Documentation
Overview
Package sandbox provides bubblewrap-based sandboxed command execution.
It wraps bwrap to run bash commands in an isolated filesystem with network access but no host filesystem access beyond explicit mounts. ExecConfig carries per-execution env vars and mounts, and is threaded through context via ContextWithExecConfig / ExecConfigFromContext so tools can access it without explicit parameter threading.
Plane: shared
Constants
This section is empty.
Variables
This section is empty.
Functions
func ContextWithExecConfig
func ContextWithExecConfig(ctx context.Context, cfg *ExecConfig) context.Context
ContextWithExecConfig stores an ExecConfig in the context.
Types
type ExecConfig
type ExecConfig struct {
	Env       []string // Extra env vars passed to the sandboxed process
	MountDirs []Mount  // Additional read-only bind mounts
}
ExecConfig holds per-execution sandbox settings.
func ExecConfigFromContext
func ExecConfigFromContext(ctx context.Context) *ExecConfig
ExecConfigFromContext retrieves the ExecConfig from the context. Returns nil if not set.
type Sandbox
type Sandbox struct {
	BwrapPath        string
	Timeout          time.Duration
	AllowUnsandboxed bool // if false (default), fail hard when bwrap is unavailable
}
Sandbox wraps bubblewrap for isolated command execution.
func (*Sandbox) Exec
func (s *Sandbox) Exec(
	ctx context.Context,
	command string,
	cfg *ExecConfig,
) (stdout, stderr string, exitCode int, err error)
Exec runs a bash command inside the bubblewrap sandbox. If bwrap is unavailable and AllowUnsandboxed is false, it returns an error. If AllowUnsandboxed is true (dev mode), it falls back to direct exec.
func (*Sandbox) IsAvailable
IsAvailable checks whether bwrap is available at the configured path.
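The fail-closed rule described for Exec, together with the read-only mounts and env vars carried by ExecConfig, shown as an added sketch that is not this package's own code. `BuildArgv`, `ErrNoSandbox`, the fields of `Mount`, the merged-/usr base layout and the sample paths are assumptions; the bwrap flags themselves are real.

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
	"strings"
)

// Mount is a hypothetical shape; the page does not show the package's Mount fields.
type Mount struct{ Source, Target string }
var ErrNoSandbox = errors.New("bwrap unavailable and unsandboxed exec not allowed")

// BuildArgv returns the argv for one bash command; with bwrap missing it fails closed unless dev mode is on.
func BuildArgv(bwrap string, available, allowUnsandboxed bool, command string, env []string, mounts []Mount) ([]string, error) {
	if !available {
		if !allowUnsandboxed {
			return nil, ErrNoSandbox
		}
		return []string{"bash", "-c", command}, nil // dev fallback: no isolation
	}
	argv := []string{bwrap, "--unshare-all", "--share-net", // new namespaces, keep network
		"--die-with-parent", "--new-session", "--clearenv",
		"--ro-bind", "/usr", "/usr", "--symlink", "usr/bin", "/bin", // assumed base layout
		"--symlink", "usr/lib", "/lib", "--symlink", "usr/lib64", "/lib64",
		"--proc", "/proc", "--dev", "/dev", "--tmpfs", "/tmp"}
	for _, m := range mounts {
		for _, p := range []string{m.Source, m.Target} {
			if !filepath.IsAbs(p) || filepath.Clean(p) != p {
				return nil, fmt.Errorf("mount path %q must be absolute and clean", p)
			}
		}
		argv = append(argv, "--ro-bind", m.Source, m.Target) // read-only, never --bind
	}
	for _, kv := range env {
		k, v, ok := strings.Cut(kv, "=")
		if !ok || k == "" {
			return nil, fmt.Errorf("env entry %q is not KEY=VALUE", kv)
		}
		argv = append(argv, "--setenv", k, v)
	}
	return append(argv, "bash", "-c", command), nil
}

func main() {
	argv, err := BuildArgv("/usr/bin/bwrap", true, false, "ls /data",
		[]string{"JOB_ID=42"}, []Mount{{"/srv/job42", "/data"}}) // constructed sample input
	fmt.Println(argv, err)
}
```

Because of `--clearenv`, only the variables listed in `env` reach the sandboxed process, so host secrets in the parent environment are not inherited.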