network-victim-toolbox

command
v0.1.158 Latest
Warning

This package is not in the latest version of its module.

Published: May 2, 2026 License: MIT Imports: 8 Imported by: 0

Documentation

Overview

Command network-victim-toolbox is a TEST-ONLY plugin used by the end-to-end sandbox-enforcement tests in core/toolbox/launch.

It exposes two tools without ANY application-layer guard:

  • net.fetch — issues an outbound HTTP GET. Used to test that a deny-network sandbox blocks the syscall. (NOTE: deny-network ALSO breaks loopback gRPC, so the e2e test today gates this only when the plugin can still boot.)

  • fs.write — writes a file at a caller-supplied path. Used to test that a sandbox declaring write_paths=[X] actually blocks writes to paths outside X.

We use this test plugin instead of the real web/git toolboxes because those have application-layer guards (web's allowlist, git's repo path) that would refuse the call BEFORE the syscall, masking the OS-layer signal.
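
The masking effect described above, as an added example (not code from this module): a simulated sandbox is switched between enforcing and broken, and a guarded tool reports the same result in both states while an unguarded one reveals the difference. The names `within`, `sandbox` and `probe`, the result strings, and the paths `/work` and `/etc/probe` are assumptions made for illustration; the sandbox is a stand-in function, not real OS enforcement.

```go
package main

import (
	"errors"
	"fmt"
	"io/fs"
	"path/filepath"
	"strings"
	"syscall"
)

// within reports whether path, once cleaned, lies under one of roots.
func within(path string, roots []string) bool {
	p := filepath.Clean(path)
	for _, r := range roots {
		if r = filepath.Clean(r); p == r || strings.HasPrefix(p, r+"/") {
			return true
		}
	}
	return false
}

// sandbox simulates OS-layer write_paths enforcement (constructed stand-in for the syscall).
func sandbox(enforce bool, writePaths ...string) func(string) error {
	return func(path string) error {
		if !enforce || within(path, writePaths) {
			return nil
		}
		return &fs.PathError{Op: "open", Path: path, Err: syscall.EACCES}
	}
}

// probe reports which layer decided a write; guard == nil models fs.write (no app check).
func probe(guard []string, sys func(string) error, path string) string {
	if guard != nil && !within(path, guard) {
		return "denied-by-app" // the syscall is never attempted
	}
	if err := sys(path); errors.Is(err, fs.ErrPermission) {
		return "denied-by-os"
	} else if err != nil {
		return "error"
	}
	return "written"
}

func main() {
	g, on, off := []string{"/work"}, sandbox(true, "/work"), sandbox(false, "/work")
	fmt.Println("guarded:  ", probe(g, on, "/etc/probe"), probe(g, off, "/etc/probe"))
	fmt.Println("unguarded:", probe(nil, on, "/etc/probe"), probe(nil, off, "/etc/probe"))
}
```

A sandbox-enforcement test should assert on the unguarded row: only there does a broken sandbox change the observed outcome from `denied-by-os` to `written`.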
