test(sandbox): real-kernel bwrap integration + Linux CI setup (step 1 of #10)#142
Merged
Conversation
Step 1 of the §3.9a network-allowlist work: prove the Linux sandbox actually sandboxes on a real kernel (so far only ARG GENERATION was tested), and stand up the CI Linux harness the slirp4netns selective-allowlist work (step 2) will build on. - bwrap-integration.test.ts: spawns the real bwrap-wrapped command and asserts rw-cwd writes succeed, /etc writes fail (ro), /usr is readable, and deny-all network (allowedDomains: []) blocks outbound. Gated on `bwrap` present → runs on the Linux CI runner, skips on macOS/dev. - ci.yml: on Linux, apt-install bubblewrap + slirp4netns + curl and relax Ubuntu 24.04's unprivileged-userns AppArmor restriction so bwrap can unshare. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
The pre-existing "blocks writing outside the bound cwd" test was dormant in CI (no bwrap installed) until the new Linux sandbox-tools step activated it. Its own comment notes that /tmp inside the sandbox is a fresh tmpfs, so a write there *succeeds* (exit 0) into that ephemeral, isolated filesystem — yet the test also asserted a non-zero exit. The real security property is that the write never reaches the HOST, which the `exists === false` check already verifies. Drop the contradictory exit-code assertion; a genuine read-only-bind denial (non-zero exit) is covered by bwrap-integration.test.ts (/etc write). Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Step 1 of the §3.9a network-allowlist work. Before building the slirp4netns selective-domain allowlist, this proves the Linux sandbox actually sandboxes on a real kernel (the existing suite only tests arg generation) and stands up the CI Linux harness that step 2 will build on.
bwrap-integration.test.ts— spawns the real bwrap-wrapped command and asserts: rw-cwd writes succeed,/etcwrites fail (read-only bind),/usris readable (sandbox is usable), and deny-all network (allowedDomains: []) blocks outbound. Gated onbwrapbeing present → runs on the Linux runner, skips on macOS/dev.ci.yml— on Linux,apt-get install bubblewrap slirp4netns curland relax Ubuntu 24.04's unprivileged-userns AppArmor restriction sobwrapcan unshare namespaces.This is a verification PR — if the Linux runner can't run bwrap (userns restrictions), CI will tell us and I'll adjust before building step 2 (the slirp4netns selective allowlist) on top.
🤖 Generated with Claude Code