Sandboxing module for VT Code
This module provides sandbox policies and execution environment transformations inspired by the OpenAI Codex execution model and the AI sandbox field guide. It enables safe command execution with configurable isolation levels.
§Architecture
The sandboxing system implements the field guide’s three-question model:
- Boundary: What is shared (kernel-enforced via Seatbelt/Landlock)
- Policy: What can code touch (SandboxPolicy enum)
- Lifecycle: What survives between runs (session-scoped approvals)
Key components:
- SandboxPolicy: Configurable isolation levels (ReadOnly, WorkspaceWrite, DangerFullAccess)
- SandboxManager: Transforms command specifications into sandboxed execution environments
- SandboxPermissions: Fine-grained permission control for individual operations
- NetworkAllowlistEntry: Domain-based network egress control
- SensitivePath: Credential location blocking
- ResourceLimits: Memory, PID, disk, and CPU limits
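The Policy question above, sketched as a stand-alone model that is an added example and not code from vtcode_core: it decides whether a write to a path is allowed under each isolation level. The `Policy` fields, `normalize`, `may_write`, the sample paths, and the rule that sensitive paths override writable roots are assumptions made for illustration; the crate itself relies on kernel enforcement (Seatbelt/Landlock) rather than a user-space check like this.

```rust
use std::path::{Component, Path, PathBuf};

// Hypothetical model type: variant names follow the page, the field is assumed.
enum Policy {
    ReadOnly,
    WorkspaceWrite { writable_roots: Vec<PathBuf> },
    DangerFullAccess,
}

// Resolve `.` and `..` lexically so `/work/proj/../etc` cannot pass as `/work/proj/...`.
// Symlinks are not resolved here; that is what the kernel-enforced boundary is for.
fn normalize(path: &Path) -> PathBuf {
    let mut out = PathBuf::new();
    for c in path.components() {
        match c {
            Component::ParentDir => { out.pop(); }
            Component::CurDir => {}
            other => out.push(other.as_os_str()),
        }
    }
    out
}

// Assumed rule: a sensitive path wins over a writable root; relative paths are denied.
fn may_write(policy: &Policy, sensitive: &[PathBuf], target: &Path) -> bool {
    let target = normalize(target);
    match policy {
        Policy::DangerFullAccess => true,
        Policy::ReadOnly => false,
        Policy::WorkspaceWrite { writable_roots } => {
            // starts_with compares whole components: /work/proj-evil is not under /work/proj
            target.is_absolute()
                && !sensitive.iter().any(|s| target.starts_with(s))
                && writable_roots.iter().any(|r| target.starts_with(r))
        }
    }
}

fn main() {
    let policy = Policy::WorkspaceWrite { writable_roots: vec![PathBuf::from("/work/proj")] };
    let sensitive = vec![PathBuf::from("/work/proj/.ssh")]; // constructed sample
    for p in ["/work/proj/src/a.rs", "/work/proj/../etc/passwd", "/work/proj-evil/x", "/work/proj/.ssh/id"] {
        println!("{p}: {}", may_write(&policy, &sensitive, Path::new(p)));
    }
}
```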
§Usage
```rust
use vtcode_core::sandboxing::{SandboxPolicy, SandboxManager, CommandSpec, ResourceLimits};

let policy = SandboxPolicy::read_only();
let manager = SandboxManager::new();

let spec = CommandSpec {
    program: "cat".to_string(),
    args: vec!["file.txt".to_string()],
    ..Default::default()
};

// Transform to sandboxed environment
let exec_env = manager.transform(spec, &policy, std::path::Path::new("/tmp"), None)?;
```
Structs§
- AdditionalPermissions - Additional per-command filesystem permissions.
- CommandSpec - Specification for a command to be executed.
- ExecEnv - The prepared execution environment after sandbox transformation.
- NetworkAllowlistEntry - Network allowlist entry for domain-based egress control.
- ResourceLimits - Resource limits for sandboxed execution.
- SandboxDebugResult - Result of a sandbox debug test.
- SandboxManager - Manager for sandbox transformation.
- SeccompProfile - Seccomp profile configuration for Linux sandboxing.
- SensitivePath - Sensitive path entry for blocking access to credential locations.
- WritableRoot - A root directory that may be written to under the sandbox policy.
Enums§
- DebugSubcommand - Debug subcommand types for CLI integration.
- ExecExpiration - Mechanism to terminate an exec invocation before it finishes naturally.
- SandboxPermissions - Fine-grained permissions for sandbox operations.
- SandboxPolicy - Sandbox policy determining what operations are permitted during execution.
- SandboxTransformError - Error type for sandbox transformation failures.
- SandboxType - Type of sandbox being used.
Constants§
- BLOCKED_SYSCALLS - Syscalls that should be blocked in seccomp-bpf profiles.
- DEFAULT_SENSITIVE_PATHS - Default sensitive paths that should be blocked from sandboxed processes.
- FILTERED_ENV_VARS - Environment variables that should be filtered from sandboxed processes.
- FILTERED_SYSCALLS - Syscalls that require argument filtering (not fully blocked).
- PRESERVED_ENV_VARS - Environment variables that should always be preserved.
- VTCODE_SANDBOX_ACTIVE - Sandbox environment markers set for child processes.
- VTCODE_SANDBOX_NETWORK_DISABLED
- VTCODE_SANDBOX_TYPE
- VTCODE_SANDBOX_WRITABLE_ROOTS
Functions§
- build_sanitized_env - Build a sanitized environment for sandboxed child processes.
- debug_sandbox - Debug sandbox configuration by running a test command.
- default_sensitive_paths - Get the default sensitive paths as SensitivePath entries.
- filter_sensitive_env - Filter sensitive environment variables from an existing map.
- sandbox_capabilities_summary - Get a human-readable summary of sandbox capabilities for the current platform.
- setup_parent_death_signal - Set up parent death signal on Linux.
- should_filter_env_var - Check if an environment variable should be filtered.
- test_network_blocked - Test if network access is blocked under the given sandbox policy.
- test_path_writable - Test if a specific path is writable under the given sandbox policy.