {program}"
        );
    }
}