The real local-filesystem SessionEnv.

Tools run against a real directory on disk via tokio::fs and tokio::process.
Confinement is fd-anchored: every read, write, search, and exec cwd is resolved
off a single held root fd by a per-component openat walk with O_NOFOLLOW,
followed by an authoritative fstat on the opened leaf fd. There is no
canonicalize-then-contain step in any data path, so a symlink or hardlink
swapped in between the containment check and the operation cannot redirect a
read (exfiltration) or a write/exec (data loss).

See SECURITY.md: this is not an OS-level sandbox (no chroot, landlock, or UID
separation). The fd-anchoring closes the TOCTOU class that the path-based
resolve() had; it does not turn this into a security boundary against a
determined adversary until OS isolation lands.
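The per-component walk the description refers to, written out as an added C example rather than the crate's own Rust code: each path component is opened with openat(2) relative to the held root fd, intermediate components use O_DIRECTORY | O_NOFOLLOW and the leaf uses O_NOFOLLOW, absolute paths and `..` are refused outright, and the leaf's type is taken from fstat(2) on the fd that was actually opened, never from a path. The fixture directory layout, the file contents and the symlink targets (`/dev/null` and `/`) are constructed here for the demonstration and are not part of the project.

```c
/* Added example: fd-anchored, per-component openat walk (not the crate's code). */
#define _POSIX_C_SOURCE 200809L
#define _DEFAULT_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* Resolve `rel` underneath `root_fd` one component at a time without ever
 * following a symlink. Absolute paths and ".." are refused. Returns an fd for
 * the leaf (opened with leaf_flags, e.g. O_RDONLY or O_WRONLY|O_CREAT) or -1;
 * on success *st holds the fstat of the fd that was opened, which is the only
 * type information the caller should trust. */
int open_under_root(int root_fd, const char *rel, int leaf_flags, struct stat *st) {
    if (rel == NULL || rel[0] == '\0' || rel[0] == '/') return -1;
    char buf[4096];
    if (strlen(rel) >= sizeof buf) return -1;
    strcpy(buf, rel);

    int cur = dup(root_fd);            /* our own handle on the root */
    if (cur < 0) return -1;
    char *save = NULL;
    char *comp = strtok_r(buf, "/", &save);
    while (comp != NULL) {
        char *next = strtok_r(NULL, "/", &save);
        if (strcmp(comp, "..") == 0) { close(cur); return -1; }   /* no climbing */
        if (strcmp(comp, ".") == 0) { comp = next; continue; }
        /* Intermediates must be real directories; the leaf must not be a link. */
        int flags = next ? (O_RDONLY | O_DIRECTORY | O_NOFOLLOW | O_CLOEXEC)
                         : (leaf_flags | O_NOFOLLOW | O_CLOEXEC);
        int fd = openat(cur, comp, flags, 0600);  /* relative to the held fd */
        close(cur);
        if (fd < 0) return -1;        /* ELOOP on a symlink, ENOTDIR, ENOENT, ... */
        cur = fd;
        comp = next;
    }
    /* Authoritative: describes the object behind the fd, not a path. */
    if (fstat(cur, st) != 0) { close(cur); return -1; }
    return cur;
}

/* Read up to cap bytes from a regular file under root; -1 if refused. */
ssize_t read_under_root(int root_fd, const char *rel, char *out, size_t cap) {
    struct stat st;
    int fd = open_under_root(root_fd, rel, O_RDONLY, &st);
    if (fd < 0) return -1;
    if (!S_ISREG(st.st_mode)) { close(fd); return -1; }  /* directories, devices */
    ssize_t n = read(fd, out, cap);
    close(fd);
    return n;
}

/* Constructed fixture: root/inner/ok.txt, root/escape -> /dev/null,
 * root/linkdir -> /. Returns an fd on the root directory or -1. */
int fixture_setup(void) {
    char tmpl[] = "/tmp/fdanchorXXXXXX";
    if (mkdtemp(tmpl) == NULL) return -1;
    char p[4096];
    snprintf(p, sizeof p, "%s/inner", tmpl);
    if (mkdir(p, 0700) != 0) return -1;
    snprintf(p, sizeof p, "%s/inner/ok.txt", tmpl);
    FILE *f = fopen(p, "w");
    if (f == NULL) return -1;
    fputs("hello\n", f);
    fclose(f);
    snprintf(p, sizeof p, "%s/escape", tmpl);
    if (symlink("/dev/null", p) != 0) return -1;
    snprintf(p, sizeof p, "%s/linkdir", tmpl);
    if (symlink("/", p) != 0) return -1;
    return open(tmpl, O_RDONLY | O_DIRECTORY | O_CLOEXEC);
}

int main(void) {
    int root = fixture_setup();
    if (root < 0) { perror("fixture"); return 1; }
    const char *cases[] = { "inner/ok.txt", "escape", "linkdir/dev/null",
                            "../etc/passwd", "/dev/null", "inner/../escape", "inner" };
    char buf[64];
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++) {
        ssize_t n = read_under_root(root, cases[i], buf, sizeof buf);
        printf("%-18s -> %s\n", cases[i], n < 0 ? "refused" : "read");
    }
    close(root);
    return 0;
}
```

Only `inner/ok.txt` is readable; the file symlink, the directory symlink used as an intermediate, the `..` climb, the absolute path and the bare directory are all refused by the syscall flags or by the fstat type check, with no path string ever compared against the root.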
Structs§
- LocalSessionEnv - A SessionEnv backed by a real local directory.