proc_jail 0.1.0

Process execution guard for agentic systems
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299

//! Integration tests for proc_jail.
//!
//! These tests verify end-to-end behavior with real binaries.

use proc_jail::{
    ArgRules, CwdPolicy, EnvPolicy, InjectDoubleDash, ProcPolicy, ProcRequest, RiskyBinPolicy,
    Violation,
};
use std::time::Duration;

/// Helper to create a grep policy for testing.
fn grep_policy() -> ProcPolicy {
    ProcPolicy::builder()
        .allow_bin("/usr/bin/grep")
        .arg_rules(
            "/usr/bin/grep",
            ArgRules::new()
                .allowed_flags(&["-n", "-i", "-l", "-c", "-r", "-E", "--color=never"])
                .max_flags(5)
                .max_positionals(10)
                .inject_double_dash(InjectDoubleDash::AfterFlags),
        )
        .env_policy(EnvPolicy::LocaleOnly)
        .cwd_policy(CwdPolicy::fixed("/tmp"))
        .timeout(Duration::from_secs(5))
        .build()
        .expect("valid policy")
}

#[tokio::test]
async fn test_grep_basic_execution() {
    let policy = grep_policy();

    // Create a temp file
    let content = "hello world\nfoo bar\nhello again\n";
    let tmp_file = "/tmp/proc_jail_test_grep.txt";
    std::fs::write(tmp_file, content).unwrap();

    let request = ProcRequest::new(
        "/usr/bin/grep",
        vec!["-n".to_string(), "hello".to_string(), tmp_file.to_string()],
    );

    let prepared = policy.prepare(request).unwrap();
    let output = prepared.spawn().await.unwrap();

    assert!(output.success());
    let stdout = output.stdout_string();
    assert!(stdout.contains("1:hello world"));
    assert!(stdout.contains("3:hello again"));

    std::fs::remove_file(tmp_file).ok();
}

#[tokio::test]
async fn test_double_dash_injection_works() {
    let policy = grep_policy();

    // Create a temp file
    let tmp_file = "/tmp/proc_jail_dd_test.txt";
    std::fs::write(tmp_file, "test content\n").unwrap();

    // Normal pattern that doesn't look like a flag
    let request = ProcRequest::new(
        "/usr/bin/grep",
        vec!["-n".to_string(), "test".to_string(), tmp_file.to_string()],
    );

    let prepared = policy.prepare(request).unwrap();

    // Verify -- was injected between flags and positionals
    let argv = prepared.argv();
    assert!(
        argv.contains(&"--".to_string()),
        "Expected -- to be inserted"
    );

    // The argv should be: ["-n", "--", "test", tmp_file]
    let dash_pos = argv.iter().position(|x| x == "--").unwrap();
    let n_pos = argv.iter().position(|x| x == "-n").unwrap();
    assert!(n_pos < dash_pos, "Flag should come before --");

    std::fs::remove_file(tmp_file).ok();
}

#[tokio::test]
async fn test_shell_injection_prevented() {
    let policy = grep_policy();

    // Create a temp file to search
    let tmp_file = "/tmp/proc_jail_injection_test.txt";
    std::fs::write(tmp_file, "test content").unwrap();

    // Try to inject shell command via pattern
    let malicious_query = "test'; rm -rf /tmp/important; echo '";

    let request = ProcRequest::new(
        "/usr/bin/grep",
        vec![
            "-n".to_string(),
            malicious_query.to_string(),
            tmp_file.to_string(),
        ],
    );

    let prepared = policy.prepare(request).unwrap();
    let output = prepared.spawn().await.unwrap();

    // The "injection" is just a literal pattern - grep won't find it
    // But importantly, no shell commands were executed
    assert!(output.stdout_string().is_empty() || !output.success());

    std::fs::remove_file(tmp_file).ok();
}

#[tokio::test]
async fn test_binary_not_allowed() {
    let policy = grep_policy();

    // Try to run a binary not in the allowlist
    let request = ProcRequest::new("/bin/ls", vec![]);

    let result = policy.prepare(request);
    assert!(matches!(result, Err(Violation::BinNotAllowed { .. })));
}

#[tokio::test]
async fn test_risky_binary_denied() {
    // Policy without RiskyBinPolicy::Disabled
    let policy = ProcPolicy::builder()
        .allow_bin("/bin/bash")
        .arg_rules("/bin/bash", ArgRules::new())
        .build()
        .unwrap();

    let request = ProcRequest::new("/bin/bash", vec![]);
    let result = policy.prepare(request);

    assert!(matches!(result, Err(Violation::BinRiskyDenied { .. })));
}

#[tokio::test]
async fn test_flag_not_allowed() {
    let policy = grep_policy();

    // -f (file) is not in the allowlist
    let request = ProcRequest::new(
        "/usr/bin/grep",
        vec!["-f".to_string(), "/etc/passwd".to_string()],
    );

    let result = policy.prepare(request);
    assert!(matches!(result, Err(Violation::ArgFlagNotAllowed { .. })));
}

#[tokio::test]
async fn test_timeout_kills_process() {
    // Create a policy with very short timeout
    let policy = ProcPolicy::builder()
        .allow_bin("/bin/sleep")
        .arg_rules("/bin/sleep", ArgRules::new().max_positionals(1))
        .timeout(Duration::from_millis(100))
        .build()
        .unwrap();

    let request = ProcRequest::new("/bin/sleep", vec!["10".to_string()]);
    let prepared = policy.prepare(request).unwrap();
    let result = prepared.spawn().await;

    assert!(matches!(result, Err(proc_jail::ExecError::Timeout { .. })));
}

#[tokio::test]
async fn test_symlink_resolves_to_allowlist() {
    use std::os::unix::fs::symlink;

    // Create a symlink to grep
    let link_path = "/tmp/proc_jail_grep_link";
    let _ = std::fs::remove_file(link_path);

    // On macOS, grep is at /usr/bin/grep
    symlink("/usr/bin/grep", link_path).unwrap();

    // Policy allows /usr/bin/grep
    let policy = grep_policy();

    // Request via symlink should work (resolves to allowed binary)
    let request = ProcRequest::new(link_path, vec!["--help".to_string()]);

    // This should fail because --help is not in our allowed flags
    let result = policy.prepare(request);
    assert!(matches!(result, Err(Violation::ArgFlagNotAllowed { .. })));

    std::fs::remove_file(link_path).ok();
}

#[tokio::test]
async fn test_env_policy_empty() {
    let policy = ProcPolicy::builder()
        .allow_bin("/usr/bin/env")
        .arg_rules("/usr/bin/env", ArgRules::new().max_positionals(0))
        .risky_bin_policy(RiskyBinPolicy::Disabled) // env is risky
        .env_policy(EnvPolicy::Empty)
        .build()
        .unwrap();

    let request = ProcRequest::new("/usr/bin/env", vec![]);
    let prepared = policy.prepare(request).unwrap();
    let output = prepared.spawn().await.unwrap();

    // With empty env, /usr/bin/env should print nothing
    assert!(output.stdout_string().is_empty());
}

#[tokio::test]
async fn test_env_policy_locale_only() {
    let policy = ProcPolicy::builder()
        .allow_bin("/usr/bin/env")
        .arg_rules("/usr/bin/env", ArgRules::new().max_positionals(0))
        .risky_bin_policy(RiskyBinPolicy::Disabled)
        .env_policy(EnvPolicy::LocaleOnly)
        .build()
        .unwrap();

    let request = ProcRequest::new("/usr/bin/env", vec![]);
    let prepared = policy.prepare(request).unwrap();
    let output = prepared.spawn().await.unwrap();

    let stdout = output.stdout_string();
    assert!(stdout.contains("LANG=C.UTF-8"));
    assert!(stdout.contains("LC_ALL=C.UTF-8"));
}

#[tokio::test]
async fn test_subcommand_pinning() {
    // This test requires git to be installed
    if !std::path::Path::new("/usr/bin/git").exists() {
        return;
    }

    // Use "version" (without --) as subcommand since subcommands are positional
    // Actually git doesn't have a "version" subcommand, let's use "status"
    let policy = ProcPolicy::builder()
        .allow_bin("/usr/bin/git")
        .arg_rules(
            "/usr/bin/git",
            ArgRules::new()
                .subcommand("status")
                .allowed_flags(&["--porcelain", "-s"])
                .max_flags(2)
                .max_positionals(0),
        )
        .cwd_policy(CwdPolicy::fixed("/tmp"))
        .build()
        .unwrap();

    // Wrong subcommand rejected
    let request = ProcRequest::new("/usr/bin/git", vec!["push".to_string()]);
    let result = policy.prepare(request);
    assert!(matches!(
        result,
        Err(Violation::ArgSubcommandMismatch { .. })
    ));

    // Correct subcommand accepted (might fail at runtime if /tmp isn't a git repo, but prepare succeeds)
    let request = ProcRequest::new("/usr/bin/git", vec!["status".to_string()]);
    let result = policy.prepare(request);
    assert!(result.is_ok());
}

#[tokio::test]
async fn test_positional_with_dash_like_content() {
    // Test that content that looks like a flag is properly handled as positional after --
    let policy = grep_policy();

    // Create a temp file
    let tmp_file = "/tmp/proc_jail_dash_content.txt";
    std::fs::write(tmp_file, "-e\n--verbose\n--help\n").unwrap();

    // Search for literal "-e" in the file
    let request = ProcRequest::new(
        "/usr/bin/grep",
        vec![
            "-n".to_string(),
            "--".to_string(),
            "-e".to_string(),
            tmp_file.to_string(),
        ],
    );

    // This should work because -- is already present, and -e after -- is positional
    let prepared = policy.prepare(request).unwrap();
    let output = prepared.spawn().await.unwrap();

    assert!(output.success());
    assert!(output.stdout_string().contains("1:-e"));

    std::fs::remove_file(tmp_file).ok();
}