vtcode_core/sandboxing/
child_spawn.rs

1//! Child process spawning with sandbox-aware environment handling.
2//!
3//! Implements patterns from the Codex sandbox model:
4//! - Environment variable sanitization (remove sensitive vars)
5//! - Parent death signal (PR_SET_PDEATHSIG on Linux)
6//! - Sandbox identification markers for downstream tools
7
8use hashbrown::HashMap;
9use std::path::Path;
10
11/// Environment variables that should be filtered from sandboxed processes.
12///
13/// Following the field guide: "Completely clear the environment and rebuild it
14/// with only the variables you actually want."
15pub const FILTERED_ENV_VARS: &[&str] = &[
16    // API keys and tokens
17    "OPENAI_API_KEY",
18    "ANTHROPIC_API_KEY",
19    "GEMINI_API_KEY",
20    "XAI_API_KEY",
21    "DEEPSEEK_API_KEY",
22    "OPENROUTER_API_KEY",
23    "GROQ_API_KEY",
24    "MISTRAL_API_KEY",
25    "COHERE_API_KEY",
26    "AZURE_OPENAI_API_KEY",
27    "HUGGINGFACE_API_KEY",
28    "HF_TOKEN",
29    // Cloud provider credentials
30    "AWS_ACCESS_KEY_ID",
31    "AWS_SECRET_ACCESS_KEY",
32    "AWS_SESSION_TOKEN",
33    "GOOGLE_APPLICATION_CREDENTIALS",
34    "GOOGLE_CLOUD_PROJECT",
35    "AZURE_CLIENT_ID",
36    "AZURE_CLIENT_SECRET",
37    "AZURE_TENANT_ID",
38    "AZURE_SUBSCRIPTION_ID",
39    // GitHub tokens
40    "GITHUB_TOKEN",
41    "GH_TOKEN",
42    "GITHUB_PAT",
43    // NPM/Package registry tokens
44    "NPM_TOKEN",
45    "NPM_AUTH_TOKEN",
46    "CARGO_REGISTRY_TOKEN",
47    "PYPI_TOKEN",
48    // Database credentials
49    "DATABASE_URL",
50    "DB_PASSWORD",
51    "PGPASSWORD",
52    "MYSQL_PWD",
53    "REDIS_PASSWORD",
54    "MONGO_PASSWORD",
55    // SSH/GPG
56    "SSH_AUTH_SOCK",
57    "GPG_AGENT_INFO",
58    // Dynamic linker vars (security risk)
59    "LD_PRELOAD",
60    "LD_LIBRARY_PATH",
61    "LD_AUDIT",
62    "LD_DEBUG",
63    "LD_PROFILE",
64    "DYLD_INSERT_LIBRARIES",
65    "DYLD_LIBRARY_PATH",
66    "DYLD_FRAMEWORK_PATH",
67    "DYLD_FALLBACK_LIBRARY_PATH",
68    // Other sensitive vars
69    "VAULT_TOKEN",
70    "CONSUL_HTTP_TOKEN",
71    "DOCKER_AUTH_CONFIG",
72    "KUBECONFIG",
73    "KUBE_TOKEN",
74    "SLACK_TOKEN",
75    "SLACK_BOT_TOKEN",
76    "DISCORD_TOKEN",
77    "TELEGRAM_BOT_TOKEN",
78];
79
80/// Environment variables that should always be preserved.
81pub const PRESERVED_ENV_VARS: &[&str] = &[
82    // Basic shell environment
83    "PATH",
84    "HOME",
85    "USER",
86    "SHELL",
87    "TERM",
88    "LANG",
89    "LC_ALL",
90    "LC_CTYPE",
91    "TZ",
92    // XDG directories
93    "XDG_CONFIG_HOME",
94    "XDG_DATA_HOME",
95    "XDG_CACHE_HOME",
96    "XDG_RUNTIME_DIR",
97    // Editor preferences (not sensitive)
98    "EDITOR",
99    "VISUAL",
100    "PAGER",
101    // Build tool paths
102    "CARGO_HOME",
103    "RUSTUP_HOME",
104    "GOPATH",
105    "GOROOT",
106    "JAVA_HOME",
107    "PYTHON",
108    "PYTHONPATH",
109    "NODE_PATH",
110    // Terminal capabilities
111    "COLORTERM",
112    "FORCE_COLOR",
113    "NO_COLOR",
114    "CLICOLOR",
115    "CLICOLOR_FORCE",
116    // Temp directories
117    "TMPDIR",
118    "TEMP",
119    "TMP",
120];
121
122/// Sandbox environment markers set for child processes.
123pub const VTCODE_SANDBOX_ACTIVE: &str = "VTCODE_SANDBOX_ACTIVE";
124pub const VTCODE_SANDBOX_NETWORK_DISABLED: &str = "VTCODE_SANDBOX_NETWORK_DISABLED";
125pub const VTCODE_SANDBOX_TYPE: &str = "VTCODE_SANDBOX_TYPE";
126pub const VTCODE_SANDBOX_WRITABLE_ROOTS: &str = "VTCODE_SANDBOX_WRITABLE_ROOTS";
127
128/// Build a sanitized environment for sandboxed child processes.
129///
130/// Implements the Codex pattern: "Completely clear the environment and rebuild it
131/// with only the variables you actually want."
132pub fn build_sanitized_env(
133    current_env: &HashMap<String, String>,
134    sandbox_active: bool,
135    network_disabled: bool,
136    sandbox_type: &str,
137    writable_roots: &[&Path],
138) -> HashMap<String, String> {
139    let mut sanitized = HashMap::new();
140
141    // Copy only preserved environment variables
142    for key in PRESERVED_ENV_VARS {
143        if let Some(value) = current_env.get(*key) {
144            sanitized.insert(key.to_string(), value.clone());
145        }
146    }
147
148    // Add sandbox markers so downstream tools know what's happening
149    if sandbox_active {
150        sanitized.insert(VTCODE_SANDBOX_ACTIVE.to_string(), "1".to_string());
151        sanitized.insert(VTCODE_SANDBOX_TYPE.to_string(), sandbox_type.to_string());
152
153        if network_disabled {
154            sanitized.insert(VTCODE_SANDBOX_NETWORK_DISABLED.to_string(), "1".to_string());
155        }
156
157        if !writable_roots.is_empty() {
158            let roots: Vec<String> = writable_roots
159                .iter()
160                .map(|p| p.display().to_string())
161                .collect();
162            sanitized.insert(VTCODE_SANDBOX_WRITABLE_ROOTS.to_string(), roots.join(":"));
163        }
164    }
165
166    sanitized
167}
168
169/// Check if an environment variable should be filtered.
170pub fn should_filter_env_var(key: &str) -> bool {
171    FILTERED_ENV_VARS.contains(&key)
172        || key.starts_with("AWS_")
173        || key.starts_with("AZURE_")
174        || key.starts_with("GOOGLE_")
175        || key.starts_with("GCP_")
176        || key.starts_with("LD_")
177        || key.starts_with("DYLD_")
178        || key.ends_with("_TOKEN")
179        || key.ends_with("_KEY")
180        || key.ends_with("_SECRET")
181        || key.ends_with("_PASS")
182        || key.ends_with("_PWD")
183        || key.ends_with("_PASSWORD")
184        || key.ends_with("_CREDENTIALS")
185}
186
187/// Filter sensitive environment variables from an existing map.
188///
189/// Less aggressive than `build_sanitized_env` - preserves most vars but removes known sensitive ones.
190pub fn filter_sensitive_env(env: &HashMap<String, String>) -> HashMap<String, String> {
191    env.iter()
192        .filter(|(k, _)| !should_filter_env_var(k))
193        .map(|(k, v)| (k.clone(), v.clone()))
194        .collect()
195}
196
197/// Set up parent death signal on Linux.
198///
199/// "Ensures sandboxed children die if the main process gets killed -
200/// you don't want orphaned processes running around."
201///
202/// Uses SIGTERM for graceful shutdown. Includes parent PID check to avoid
203/// race condition where parent exits between fork and exec.
204#[cfg(target_os = "linux")]
205#[allow(unsafe_code)]
206pub fn setup_parent_death_signal() -> std::io::Result<()> {
207    // SAFETY: `getppid` has no preconditions and simply returns the current parent PID.
208    setup_parent_death_signal_with_check(unsafe { libc::getppid() })
209}
210
211/// Set up parent death signal with explicit parent PID check.
212///
213/// This variant should be used in pre_exec hooks where the parent PID
214/// is captured before spawn to avoid race conditions.
215#[cfg(target_os = "linux")]
216#[allow(unsafe_code)]
217pub fn setup_parent_death_signal_with_check(
218    expected_parent_pid: libc::pid_t,
219) -> std::io::Result<()> {
220    use std::io::Error;
221
222    // Use SIGTERM for graceful shutdown (allows cleanup handlers to run)
223    // SAFETY: `prctl(PR_SET_PDEATHSIG, SIGTERM)` is called with a valid option and signal.
224    let result = unsafe { libc::prctl(libc::PR_SET_PDEATHSIG, libc::SIGTERM) };
225    if result == -1 {
226        return Err(Error::other(format!(
227            "prctl(PR_SET_PDEATHSIG) failed: {}",
228            Error::last_os_error()
229        )));
230    }
231
232    // Re-check parent PID to catch race condition where parent exited between
233    // fork and this prctl call. If parent changed, self-terminate immediately.
234    // SAFETY: `getppid` has no preconditions and simply returns the current parent PID.
235    if unsafe { libc::getppid() } != expected_parent_pid {
236        // SAFETY: raising SIGTERM in the current process is intentional here.
237        unsafe { libc::raise(libc::SIGTERM) };
238    }
239
240    Ok(())
241}
242
243#[cfg(not(target_os = "linux"))]
244pub fn setup_parent_death_signal() -> std::io::Result<()> {
245    Ok(())
246}
247
248#[cfg(test)]
249mod tests {
250    use super::*;
251
252    const TEST_API_KEY_VALUE: &str = "test-openai-key";
253
254    #[test]
255    fn test_should_filter_sensitive_vars() {
256        assert!(should_filter_env_var("OPENAI_API_KEY"));
257        assert!(should_filter_env_var("AWS_SECRET_ACCESS_KEY"));
258        assert!(should_filter_env_var("GITHUB_TOKEN"));
259        assert!(should_filter_env_var("LD_PRELOAD"));
260        assert!(should_filter_env_var("DYLD_INSERT_LIBRARIES"));
261        assert!(should_filter_env_var("MY_CUSTOM_TOKEN"));
262        assert!(should_filter_env_var("MY_CUSTOM_PASS"));
263        assert!(should_filter_env_var("MYSQL_PWD"));
264        assert!(should_filter_env_var("DATABASE_PASSWORD"));
265
266        assert!(!should_filter_env_var("PATH"));
267        assert!(!should_filter_env_var("HOME"));
268        assert!(!should_filter_env_var("TERM"));
269    }
270
271    #[test]
272    fn test_build_sanitized_env() {
273        let mut current = HashMap::new();
274        current.insert("PATH".to_string(), "/usr/bin".to_string());
275        current.insert("HOME".to_string(), "/home/user".to_string());
276        current.insert("OPENAI_API_KEY".to_string(), TEST_API_KEY_VALUE.to_string());
277        current.insert("RANDOM_VAR".to_string(), "value".to_string());
278
279        let sanitized = build_sanitized_env(&current, true, true, "MacosSeatbelt", &[]);
280
281        // PATH and HOME should be preserved
282        assert_eq!(sanitized.get("PATH"), Some(&"/usr/bin".to_string()));
283        assert_eq!(sanitized.get("HOME"), Some(&"/home/user".to_string()));
284
285        // API key should NOT be present (not in preserved list)
286        assert!(!sanitized.contains_key("OPENAI_API_KEY"));
287
288        // Random var should NOT be present (not in preserved list)
289        assert!(!sanitized.contains_key("RANDOM_VAR"));
290
291        // Sandbox markers should be set
292        assert_eq!(sanitized.get(VTCODE_SANDBOX_ACTIVE), Some(&"1".to_string()));
293        assert_eq!(
294            sanitized.get(VTCODE_SANDBOX_NETWORK_DISABLED),
295            Some(&"1".to_string())
296        );
297        assert_eq!(
298            sanitized.get(VTCODE_SANDBOX_TYPE),
299            Some(&"MacosSeatbelt".to_string())
300        );
301    }
302
303    #[test]
304    fn test_filter_sensitive_env() {
305        let mut env = HashMap::new();
306        env.insert("PATH".to_string(), "/usr/bin".to_string());
307        env.insert("OPENAI_API_KEY".to_string(), TEST_API_KEY_VALUE.to_string());
308        env.insert("MY_VAR".to_string(), "value".to_string());
309        env.insert("AWS_ACCESS_KEY_ID".to_string(), "AKIA...".to_string());
310        env.insert("CUSTOM_PASS".to_string(), "let-me-in".to_string());
311        env.insert("SERVICE_PWD".to_string(), "super-secret".to_string());
312
313        let filtered = filter_sensitive_env(&env);
314
315        assert!(filtered.contains_key("PATH"));
316        assert!(filtered.contains_key("MY_VAR"));
317        assert!(!filtered.contains_key("OPENAI_API_KEY"));
318        assert!(!filtered.contains_key("AWS_ACCESS_KEY_ID"));
319        assert!(!filtered.contains_key("CUSTOM_PASS"));
320        assert!(!filtered.contains_key("SERVICE_PWD"));
321    }
322}
vtcode_core/sandboxing/child_spawn.rs

vtcode_core/sandboxing/
child_spawn.rs
