Documentation
Constants
const (
	NetworkNone = "none"
	NetworkHost = "host"
	NetworkUser = "user"
)
Networking modes for sandboxed tools.
const (
	// DefaultHosts is the /etc/hosts content used inside the sandbox when no
	// explicit hosts content is configured.
	DefaultHosts = "127.0.0.1\tlocalhost\n::1\t\tlocalhost ip6-localhost ip6-loopback\n"
)
Variables
This section is empty.
Functions
func HostPath
func HostPath(path string, cfg *ToolSandboxConfig) string
HostPath translates a (possibly sandbox-internal) path to the corresponding host filesystem path. When sandboxing with workspace remapping is active, paths under the sandbox mount point (e.g. /workspace) are rewritten to the host workspace. Otherwise the path is returned unchanged.
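The translation described above, as an added example (not lmcli's own code): `sandboxToHost`, its parameters and the sample paths are hypothetical. It normalizes the path and matches the mount point on a separator boundary, so `/workspace-old` and `/workspace/../etc/passwd` are returned unchanged rather than rewritten into the host workspace.

```go
package main

import (
	"fmt"
	"path"
	"strings"
)

// sandboxToHost is a hypothetical stand-in for the behaviour HostPath is
// documented to have. mountPoint is the sandbox-side workspace path
// (e.g. /workspace); hostWorkspace is the host directory bound there.
// The path package is used because bwrap sandboxes are Linux-only.
func sandboxToHost(p, mountPoint, hostWorkspace string) string {
	if mountPoint == "" || hostWorkspace == "" {
		return p // remapping not active: return the path unchanged
	}
	clean := path.Clean(p) // collapse "." and ".." before comparing
	mp := path.Clean(mountPoint)
	if clean == mp {
		return hostWorkspace
	}
	// Require a separator after the mount point so that a sibling such as
	// /workspace-old is not treated as being inside /workspace.
	if strings.HasPrefix(clean, mp+"/") {
		return path.Join(hostWorkspace, strings.TrimPrefix(clean, mp+"/"))
	}
	return p // outside the mount point: return the path unchanged
}

func main() {
	// Constructed sample paths.
	samples := []string{
		"/workspace/src/main.go",
		"/workspace/a/../b",
		"/workspace-old/x",
		"/workspace/../etc/passwd",
	}
	for _, p := range samples {
		fmt.Printf("%-28s -> %s\n", p, sandboxToHost(p, "/workspace", "/home/dev/proj"))
	}
}
```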
func ResolveWorkspace
ResolveWorkspace returns an absolute workspace path. If the provided workspace is non-empty it is resolved to an absolute path; otherwise the current working directory is returned.
Types
type PreparedSandbox (added in v0.8.0)
PreparedSandbox is a prepared, sandboxed command ready to be run via Run. For most networking modes Run simply executes the wrapped command. For user-mode networking it also orchestrates the slirp4netns sidecar across the command's lifetime.
Cmd is exposed so callers can make final adjustments (e.g. merging environment variables) before calling Run.
func PrepareSandbox (added in v0.8.0)
func PrepareSandbox(cmd *exec.Cmd, cfg *ToolSandboxConfig) (*PreparedSandbox, error)
PrepareSandbox wraps an *exec.Cmd with bwrap sandboxing when enabled, returning a PreparedSandbox handle whose Run method executes it. If sandboxing is disabled (cfg is nil or cfg.Enabled is false), the command is wrapped unchanged.
When sandboxing is enabled, the command is re-created as:
bwrap <mount-args> -- <original-command-path> <original-args...>
The sandboxed process sees:
- read-only system directories (/usr, /lib, /lib64, /bin, /etc)
- /dev, /proc, /sys, /tmp
- the lmcli binary itself (read-only)
- the workspace directory mounted at /workspace (read-write)
- any additional configured bind directories
- a minimal, allowlisted environment
Notably absent: the lmcli config directory (containing API keys) and the data directory (containing the conversation database). This is a security boundary — tool code cannot access API keys or conversation history.
func (*PreparedSandbox) Run (added in v0.8.0)
func (s *PreparedSandbox) Run() error
Run executes the sandboxed command, waiting for it to complete. When user-mode networking is configured, a slirp4netns sidecar is started once the sandbox's network namespace exists and torn down when the command exits.
type SandboxConfig
type SandboxConfig struct {
	Enabled            *bool    `yaml:"enabled" default:"false"`
	RemapWorkspace     *bool    `yaml:"remapWorkspace" default:"true"`
	RemapWorkspacePath *string  `yaml:"remapWorkspacePath" default:"/workspace"`
	Networking         string   `yaml:"networking,omitempty" default:"host"`
	BindDirs           []string `yaml:"bindDirs"`
	PersistDirs        []string `yaml:"persistDirs"`
	Hosts              string   `yaml:"hosts,omitempty"`
}
SandboxConfig holds the user-facing sandbox configuration (from config.yaml).
type ToolSandboxConfig
type ToolSandboxConfig struct {
	// Enabled controls whether bwrap sandboxing is applied.
	Enabled bool
	// Workspace is the directory to bind-mount into the sandbox.
	Workspace string
	// MountPoint is the path where Workspace appears inside the sandbox.
	// When RemapWorkspace is true this is the configured remapWorkspacePath
	// (default /workspace).
	MountPoint string
	// Networking controls network access inside the sandbox. Supported values:
	// "host" — full host passthrough (default), "user" — user-mode networking
	// via slirp4netns, "none" — no network access.
	Networking string
	// BindDirs are explicit host-to-sandbox mounts (path, path:ro, src:dst, src:dst:ro).
	BindDirs []string
	// PersistDirs are paths that should appear writable inside the sandbox,
	// backed by a staging directory under $XDG_DATA_HOME/lmcli/sandbox.
	PersistDirs []string
	// Hosts is the content for /etc/hosts inside the sandbox. When empty,
	// a minimal default is used.
	Hosts string
}
ToolSandboxConfig holds the configuration needed to sandbox a single tool invocation.
func NewToolSandboxConfig
func NewToolSandboxConfig(cfg *SandboxConfig, workspace string) (*ToolSandboxConfig, error)
NewToolSandboxConfig builds a ToolSandboxConfig from the application config and a resolved workspace path. Returns a disabled config if sandboxing is not enabled or bwrap is not found on PATH.