Documentation
Constants
const (
	// DefaultMountPoint is the path where the workspace is mounted inside
	// the sandbox when workspace remapping is enabled.
	DefaultMountPoint = "/workspace"

	// DefaultHosts is the /etc/hosts content used inside the sandbox when no
	// explicit hosts content is configured.
	DefaultHosts = "127.0.0.1\tlocalhost\n::1\t\tlocalhost ip6-localhost ip6-loopback\n"
)
Variables
This section is empty.
Functions
func HostPath
func HostPath(path string, cfg *ToolSandboxConfig) string
HostPath translates a (possibly sandbox-internal) path to the corresponding host filesystem path. When sandboxing with workspace remapping is active, paths under the sandbox mount point (e.g. /workspace) are rewritten to the host workspace. Otherwise the path is returned unchanged.
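The translation described above hinges on deciding whether a path is really under the mount point. The following is an added example, not lmcli's own code: toHostPath is a hypothetical stand-in that takes the mount point and host workspace as plain strings (both assumed absolute), and the sample paths are constructed.

```go
package main

import (
	"fmt"
	"path/filepath"
	"strings"
)

// toHostPath is a hypothetical stand-in for HostPath, written for this example.
// mountPoint is the sandbox-side workspace path (e.g. /workspace) and
// workspace is the host directory bound there; both are assumed absolute.
func toHostPath(path, mountPoint, workspace string) string {
	if mountPoint == "" || mountPoint == workspace {
		return path // no remapping: sandbox and host paths coincide
	}
	// Normalise lexically first so ".." segments are resolved before the
	// prefix test: "/workspace/../etc" cleans to "/etc" and is not remapped.
	clean := filepath.Clean(path)
	mount := filepath.Clean(mountPoint)
	if clean == mount {
		return workspace
	}
	// Compare against "mount/" so a sibling such as "/workspace2" is not
	// mistaken for a path under "/workspace".
	prefix := mount + string(filepath.Separator)
	if !strings.HasPrefix(clean, prefix) {
		return path // outside the mount point: returned unchanged
	}
	return filepath.Join(workspace, strings.TrimPrefix(clean, prefix))
}

func main() {
	const host = "/home/alice/project" // constructed sample workspace
	for _, p := range []string{
		"/workspace/src/main.go",
		"/workspace",
		"/workspace2/secret",
		"/workspace/../etc/passwd",
		"/workspace/a/../b.txt",
		"relative/file",
	} {
		fmt.Printf("%-26s -> %s\n", p, toHostPath(p, "/workspace", host))
	}
}
```

The check is lexical only: a symlink inside the workspace that points elsewhere on the host is not detected by this function and would need to be resolved separately.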
func ResolveWorkspace
ResolveWorkspace returns an absolute workspace path. If the provided workspace is non-empty it is resolved to an absolute path; otherwise the current working directory is returned.
func WrapCommand
WrapCommand wraps an *exec.Cmd with bwrap sandboxing when enabled. If sandboxing is disabled (cfg is nil or cfg.Enabled is false), the command is returned unchanged.
When sandboxing is enabled, the command is re-created as:
bwrap <mount-args> -- <original-command-path> <original-args...>
The sandboxed process sees:
- read-only system directories (/usr, /lib, /lib64, /bin, /etc)
- /dev, /proc, /sys, /tmp
- the lmcli binary itself (read-only)
- the workspace directory mounted at /workspace (read-write)
- any additional configured bind directories
- a minimal, allowlisted environment
Notably absent: the lmcli config directory (containing API keys) and the data directory (containing the conversation database). This is a security boundary — tool code cannot access API keys or conversation history.
Types
type SandboxConfig
type SandboxConfig struct {
	Enabled        bool     `yaml:"enabled"`
	RemapWorkspace *bool    `yaml:"remapWorkspace" default:"true"`
	BindDirs       []string `yaml:"bindDirs"`
	PersistDirs    []string `yaml:"persistDirs"`
	Hosts          string   `yaml:"hosts,omitempty"`
}
SandboxConfig holds the user-facing sandbox configuration (from config.yaml).
type ToolSandboxConfig
type ToolSandboxConfig struct {
	// Enabled controls whether bwrap sandboxing is applied.
	Enabled bool

	// Workspace is the directory to bind-mount into the sandbox.
	Workspace string

	// MountPoint is the path where Workspace appears inside the sandbox.
	// When RemapWorkspace is true this is /workspace; otherwise it matches
	// the host Workspace path so that absolute paths remain valid (needed
	// for e.g. Python virtual environments).
	MountPoint string

	// BindDirs are explicit host-to-sandbox mounts (path, path:ro, src:dst, src:dst:ro).
	BindDirs []string

	// PersistDirs are paths that should appear writable inside the sandbox,
	// backed by a staging directory under $XDG_DATA_HOME/lmcli/sandbox.
	PersistDirs []string

	// Hosts is the content for /etc/hosts inside the sandbox. When empty,
	// a minimal default is used.
	Hosts string
}
ToolSandboxConfig holds the configuration needed to sandbox a single tool invocation.
func NewToolSandboxConfig
func NewToolSandboxConfig(cfg *SandboxConfig, workspace string) (*ToolSandboxConfig, error)
NewToolSandboxConfig builds a ToolSandboxConfig from the application config and a resolved workspace path. Returns a disabled config if sandboxing is not enabled or bwrap is not found on PATH.