MediaMetz/gemini-cli
1
0
Fork 0
mirror of https://github.com/google-gemini/gemini-cli.git synced 2026-04-24 20:14:44 -07:00
Code Issues Packages Projects Releases Wiki Activity

feat(core): implement strict macOS sandboxing using Seatbelt allowlist (#22832)

Browse Source
This commit is contained in:
Emily Hedlund
2026-03-18 16:07:54 -04:00
committed by GitHub
parent 1725ec346b
commit f6e21f50fd
8 changed files with 661 additions and 19 deletions
Download Patch File Download Diff File Expand all files Collapse all files
packages/core/src/services/sandboxManager.test.ts
+17 -19
View File
@@ -12,6 +12,7 @@ import {
createSandboxManager,
} from './sandboxManager.js';
import { LinuxSandboxManager } from '../sandbox/linux/LinuxSandboxManager.js';
import { MacOsSandboxManager } from '../sandbox/macos/MacOsSandboxManager.js';
describe('NoopSandboxManager', () => {
const sandboxManager = new NoopSandboxManager();
@@ -124,23 +125,20 @@ describe('createSandboxManager', () => {
expect(manager).toBeInstanceOf(NoopSandboxManager);
});
it('should return LinuxSandboxManager if sandboxing is enabled and platform is linux', () => {
const osSpy = vi.spyOn(os, 'platform').mockReturnValue('linux');
try {
const manager = createSandboxManager(true, '/workspace');
expect(manager).toBeInstanceOf(LinuxSandboxManager);
} finally {
osSpy.mockRestore();
}
});
it('should return LocalSandboxManager if sandboxing is enabled and platform is not linux', () => {
const osSpy = vi.spyOn(os, 'platform').mockReturnValue('darwin');
try {
const manager = createSandboxManager(true, '/workspace');
expect(manager).toBeInstanceOf(LocalSandboxManager);
} finally {
osSpy.mockRestore();
}
});
it.each([
{ platform: 'linux', expected: LinuxSandboxManager },
{ platform: 'darwin', expected: MacOsSandboxManager },
{ platform: 'win32', expected: LocalSandboxManager },
] as const)(
'should return $expected.name if sandboxing is enabled and platform is $platform',
({ platform, expected }) => {
const osSpy = vi.spyOn(os, 'platform').mockReturnValue(platform);
try {
const manager = createSandboxManager(true, '/workspace');
expect(manager).toBeInstanceOf(expected);
} finally {
osSpy.mockRestore();
}
},
);
});
packages/core/src/services/sandboxManager.ts
+4
View File
@@ -11,6 +11,7 @@ import {
type EnvironmentSanitizationConfig,
} from './environmentSanitization.js';
import { LinuxSandboxManager } from '../sandbox/linux/LinuxSandboxManager.js';
import { MacOsSandboxManager } from '../sandbox/macos/MacOsSandboxManager.js';
/**
* Request for preparing a command to run in a sandbox.
@@ -98,6 +99,9 @@ export function createSandboxManager(
if (os.platform() === 'linux') {
return new LinuxSandboxManager({ workspace });
}
if (os.platform() === 'darwin') {
return new MacOsSandboxManager({ workspace });
}
return new LocalSandboxManager();
}
return new NoopSandboxManager();