sboxd 0.1.7

Policy-driven command runner for sandboxed dependency installation
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183

# Network Security

> **The key risk:** enabling network for package downloads also enables postinstall scripts to reach the internet. There is no perfect solution. The options below explain the trade-offs clearly so you can make an informed choice.

---

## Why this is hard

`npm install` does two things inside the same process:

1. **Download** — fetches tarballs from the registry. Needs the internet.
2. **Postinstall** — runs arbitrary scripts from the downloaded packages. Should not have the internet.

If you run the whole install with `network: off`, npm cannot download anything. If you use `network: on`, postinstall scripts can send your environment variables to an attacker's server. Both options happen inside the same container.

The Axios supply chain attack (March 2026) is exactly this scenario: a malicious postinstall hook used the network to exfiltrate credentials from the developer's environment. A sandboxed install with `network: off` would have made that exfiltration impossible — but only if the packages were already available locally.

---

## Option 1 — `network: off` with local packages

**Strongest isolation. No exfiltration possible.**

The container has no network stack at all. DNS fails. TCP/UDP connections fail immediately with `ENETUNREACH`. There is no loopback interface.

```yaml
profiles:
  install:
    mode: sandbox
    network: off
```

This works when packages are already local: a vendored `node_modules/`, a pre-fetched cache volume, a `.tgz` tarball, or a private registry running on localhost.

In CI pipelines that pre-populate a cache layer before the sandboxed install step, this is the recommended approach. First warm the cache (on the host or in a separate step with network on), then run the install with `network: off` against the cache.

**When to use:** CI with a warm cache, vendored dependencies, local development after the first install.

---

## Option 2 — `network_allow` with a registry allowlist

**Practical for most teams. Blocks common exfiltration patterns.**

Allow only specific registries. Postinstall scripts cannot reach arbitrary hosts.

```yaml
profiles:
  install:
    mode: sandbox
    network: on
    network_allow:
      - "*.npmjs.org"
```

**How it works under the hood:**

sbox points the container's DNS resolver at a non-routable address (`192.0.2.1`). Any hostname lookup that is not on the allowlist times out — the container never gets an IP for it.

For hostnames on the allowlist, sbox resolves them on the host at plan time and injects the IPs directly into the container's `/etc/hosts` via `--add-host`. The container can reach `registry.npmjs.org` because its IP is already there, bypassing DNS entirely. `evil.attacker.com` never gets resolved.

You can see what was resolved by running `sbox plan`:

```
network_allow: [resolved] registry.npmjs.org=104.x.x.x, npmjs.org=104.x.x.x; [patterns] *.npmjs.org
```

**The gap:** a postinstall script that hardcodes an IP address bypasses DNS entirely. If an attacker controls a script and knows a reachable IP — including a cloud metadata endpoint like `169.254.169.254` — `network_allow` does not stop it. For that level of protection, you need `network: off` or a kernel-level firewall.

**When to use:** most teams doing live installs from a public registry. Covers the vast majority of real postinstall exfiltration attempts, which use domain names, not hardcoded IPs.

### Allowlists by ecosystem

**npm / pnpm / yarn:**
```yaml
network_allow:
  - "*.npmjs.org"
  - "*.yarnpkg.com"
```

**Python (pip / uv / poetry):**
```yaml
network_allow:
  - "*.pypi.org"
  - files.pythonhosted.org
```

**Rust (cargo):**
```yaml
network_allow:
  - "*.crates.io"
  - static.crates.io
```

**Go modules:**
```yaml
network_allow:
  - proxy.golang.org
  - sum.golang.org
```

### Pattern expansion

For well-known package registry domains, sbox expands wildcard patterns to the full set of known subdomains before resolving. `*.npmjs.org` resolves `registry.npmjs.org`, `npmjs.org`, and `www.npmjs.org` — not just the bare `npmjs.org`. This prevents the case where a CDN serves the registry content from a subdomain that a naive single-host allowlist would miss.

Built-in expansion tables cover npm, yarn, PyPI, crates.io, Go, RubyGems, Maven, GitHub, and the major OCI registries.

---

## Option 3 — Two-phase install (strongest with live downloads)

**The right answer if you need both live downloads and strong postinstall isolation.**

Run the download and postinstall execution as separate steps with different network policies.

**Phase 1 — download without scripts** (network allowed, scripts disabled):

```bash
npm install --ignore-scripts
```

npm fetches all packages but skips every postinstall, prepare, and build script. No untrusted code runs.

**Phase 2 — run scripts without network** (network off):

```bash
npm rebuild
```

npm runs the install scripts against the already-downloaded packages. The network is off, so scripts cannot exfiltrate anything.

Model this in sbox with two profiles:

```yaml
profiles:
  download:
    mode: sandbox
    network: on
    network_allow:
      - "*.npmjs.org"
    writable: true
    no_new_privileges: true

  scripts:
    mode: sandbox
    network: off
    writable: true
    no_new_privileges: true

dispatch:
  npm-download:
    match:
      - "npm install --ignore-scripts*"
    profile: download

  npm-rebuild:
    match:
      - "npm rebuild*"
    profile: scripts
```

Usage:

```bash
sbox run -- npm install --ignore-scripts   # downloads, no postinstall
sbox run -- npm rebuild                    # runs postinstall, no network
```

**The gap:** some packages use `prepare` scripts that genuinely need to compile native code or run build steps during install. Those may fail without network if they try to download build tools. In practice, most packages work fine with `--ignore-scripts` + `npm rebuild`.

---

## Comparison

| | `network: off` | `network_allow` | Two-phase |
|--|----------------|-----------------|-----------|
| Live downloads | No | Yes | Yes |
| Blocks domain-based exfil | Yes | Yes | Yes (phase 2) |
| Blocks hardcoded-IP exfil | Yes | No | Yes (phase 2) |
| Complexity | Low | Low | Medium |
| Works without cache | No | Yes | Yes |

For most teams: **start with `network_allow`** pointing at your registry. If you need stronger guarantees, move to two-phase. If you have a cache, use `network: off`.