vtcode_core/sandboxing/mod.rs
1//! Sandboxing module for VT Code
2//!
3//! This module provides sandbox policies and execution environment transformations
4//! inspired by the OpenAI Codex execution model and the AI sandbox field guide.
5//! It enables command execution under configurable isolation levels; the isolation actually applied depends on the selected policy.
6//!
7//! ## Architecture
8//!
9//! The sandboxing system implements the field guide's three-question model:
10//! - **Boundary**: What is shared (kernel-enforced via Seatbelt on macOS and Landlock on Linux)
11//! - **Policy**: What can code touch (SandboxPolicy enum)
12//! - **Lifecycle**: What survives between runs (session-scoped approvals)
13//!
14//! Key components:
15//! - **SandboxPolicy**: Configurable isolation levels (ReadOnly, WorkspaceWrite, DangerFullAccess); as its name warns, DangerFullAccess grants full access rather than restricting it
16//! - **SandboxManager**: Transforms command specifications into sandboxed execution environments
17//! - **SandboxPermissions**: Fine-grained permission control for individual operations
18//! - **NetworkAllowlistEntry**: Domain-based network egress control
19//! - **SensitivePath**: Blocks access to credential locations (see `DEFAULT_SENSITIVE_PATHS`)
20//! - **ResourceLimits**: Memory, PID, disk, and CPU limits
21//!
22//! ## Usage
23//!
24//! ```rust,no_run
25//! use vtcode_core::sandboxing::{SandboxPolicy, SandboxManager, CommandSpec, ResourceLimits};
26//!
27//! let policy = SandboxPolicy::read_only();
28//! let manager = SandboxManager::new();
29//! let spec = CommandSpec {
30//! program: "cat".to_string(),
31//! args: vec!["file.txt".to_string()],
32//! ..Default::default()
33//! };
34//!
35//! // Transform to sandboxed environment
36//! let exec_env = manager.transform(spec, &policy, std::path::Path::new("/tmp"), None)?;
37//! # Ok::<(), anyhow::Error>(())
38//! ```
39
40mod child_spawn;
41mod debug;
42mod exec_env;
43mod manager;
44mod permissions;
45mod policy;
46
47pub use child_spawn::{
48 FILTERED_ENV_VARS, PRESERVED_ENV_VARS, VTCODE_SANDBOX_ACTIVE, VTCODE_SANDBOX_NETWORK_DISABLED,
49 VTCODE_SANDBOX_TYPE, VTCODE_SANDBOX_WRITABLE_ROOTS, build_sanitized_env, filter_sensitive_env,
50 setup_parent_death_signal, should_filter_env_var,
51};
52pub use debug::{
53 DebugSubcommand, SandboxDebugResult, debug_sandbox, sandbox_capabilities_summary,
54 test_network_blocked, test_path_writable,
55};
56pub use exec_env::{CommandSpec, ExecEnv, ExecExpiration, SandboxType};
57pub use manager::{SandboxManager, SandboxTransformError};
58pub use permissions::{AdditionalPermissions, SandboxPermissions};
59pub use policy::{
60 BLOCKED_SYSCALLS, DEFAULT_SENSITIVE_PATHS, FILTERED_SYSCALLS, NetworkAllowlistEntry,
61 ResourceLimits, SandboxPolicy, SeccompProfile, SensitivePath, WritableRoot,
62 default_sensitive_paths,
63};