passepartout: v0.4.3 Shell Sandboxing & Safety Classification

- bwrap sandbox: detect bwrap binary, wrap shell commands through
  Linux namespace isolation with --unshare-net --unshare-ipc
  when available, fall back to timeout bash -c otherwise
- Severity classification: extend shell-blocked patterns with
  :catastrophic/:dangerous/:moderate/:harmless severity tiers,
  dispatcher-severity-max for tier comparison
- dispatcher-check-shell-safety: returns (:matched <names> :severity <tier>)
- Version: 0.4.2 -> 0.4.3 across handshake, ASDF, README badge
2026-05-07 17:52:32 -04:00
parent 791a0f9c3b
commit eeb1234086
10 changed files with 313 additions and 64 deletions


@@ -694,11 +694,14 @@ Rationale: Once the provider layer returns structured ~tool-calls~, the ~think()
The current shell safety is regex-based pattern matching — a fast pre-filter that catches obvious attacks but cannot contain sophisticated or encoded payloads. This version adds actual sandbox isolation (bubblewrap Linux namespaces) as the enforcement layer, and introduces severity classification so the rule learning system in v0.5.0 can apply different thresholds to catastrophic vs harmless operations.
*** TODO Add ~bwrap~ sandbox to shell actuator
*** DONE Add ~bwrap~ sandbox to shell actuator
:PROPERTIES:
:ID: id-v043-bwrap-sandbox
:CREATED: [2026-05-07 Thu]
:END:
:LOGBOOK:
- State "DONE" from "TODO" [2026-05-07 Thu 17:37]
:END:
Rationale: Regex-based shell safety catches obvious patterns (~rm -rf /~, ~dd if=~, ~mkfs.~) but is fundamentally bypassable with encoding (~base64 -d | bash~), indirection (~find / -exec rm {} \;~), or interpreter-based execution (~python3 -c "import os; os.system(...)"~). Bubblewrap (~bwrap~) is a 200KB unprivileged sandbox binary available on all modern Linux distributions. It creates transient Linux namespaces without root, without Docker, without daemon processes. Combined with the regex pre-filter, it provides defense-in-depth: the regex catches obvious attacks fast (no sandbox spawn), the sandbox contains sophisticated ones.
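Review bot: the defense-in-depth claim at the end of this rationale should also say what the fallback path named in the commit message (`timeout bash -c` when no `bwrap` binary is found) guarantees, which is only the regex pre-filter plus a timeout and no namespace containment at all; as written, "the sandbox contains sophisticated ones" reads as unconditional. The same paragraph calls `bwrap` "available on all modern Linux distributions", which sits oddly next to a fallback that exists precisely because it may be absent; "packaged by" would be accurate. It should also record which mount binds are passed alongside `--unshare-net --unshare-ipc`, since those two flags say nothing about filesystem visibility and the containment promised here depends on what is bind-mounted into the sandbox.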
@@ -710,11 +713,14 @@ Rationale: Regex-based shell safety catches obvious patterns (~rm -rf /~, ~dd if
- The regex checks remain as a fast pre-filter — they run before spawning the sandbox.
- FiveAM test: command that reads ~/etc/shadow~ inside sandbox fails with permission error; same command in unsandboxed fallback is at least caught by path protection.
*** TODO Shell safety severity classification system
*** DONE Shell safety severity classification system
:PROPERTIES:
:ID: id-v043-severity-classification
:CREATED: [2026-05-07 Thu]
:END:
:LOGBOOK:
- State "DONE" from "TODO" [2026-05-07 Thu 17:37]
:END:
Rationale: The current shell safety check treats all dangerous patterns equally — ~rm -rf /~ gets the same treatment as a backtick injection in ~echo~. But not all shell operations carry the same risk. A severity classification system enables the rule learning engine (v0.5.0) to apply different thresholds: catastrophic operations are always HITL regardless of approval count, moderate operations graduate to allowed after N approvals, harmless operations are allowed by default.
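Review bot: the FiveAM test described above ("command that reads `/etc/shadow` inside sandbox fails with permission error") does not exercise the sandbox: `/etc/shadow` is unreadable to an unprivileged user on an ordinary host, so the same command fails identically without `bwrap`, and the test would pass even if the wrapper were silently skipped. A discriminating test should check something the namespaces change, for example that an outbound connection fails under `--unshare-net`, or that a directory writable by the agent's user is absent or read-only inside the sandbox. Separately, this severity rationale describes behaviour for catastrophic, moderate and harmless operations but never states the ordering of the four tiers that `dispatcher-severity-max` relies on; a line such as `:catastrophic > :dangerous > :moderate > :harmless` belongs here so the comparison semantics are documented alongside the policy.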