Skip to main content

Module process_sandbox

Module process_sandbox 

Source
Expand description

Public re-exports of the platform-specific process sandbox primitives.

Embedders that spawn subprocesses on behalf of Harn scripts (today: the harn-hostlib deterministic-tool builtins) must funnel every spawn through these helpers so the active orchestration capability policy is enforced — Linux seccomp/landlock filters via pre_exec, macOS sandbox-exec wrapping, Windows AppContainer + Job Object launches through command_output, plus workspace-root cwd enforcement.

The same surface also exposes check_fs_path_scope so embedders that resolve host paths on behalf of Harn scripts (the harn-hostlib fs/*, tools/*, and ast/* builtins) can enforce the active policy’s workspace-root scope without depending on VmError.

The helpers themselves live next to the rest of the sandbox state in [crate::stdlib::sandbox]. This module exists so external crates have a stable, documented surface to depend on without reaching into stdlib::* plumbing.

Structs§

ProcessCommandConfig
ProcessSandboxScope
ProcessSandboxScopeGuard
SandboxViolation
A workspace-root scope violation: a path that resolved outside every configured workspace root under a restricted SandboxProfile.

Enums§

FsAccess
The kind of filesystem access a path-scope check is guarding. This drives the verb rendered in rejection messages and the narrow standard-device exception; ordinary files are otherwise scoped by the same workspace roots.

Constants§

MESSAGE_LOCALE_OVERRIDE_ENV
The environment variable a user-inherited value of which would override deterministic_message_locale_env’s LC_MESSAGES. Spawn sites strip this (unless the caller pinned it) so the forced message locale actually takes effect. Kept as a named constant so both spawn paths stay in sync.

Functions§

active_backend_available
Whether the platform mechanism backing the active sandbox backend is available on the running host. Used by conformance fixtures and the harn doctor flow to skip OS-hardened checks on hosts without the required kernel support.
active_backend_name
Stable identifier for the platform sandbox backend selected at compile time. Surfaced for diagnostics and conformance fixtures so callers can record which backend produced a recorded run.
active_workspace_tmpdir_env
The TMPDIR/TMP/TEMP overrides for the currently active execution policy, as (key, value) pairs, or an empty vec when no restricted policy is active or no writable workspace root exists.
check_fs_path_scope
Check whether path is inside the active policy’s workspace roots.
command_output
deterministic_message_locale_env
Environment overlay that pins a child tool’s message output to a deterministic, English, UTF-8-preserving locale, as (key, value) pairs.
enforce_process_cwd
process_spawn_error
process_violation_error
push_process_sandbox_scope
std_command_for
tokio_command_for