landstrip 0.8.6

Sandbox for coding agents with parametrized state
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54

// SPDX-License-Identifier: LGPL-2.1-or-later
// Copyright (c) 2026 Jarkko Sakkinen

//! Linux sandbox backend using Landlock and seccomp.

mod fd;
mod landlock;
mod seccomp;

use crate::error::{Error, Result};
use crate::policy::AccessPolicy;
use fd::close_inherited_fds;
use landlock::enforce_access_policy;
use seccomp::NetworkFilter;
use std::ffi::{OsStr, OsString};
use std::os::unix::process::CommandExt;
use std::path::Path;
use std::process::{self, Command};

pub(crate) fn execute(
    policy: &AccessPolicy,
    _policy_base: &Path,
    command: &OsStr,
    args: &[OsString],
) -> Result<()> {
    let network = &policy.network_access;
    let unrestricted_network = network.is_unrestricted();

    if !unrestricted_network
        && (network.local_tcp_bind
            || !network.connect_tcp_ports.is_empty()
            || seccomp::needs_unix_socket_broker(&network.unix_socket_access))
    {
        let status = seccomp::run_network_broker(policy, command, args)?;
        process::exit(status);
    }

    enforce_access_policy(policy)?;

    if !unrestricted_network {
        let filter = seccomp::network_filter(NetworkFilter {
            notify_bind: false,
            notify_connect: false,
            unix_sockets: seccomp::unix_socket_filter(&network.unix_socket_access),
        })?;
        filter.load()?;
    }
    close_inherited_fds();
    let error = Command::new(command).args(args).exec();
    Err(Error::Exec {
        command: command.to_os_string(),
        error,
    })
}