Linux sandbox bubblewrap (#22680)

2026-03-20 19:11:23 -07:00 · 2026-03-16 21:34:48 +00:00
parent 44ce90d76c
commit 8f22ffd2b1
7 changed files with 348 additions and 19 deletions
--- a/packages/core/src/sandbox/linux/LinuxSandboxManager.test.ts
+++ b/packages/core/src/sandbox/linux/LinuxSandboxManager.test.ts
@@ -0,0 +1,90 @@
+/**
+ * @license
+ * Copyright 2026 Google LLC
+ * SPDX-License-Identifier: Apache-2.0
+ */
+
+import { describe, it, expect } from 'vitest';
+import { LinuxSandboxManager } from './LinuxSandboxManager.js';
+import type { SandboxRequest } from '../../services/sandboxManager.js';
+
+describe('LinuxSandboxManager', () => {
+  const workspace = '/home/user/workspace';
+
+  it('correctly outputs bwrap as the program with appropriate isolation flags', async () => {
+    const manager = new LinuxSandboxManager({ workspace });
+    const req: SandboxRequest = {
+      command: 'ls',
+      args: ['-la'],
+      cwd: workspace,
+      env: {},
+    };
+
+    const result = await manager.prepareCommand(req);
+
+    expect(result.program).toBe('bwrap');
+    expect(result.args).toEqual([
+      '--unshare-all',
+      '--new-session',
+      '--die-with-parent',
+      '--ro-bind',
+      '/',
+      '/',
+      '--dev',
+      '/dev',
+      '--proc',
+      '/proc',
+      '--tmpfs',
+      '/tmp',
+      '--bind',
+      workspace,
+      workspace,
+      '--',
+      'ls',
+      '-la',
+    ]);
+  });
+
+  it('maps allowedPaths to bwrap binds', async () => {
+    const manager = new LinuxSandboxManager({
+      workspace,
+      allowedPaths: ['/tmp/cache', '/opt/tools', workspace],
+    });
+    const req: SandboxRequest = {
+      command: 'node',
+      args: ['script.js'],
+      cwd: workspace,
+      env: {},
+    };
+
+    const result = await manager.prepareCommand(req);
+
+    expect(result.program).toBe('bwrap');
+    expect(result.args).toEqual([
+      '--unshare-all',
+      '--new-session',
+      '--die-with-parent',
+      '--ro-bind',
+      '/',
+      '/',
+      '--dev',
+      '/dev',
+      '--proc',
+      '/proc',
+      '--tmpfs',
+      '/tmp',
+      '--bind',
+      workspace,
+      workspace,
+      '--bind',
+      '/tmp/cache',
+      '/tmp/cache',
+      '--bind',
+      '/opt/tools',
+      '/opt/tools',
+      '--',
+      'node',
+      'script.js',
+    ]);
+  });
+});
--- a/packages/core/src/sandbox/linux/LinuxSandboxManager.ts
+++ b/packages/core/src/sandbox/linux/LinuxSandboxManager.ts
@@ -0,0 +1,78 @@
+/**
+ * @license
+ * Copyright 2026 Google LLC
+ * SPDX-License-Identifier: Apache-2.0
+ */
+
+import {
+  type SandboxManager,
+  type SandboxRequest,
+  type SandboxedCommand,
+} from '../../services/sandboxManager.js';
+import {
+  sanitizeEnvironment,
+  getSecureSanitizationConfig,
+  type EnvironmentSanitizationConfig,
+} from '../../services/environmentSanitization.js';
+
+/**
+ * Options for configuring the LinuxSandboxManager.
+ */
+export interface LinuxSandboxOptions {
+  /** The primary workspace path to bind into the sandbox. */
+  workspace: string;
+  /** Additional paths to bind into the sandbox. */
+  allowedPaths?: string[];
+  /** Optional base sanitization config. */
+  sanitizationConfig?: EnvironmentSanitizationConfig;
+}
+
+/**
+ * A SandboxManager implementation for Linux that uses Bubblewrap (bwrap).
+ */
+export class LinuxSandboxManager implements SandboxManager {
+  constructor(private readonly options: LinuxSandboxOptions) {}
+
+  async prepareCommand(req: SandboxRequest): Promise<SandboxedCommand> {
+    const sanitizationConfig = getSecureSanitizationConfig(
+      req.config?.sanitizationConfig,
+      this.options.sanitizationConfig,
+    );
+
+    const sanitizedEnv = sanitizeEnvironment(req.env, sanitizationConfig);
+
+    const bwrapArgs: string[] = [
+      '--unshare-all',
+      '--new-session', // Isolate session
+      '--die-with-parent', // Prevent orphaned runaway processes
+      '--ro-bind',
+      '/',
+      '/',
+      '--dev', // Creates a safe, minimal /dev (replaces --dev-bind)
+      '/dev',
+      '--proc', // Creates a fresh procfs for the unshared PID namespace
+      '/proc',
+      '--tmpfs', // Provides an isolated, writable /tmp directory
+      '/tmp',
+      // Note: --dev /dev sets up /dev/pts automatically
+      '--bind',
+      this.options.workspace,
+      this.options.workspace,
+    ];
+
+    const allowedPaths = this.options.allowedPaths ?? [];
+    for (const path of allowedPaths) {
+      if (path !== this.options.workspace) {
+        bwrapArgs.push('--bind', path, path);
+      }
+    }
+
+    bwrapArgs.push('--', req.command, ...req.args);
+
+    return {
+      program: 'bwrap',
+      args: bwrapArgs,
+      env: sanitizedEnv,
+    };
+  }
+}