Crate kernex_sandbox 

kernex-sandbox

OS-level system protection for AI agent subprocesses.

Uses a blocklist approach: everything is allowed by default, then dangerous system directories and the runtime’s core data are blocked.

• macOS: Apple Seatbelt via sandbox-exec -p <profile> — denies reads and writes to {data_dir}/data/ (memory.db) and config.toml; denies writes to /System, /bin, /sbin, /usr/{bin,sbin,lib,libexec}, /private/etc, /Library.
• Linux: Landlock LSM via pre_exec hook (kernel 5.13+) — broad read-only on / with full access to $HOME, /tmp, /var/tmp, /opt, /srv, /run, /media, /mnt; restricted access to {data_dir}/data/ and config.toml.
• Other: Falls back to a plain command with a warning.

Also provides is_write_blocked and is_read_blocked for code-level enforcement in tool executors (protects memory.db and config.toml on all platforms).

This crate is intentionally standalone with zero internal dependencies, making it usable outside the Kernex ecosystem.

Structs

SandboxProfile

Configuration for system sandbox restrictions.

Functions

is_read_blocked

Check if a read from the given path should be blocked.

is_write_blocked

Check if a write to the given path should be blocked.

protected_command

Build a Command with OS-level system protection.