This commit lands a broad host-security architecture update focused on enforceable sandbox execution, clearer permission semantics, and operator usability. Core execution/security changes - Introduce and wire a unified host sandbox runner for multi-OS execution: - macOS: sandbox-exec - Linux: bubblewrap + seccomp - Windows: WSL2 path - Remove silent fallback behavior in failure paths; sandbox-unavailable cases now fail closed instead of dropping to unsafe host execution. - Ensure host execution mode (sandbox/direct) is propagated consistently into runtime components, including sub-agent startup. Permission mode model upgrade - Rework readonly/approval behavior for run_command from brittle command-text gating to execution-layer enforcement: - readonly: run_command executes in read-only sandbox profile. - approval: run_command first executes read-only; when permission-denied is detected, request approval and retry once with writable sandbox for that single call. - Tool loop now returns final post-approval execution result, not intermediate permission-denied payloads. - Update permission-mode system messaging to describe user-visible behavior without exposing internal implementation details. Path authorization system - Add dynamic host policy module and persisted policy file. - Support dual path classes: - writable_paths (read+write) - readable_extra_paths (read-only) - Enforce file access in file_manager by access type (read vs write) under host mode. - Add host-only frontend 路径授权 management dialog (settings三级菜单入口), including mode switch between 可读可写 and 仅可读 with separate drafts and save flow. Sub-agent and terminal alignment - Sub-agent process launch now respects host execution mode and sandbox controls in host mode. - Keep terminal session model compatible with sandbox-first behavior and execution-mode propagation. Tool surface updates - Remove legacy file-management tools from active tool definitions (create_file/create_folder/rename_file/delete_file) while preserving historical conversation compatibility. Docs updates - Add dedicated architecture doc: docs/host_sandbox_and_permission_model.md - Refresh README and AGENTS sections to reflect updated permission/execution model and path-authorization semantics. Validation performed - python unittest smoke suite passes: test.test_server_refactor_smoke - frontend build passes: npm run build - syntax checks for touched Python modules completed
225 lines
8.5 KiB
Python
225 lines
8.5 KiB
Python
from __future__ import annotations
|
||
|
||
import os
|
||
import platform
|
||
import shutil
|
||
import shlex
|
||
from dataclasses import dataclass
|
||
from pathlib import Path
|
||
from typing import Dict, List, Optional
|
||
from modules.host_sandbox_policy import get_macos_writable_paths
|
||
|
||
|
||
@dataclass
|
||
class SandboxPlan:
|
||
command: List[str]
|
||
env: Dict[str, str]
|
||
cwd: Optional[str] = None
|
||
seccomp_bpf_path: Optional[str] = None
|
||
|
||
|
||
class HostSandboxError(RuntimeError):
|
||
pass
|
||
|
||
|
||
def _truthy(name: str, default: str = "1") -> bool:
|
||
return os.environ.get(name, default).strip().lower() not in {"0", "false", "no", "off"}
|
||
|
||
|
||
def host_sandbox_enabled() -> bool:
|
||
return _truthy("HOST_SANDBOX_ENABLED", "1")
|
||
|
||
|
||
def build_host_sandbox_plan(command: str, work_path: Path, env: Dict[str, str]) -> SandboxPlan:
|
||
system = platform.system()
|
||
if system == "Darwin":
|
||
return _build_macos_plan(command, work_path, env)
|
||
if system == "Linux":
|
||
return _build_linux_plan(command, work_path, env)
|
||
if system == "Windows":
|
||
return _build_windows_plan(command, work_path, env)
|
||
raise HostSandboxError(f"不支持的宿主机系统: {system}")
|
||
|
||
|
||
def build_host_sandbox_readonly_plan(command: str, work_path: Path, env: Dict[str, str]) -> SandboxPlan:
|
||
system = platform.system()
|
||
if system == "Darwin":
|
||
return _build_macos_readonly_plan(command, work_path, env)
|
||
if system == "Linux":
|
||
return _build_linux_readonly_plan(command, work_path, env)
|
||
if system == "Windows":
|
||
return _build_windows_plan(command, work_path, env)
|
||
raise HostSandboxError(f"不支持的宿主机系统: {system}")
|
||
|
||
def build_host_sandbox_shell_plan(work_path: Path, env: Dict[str, str]) -> SandboxPlan:
|
||
system = platform.system()
|
||
if system == "Darwin":
|
||
return _build_macos_shell_plan(work_path, env)
|
||
if system == "Linux":
|
||
return _build_linux_shell_plan(work_path, env)
|
||
if system == "Windows":
|
||
return _build_windows_shell_plan(work_path, env)
|
||
raise HostSandboxError(f"不支持的宿主机系统: {system}")
|
||
|
||
|
||
def _build_macos_plan(command: str, work_path: Path, env: Dict[str, str]) -> SandboxPlan:
|
||
sandbox_exec = shutil.which("sandbox-exec")
|
||
if not sandbox_exec:
|
||
raise HostSandboxError("macOS 未找到 sandbox-exec,拒绝执行宿主机命令。")
|
||
profile = _macos_profile_for_workspace(work_path)
|
||
cmd = [sandbox_exec, "-p", profile, "/bin/bash", "-lc", command]
|
||
return SandboxPlan(command=cmd, env=env, cwd=str(work_path))
|
||
|
||
|
||
def _build_macos_readonly_plan(command: str, work_path: Path, env: Dict[str, str]) -> SandboxPlan:
|
||
sandbox_exec = shutil.which("sandbox-exec")
|
||
if not sandbox_exec:
|
||
raise HostSandboxError("macOS 未找到 sandbox-exec,拒绝执行宿主机命令。")
|
||
profile = (
|
||
'(version 1) '
|
||
'(deny default) '
|
||
'(allow sysctl-read) '
|
||
'(allow process*) '
|
||
'(allow network*) '
|
||
'(allow file-read*) '
|
||
'(allow file-write* (literal "/dev/null"))'
|
||
)
|
||
cmd = [sandbox_exec, "-p", profile, "/bin/bash", "-lc", command]
|
||
return SandboxPlan(command=cmd, env=env, cwd=str(work_path))
|
||
|
||
def _build_macos_shell_plan(work_path: Path, env: Dict[str, str]) -> SandboxPlan:
|
||
sandbox_exec = shutil.which("sandbox-exec")
|
||
if not sandbox_exec:
|
||
raise HostSandboxError("macOS 未找到 sandbox-exec,拒绝启动宿主机沙箱终端。")
|
||
profile = _macos_profile_for_workspace(work_path)
|
||
cmd = [sandbox_exec, "-p", profile, "/bin/bash", "-i"]
|
||
return SandboxPlan(command=cmd, env=env, cwd=str(work_path))
|
||
|
||
def _macos_profile_for_workspace(work_path: Path) -> str:
|
||
workspace = str(work_path.resolve())
|
||
writable_paths = [workspace, "/tmp", "/private/tmp", "/dev/null"]
|
||
for raw in get_macos_writable_paths():
|
||
try:
|
||
expanded = str(Path(raw).expanduser().resolve())
|
||
except Exception:
|
||
continue
|
||
if expanded not in writable_paths:
|
||
writable_paths.append(expanded)
|
||
write_rules: list[str] = []
|
||
for entry in writable_paths:
|
||
if entry == "/dev/null":
|
||
write_rules.append('(literal "/dev/null")')
|
||
else:
|
||
write_rules.append(f'(subpath "{entry}")')
|
||
write_expr = " ".join(write_rules)
|
||
return (
|
||
'(version 1) '
|
||
'(deny default) '
|
||
'(allow sysctl-read) '
|
||
'(allow process*) '
|
||
'(allow network*) '
|
||
'(allow file-read*) '
|
||
f'(allow file-write* {write_expr})'
|
||
)
|
||
|
||
|
||
def _build_linux_plan(command: str, work_path: Path, env: Dict[str, str]) -> SandboxPlan:
|
||
bwrap = shutil.which("bwrap")
|
||
if not bwrap:
|
||
raise HostSandboxError("Linux 未找到 bubblewrap(bwrap),拒绝执行宿主机命令。")
|
||
|
||
seccomp_bpf = os.environ.get("HOST_SANDBOX_LINUX_SECCOMP_BPF", "").strip()
|
||
if not seccomp_bpf:
|
||
raise HostSandboxError("Linux 缺少 HOST_SANDBOX_LINUX_SECCOMP_BPF,拒绝执行宿主机命令。")
|
||
seccomp_path = Path(seccomp_bpf).expanduser().resolve()
|
||
if not seccomp_path.exists():
|
||
raise HostSandboxError(f"seccomp BPF 文件不存在: {seccomp_path}")
|
||
shell_cmd = ["/bin/bash", "-lc", command]
|
||
return _build_linux_common_plan(work_path, env, shell_cmd, seccomp_path)
|
||
|
||
|
||
def _build_linux_readonly_plan(command: str, work_path: Path, env: Dict[str, str]) -> SandboxPlan:
|
||
bwrap = shutil.which("bwrap")
|
||
if not bwrap:
|
||
raise HostSandboxError("Linux 未找到 bubblewrap(bwrap),拒绝执行宿主机命令。")
|
||
seccomp_bpf = os.environ.get("HOST_SANDBOX_LINUX_SECCOMP_BPF", "").strip()
|
||
if not seccomp_bpf:
|
||
raise HostSandboxError("Linux 缺少 HOST_SANDBOX_LINUX_SECCOMP_BPF,拒绝执行宿主机命令。")
|
||
seccomp_path = Path(seccomp_bpf).expanduser().resolve()
|
||
if not seccomp_path.exists():
|
||
raise HostSandboxError(f"seccomp BPF 文件不存在: {seccomp_path}")
|
||
shell_cmd = ["/bin/bash", "-lc", command]
|
||
return _build_linux_common_plan(work_path, env, shell_cmd, seccomp_path, readonly=True)
|
||
|
||
def _build_linux_shell_plan(work_path: Path, env: Dict[str, str]) -> SandboxPlan:
|
||
bwrap = shutil.which("bwrap")
|
||
if not bwrap:
|
||
raise HostSandboxError("Linux 未找到 bubblewrap(bwrap),拒绝启动宿主机沙箱终端。")
|
||
seccomp_bpf = os.environ.get("HOST_SANDBOX_LINUX_SECCOMP_BPF", "").strip()
|
||
if not seccomp_bpf:
|
||
raise HostSandboxError("Linux 缺少 HOST_SANDBOX_LINUX_SECCOMP_BPF,拒绝启动宿主机沙箱终端。")
|
||
seccomp_path = Path(seccomp_bpf).expanduser().resolve()
|
||
if not seccomp_path.exists():
|
||
raise HostSandboxError(f"seccomp BPF 文件不存在: {seccomp_path}")
|
||
shell_cmd = ["/bin/bash", "-i"]
|
||
return _build_linux_common_plan(work_path, env, shell_cmd, seccomp_path)
|
||
|
||
def _build_linux_common_plan(
|
||
work_path: Path,
|
||
env: Dict[str, str],
|
||
shell_cmd: List[str],
|
||
seccomp_path: Path,
|
||
readonly: bool = False,
|
||
) -> SandboxPlan:
|
||
bwrap = shutil.which("bwrap")
|
||
if not bwrap:
|
||
raise HostSandboxError("Linux 未找到 bubblewrap(bwrap)。")
|
||
sandbox_root = str(work_path.resolve())
|
||
cmd: List[str] = [
|
||
bwrap,
|
||
"--die-with-parent",
|
||
"--new-session",
|
||
"--unshare-all",
|
||
"--share-net",
|
||
"--ro-bind",
|
||
"/",
|
||
"/",
|
||
]
|
||
if readonly:
|
||
cmd.extend(["--ro-bind", sandbox_root, sandbox_root])
|
||
else:
|
||
cmd.extend(["--bind", sandbox_root, sandbox_root])
|
||
cmd.extend([
|
||
"--chdir",
|
||
sandbox_root,
|
||
"--proc",
|
||
"/proc",
|
||
"--dev",
|
||
"/dev",
|
||
"--tmpfs",
|
||
"/tmp",
|
||
"--seccomp",
|
||
"__SECCOMP_FD__",
|
||
*shell_cmd,
|
||
])
|
||
return SandboxPlan(command=cmd, env=env, cwd=sandbox_root, seccomp_bpf_path=str(seccomp_path))
|
||
|
||
|
||
def _build_windows_plan(command: str, work_path: Path, env: Dict[str, str]) -> SandboxPlan:
|
||
wsl = shutil.which("wsl.exe")
|
||
if not wsl:
|
||
raise HostSandboxError("Windows 未找到 wsl.exe(WSL2),拒绝执行宿主机命令。")
|
||
work = shlex.quote(str(work_path))
|
||
shell = f"cd {work} && {command}"
|
||
cmd = [wsl, "bash", "-lc", shell]
|
||
return SandboxPlan(command=cmd, env=env, cwd=str(work_path))
|
||
|
||
def _build_windows_shell_plan(work_path: Path, env: Dict[str, str]) -> SandboxPlan:
|
||
wsl = shutil.which("wsl.exe")
|
||
if not wsl:
|
||
raise HostSandboxError("Windows 未找到 wsl.exe(WSL2),拒绝启动宿主机沙箱终端。")
|
||
work = shlex.quote(str(work_path))
|
||
shell = f"cd {work} && exec bash -i"
|
||
cmd = [wsl, "bash", "-lc", shell]
|
||
return SandboxPlan(command=cmd, env=env, cwd=str(work_path))
|