MediaMetz/gemini-cli
1
0
Fork 0
mirror of https://github.com/google-gemini/gemini-cli.git synced 2026-03-19 02:20:42 -07:00
Code Issues Packages Projects Releases Wiki Activity
Files
2f90b46537ceb1c63b7896e9390b15fc5cfa4399
gemini-cli/packages/core/src/sandbox/linux/LinuxSandboxManager.test.ts
David Pierce 2f90b46537 Linux sandbox seccomp (#22815) 
Co-authored-by: Gal Zahavi <38544478+galz10@users.noreply.github.com>
2026-03-17 20:29:13 +00:00

111 lines
2.5 KiB
TypeScript
Raw Blame History

/**
* @license
* Copyright 2026 Google LLC
* SPDX-License-Identifier: Apache-2.0
*/
import { describe, it, expect } from 'vitest';
import { LinuxSandboxManager } from './LinuxSandboxManager.js';
import type { SandboxRequest } from '../../services/sandboxManager.js';
describe('LinuxSandboxManager', () => {
const workspace = '/home/user/workspace';
it('correctly outputs bwrap as the program with appropriate isolation flags', async () => {
const manager = new LinuxSandboxManager({ workspace });
const req: SandboxRequest = {
command: 'ls',
args: ['-la'],
cwd: workspace,
env: {},
};
const result = await manager.prepareCommand(req);
expect(result.program).toBe('sh');
expect(result.args[0]).toBe('-c');
expect(result.args[1]).toBe(
'bpf_path="$1"; shift; exec bwrap "$@" 9< "$bpf_path"',
);
expect(result.args[2]).toBe('_');
expect(result.args[3]).toMatch(/gemini-cli-seccomp-.*\.bpf$/);
const bwrapArgs = result.args.slice(4);
expect(bwrapArgs).toEqual([
'--unshare-all',
'--new-session',
'--die-with-parent',
'--ro-bind',
'/',
'/',
'--dev',
'/dev',
'--proc',
'/proc',
'--tmpfs',
'/tmp',
'--bind',
workspace,
workspace,
'--seccomp',
'9',
'--',
'ls',
'-la',
]);
});
it('maps allowedPaths to bwrap binds', async () => {
const manager = new LinuxSandboxManager({
workspace,
allowedPaths: ['/tmp/cache', '/opt/tools', workspace],
});
const req: SandboxRequest = {
command: 'node',
args: ['script.js'],
cwd: workspace,
env: {},
};
const result = await manager.prepareCommand(req);
expect(result.program).toBe('sh');
expect(result.args[0]).toBe('-c');
expect(result.args[1]).toBe(
'bpf_path="$1"; shift; exec bwrap "$@" 9< "$bpf_path"',
);
expect(result.args[2]).toBe('_');
expect(result.args[3]).toMatch(/gemini-cli-seccomp-.*\.bpf$/);
const bwrapArgs = result.args.slice(4);
expect(bwrapArgs).toEqual([
'--unshare-all',
'--new-session',
'--die-with-parent',
'--ro-bind',
'/',
'/',
'--dev',
'/dev',
'--proc',
'/proc',
'--tmpfs',
'/tmp',
'--bind',
workspace,
workspace,
'--bind',
'/tmp/cache',
'/tmp/cache',
'--bind',
'/opt/tools',
'/opt/tools',
'--seccomp',
'9',
'--',
'node',
'script.js',
]);
});
});
Reference in New Issue View Git Blame Copy Permalink