From cef0f3f988372caee95b1436df35bcfae1ccda24 Mon Sep 17 00:00:00 2001 From: Xubin Ren Date: Sun, 5 Apr 2026 19:03:06 +0000 Subject: [PATCH] refactor: replace podman-seccomp.json with minimal cap_add, harden bwrap, add sandbox tests --- docker-compose.yml | 6 +- nanobot/agent/tools/sandbox.py | 2 +- podman-seccomp.json | 1129 -------------------------------- tests/tools/test_sandbox.py | 105 +++ 4 files changed, 111 insertions(+), 1131 deletions(-) delete mode 100644 podman-seccomp.json create mode 100644 tests/tools/test_sandbox.py diff --git a/docker-compose.yml b/docker-compose.yml index 88b9f4d07..2b2c9acd1 100644 --- a/docker-compose.yml +++ b/docker-compose.yml @@ -4,9 +4,13 @@ x-common-config: &common-config dockerfile: Dockerfile volumes: - ~/.nanobot:/home/nanobot/.nanobot + cap_drop: + - ALL + cap_add: + - SYS_ADMIN security_opt: - apparmor=unconfined - - seccomp=./podman-seccomp.json + - seccomp=unconfined services: nanobot-gateway: diff --git a/nanobot/agent/tools/sandbox.py b/nanobot/agent/tools/sandbox.py index 67818ec00..25f869daa 100644 --- a/nanobot/agent/tools/sandbox.py +++ b/nanobot/agent/tools/sandbox.py @@ -25,7 +25,7 @@ def _bwrap(command: str, workspace: str, cwd: str) -> str: optional = ["/bin", "/lib", "/lib64", "/etc/alternatives", "/etc/ssl/certs", "/etc/resolv.conf", "/etc/ld.so.cache"] - args = ["bwrap"] + args = ["bwrap", "--new-session", "--die-with-parent"] for p in required: args += ["--ro-bind", p, p] for p in optional: args += ["--ro-bind-try", p, p] args += [ diff --git a/podman-seccomp.json b/podman-seccomp.json deleted file mode 100644 index 92d882b5c..000000000 --- a/podman-seccomp.json +++ /dev/null @@ -1,1129 +0,0 @@ -{ - "defaultAction": "SCMP_ACT_ERRNO", - "defaultErrnoRet": 38, - "defaultErrno": "ENOSYS", - "archMap": [ - { - "architecture": "SCMP_ARCH_X86_64", - "subArchitectures": [ - "SCMP_ARCH_X86", - "SCMP_ARCH_X32" - ] - }, - { - "architecture": "SCMP_ARCH_AARCH64", - "subArchitectures": [ - "SCMP_ARCH_ARM" - ] - }, - { - "architecture": "SCMP_ARCH_MIPS64", - "subArchitectures": [ - "SCMP_ARCH_MIPS", - "SCMP_ARCH_MIPS64N32" - ] - }, - { - "architecture": "SCMP_ARCH_MIPS64N32", - "subArchitectures": [ - "SCMP_ARCH_MIPS", - "SCMP_ARCH_MIPS64" - ] - }, - { - "architecture": "SCMP_ARCH_MIPSEL64", - "subArchitectures": [ - "SCMP_ARCH_MIPSEL", - "SCMP_ARCH_MIPSEL64N32" - ] - }, - { - "architecture": "SCMP_ARCH_MIPSEL64N32", - "subArchitectures": [ - "SCMP_ARCH_MIPSEL", - "SCMP_ARCH_MIPSEL64" - ] - }, - { - "architecture": "SCMP_ARCH_S390X", - "subArchitectures": [ - "SCMP_ARCH_S390" - ] - } - ], - "syscalls": [ - { - "names": [ - "bdflush", - "cachestat", - "futex_requeue", - "futex_wait", - "futex_waitv", - "futex_wake", - "io_pgetevents", - "io_pgetevents_time64", - "kexec_file_load", - "kexec_load", - "map_shadow_stack", - "migrate_pages", - "move_pages", - "nfsservctl", - "nice", - "oldfstat", - "oldlstat", - "oldolduname", - "oldstat", - "olduname", - "pciconfig_iobase", - "pciconfig_read", - "pciconfig_write", - "sgetmask", - "ssetmask", - "swapoff", - "swapon", - "syscall", - "sysfs", - "uselib", - "userfaultfd", - "ustat", - "vm86", - "vm86old", - "vmsplice" - ], - "action": "SCMP_ACT_ERRNO", - "args": [], - "comment": "", - "includes": {}, - "excludes": {}, - "errnoRet": 1, - "errno": "EPERM" - }, - { - "names": [ - "_llseek", - "_newselect", - "accept", - "accept4", - "access", - "adjtimex", - "alarm", - "bind", - "brk", - "capget", - "capset", - "chdir", - "chmod", - "chown", - "chown32", - "clock_adjtime", - "clock_adjtime64", - "clock_getres", - "clock_getres_time64", - "clock_gettime", - "clock_gettime64", - "clock_nanosleep", - "clock_nanosleep_time64", - "clone", - "clone3", - "close", - "close_range", - "connect", - "copy_file_range", - "creat", - "dup", - "dup2", - "dup3", - "epoll_create", - "epoll_create1", - "epoll_ctl", - "epoll_ctl_old", - "epoll_pwait", - "epoll_pwait2", - "epoll_wait", - "epoll_wait_old", - "eventfd", - "eventfd2", - "execve", - "execveat", - "exit", - "exit_group", - "faccessat", - "faccessat2", - "fadvise64", - "fadvise64_64", - "fallocate", - "fanotify_init", - "fanotify_mark", - "fchdir", - "fchmod", - "fchmodat", - "fchmodat2", - "fchown", - "fchown32", - "fchownat", - "fcntl", - "fcntl64", - "fdatasync", - "fgetxattr", - "flistxattr", - "flock", - "fork", - "fremovexattr", - "fsconfig", - "fsetxattr", - "fsmount", - "fsopen", - "fspick", - "fstat", - "fstat64", - "fstatat64", - "fstatfs", - "fstatfs64", - "fsync", - "ftruncate", - "ftruncate64", - "futex", - "futex_time64", - "futimesat", - "get_mempolicy", - "get_robust_list", - "get_thread_area", - "getcpu", - "getcwd", - "getdents", - "getdents64", - "getegid", - "getegid32", - "geteuid", - "geteuid32", - "getgid", - "getgid32", - "getgroups", - "getgroups32", - "getitimer", - "getpeername", - "getpgid", - "getpgrp", - "getpid", - "getppid", - "getpriority", - "getrandom", - "getresgid", - "getresgid32", - "getresuid", - "getresuid32", - "getrlimit", - "getrusage", - "getsid", - "getsockname", - "getsockopt", - "gettid", - "gettimeofday", - "getuid", - "getuid32", - "getxattr", - "inotify_add_watch", - "inotify_init", - "inotify_init1", - "inotify_rm_watch", - "io_cancel", - "io_destroy", - "io_getevents", - "io_setup", - "io_submit", - "ioctl", - "ioprio_get", - "ioprio_set", - "ipc", - "keyctl", - "kill", - "landlock_add_rule", - "landlock_create_ruleset", - "landlock_restrict_self", - "lchown", - "lchown32", - "lgetxattr", - "link", - "linkat", - "listen", - "listxattr", - "llistxattr", - "lremovexattr", - "lseek", - "lsetxattr", - "lstat", - "lstat64", - "madvise", - "mbind", - "membarrier", - "memfd_create", - "memfd_secret", - "mincore", - "mkdir", - "mkdirat", - "mknod", - "mknodat", - "mlock", - "mlock2", - "mlockall", - "mmap", - "mmap2", - "mount", - "mount_setattr", - "move_mount", - "mprotect", - "mq_getsetattr", - "mq_notify", - "mq_open", - "mq_timedreceive", - "mq_timedreceive_time64", - "mq_timedsend", - "mq_timedsend_time64", - "mq_unlink", - "mremap", - "msgctl", - "msgget", - "msgrcv", - "msgsnd", - "msync", - "munlock", - "munlockall", - "munmap", - "name_to_handle_at", - "nanosleep", - "newfstatat", - "open", - "open_tree", - "openat", - "openat2", - "pause", - "pidfd_getfd", - "pidfd_open", - "pidfd_send_signal", - "pipe", - "pipe2", - "pivot_root", - "pkey_alloc", - "pkey_free", - "pkey_mprotect", - "poll", - "ppoll", - "ppoll_time64", - "prctl", - "pread64", - "preadv", - "preadv2", - "prlimit64", - "process_mrelease", - "process_vm_readv", - "process_vm_writev", - "pselect6", - "pselect6_time64", - "ptrace", - "pwrite64", - "pwritev", - "pwritev2", - "read", - "readahead", - "readlink", - "readlinkat", - "readv", - "reboot", - "recv", - "recvfrom", - "recvmmsg", - "recvmmsg_time64", - "recvmsg", - "remap_file_pages", - "removexattr", - "rename", - "renameat", - "renameat2", - "restart_syscall", - "rmdir", - "rseq", - "rt_sigaction", - "rt_sigpending", - "rt_sigprocmask", - "rt_sigqueueinfo", - "rt_sigreturn", - "rt_sigsuspend", - "rt_sigtimedwait", - "rt_sigtimedwait_time64", - "rt_tgsigqueueinfo", - "sched_get_priority_max", - "sched_get_priority_min", - "sched_getaffinity", - "sched_getattr", - "sched_getparam", - "sched_getscheduler", - "sched_rr_get_interval", - "sched_rr_get_interval_time64", - "sched_setaffinity", - "sched_setattr", - "sched_setparam", - "sched_setscheduler", - "sched_yield", - "seccomp", - "select", - "semctl", - "semget", - "semop", - "semtimedop", - "semtimedop_time64", - "send", - "sendfile", - "sendfile64", - "sendmmsg", - "sendmsg", - "sendto", - "set_mempolicy", - "set_robust_list", - "set_thread_area", - "set_tid_address", - "setfsgid", - "setfsgid32", - "setfsuid", - "setfsuid32", - "setgid", - "setgid32", - "setgroups", - "setgroups32", - "setitimer", - "setns", - "setpgid", - "setpriority", - "setregid", - "setregid32", - "setresgid", - "setresgid32", - "setresuid", - "setresuid32", - "setreuid", - "setreuid32", - "setrlimit", - "setsid", - "setsockopt", - "setuid", - "setuid32", - "setxattr", - "shmat", - "shmctl", - "shmdt", - "shmget", - "shutdown", - "sigaltstack", - "signal", - "signalfd", - "signalfd4", - "sigprocmask", - "sigreturn", - "socketcall", - "socketpair", - "splice", - "stat", - "stat64", - "statfs", - "statfs64", - "statx", - "symlink", - "symlinkat", - "sync", - "sync_file_range", - "syncfs", - "sysinfo", - "syslog", - "tee", - "tgkill", - "time", - "timer_create", - "timer_delete", - "timer_getoverrun", - "timer_gettime", - "timer_gettime64", - "timer_settime", - "timer_settime64", - "timerfd_create", - "timerfd_gettime", - "timerfd_gettime64", - "timerfd_settime", - "timerfd_settime64", - "times", - "tkill", - "truncate", - "truncate64", - "ugetrlimit", - "umask", - "umount", - "umount2", - "uname", - "unlink", - "unlinkat", - "unshare", - "utime", - "utimensat", - "utimensat_time64", - "utimes", - "vfork", - "wait4", - "waitid", - "waitpid", - "write", - "writev" - ], - "action": "SCMP_ACT_ALLOW", - "args": [], - "comment": "", - "includes": {}, - "excludes": {} - }, - { - "names": [ - "personality" - ], - "action": "SCMP_ACT_ALLOW", - "args": [ - { - "index": 0, - "value": 0, - "valueTwo": 0, - "op": "SCMP_CMP_EQ" - } - ], - "comment": "", - "includes": {}, - "excludes": {} - }, - { - "names": [ - "personality" - ], - "action": "SCMP_ACT_ALLOW", - "args": [ - { - "index": 0, - "value": 8, - "valueTwo": 0, - "op": "SCMP_CMP_EQ" - } - ], - "comment": "", - "includes": {}, - "excludes": {} - }, - { - "names": [ - "personality" - ], - "action": "SCMP_ACT_ALLOW", - "args": [ - { - "index": 0, - "value": 131072, - "valueTwo": 0, - "op": "SCMP_CMP_EQ" - } - ], - "comment": "", - "includes": {}, - "excludes": {} - }, - { - "names": [ - "personality" - ], - "action": "SCMP_ACT_ALLOW", - "args": [ - { - "index": 0, - "value": 131080, - "valueTwo": 0, - "op": "SCMP_CMP_EQ" - } - ], - "comment": "", - "includes": {}, - "excludes": {} - }, - { - "names": [ - "personality" - ], - "action": "SCMP_ACT_ALLOW", - "args": [ - { - "index": 0, - "value": 4294967295, - "valueTwo": 0, - "op": "SCMP_CMP_EQ" - } - ], - "comment": "", - "includes": {}, - "excludes": {} - }, - { - "names": [ - "sync_file_range2", - "swapcontext" - ], - "action": "SCMP_ACT_ALLOW", - "args": [], - "comment": "", - "includes": { - "arches": [ - "ppc64le" - ] - }, - "excludes": {} - }, - { - "names": [ - "arm_fadvise64_64", - "arm_sync_file_range", - "breakpoint", - "cacheflush", - "set_tls", - "sync_file_range2" - ], - "action": "SCMP_ACT_ALLOW", - "args": [], - "comment": "", - "includes": { - "arches": [ - "arm", - "arm64" - ] - }, - "excludes": {} - }, - { - "names": [ - "arch_prctl" - ], - "action": "SCMP_ACT_ALLOW", - "args": [], - "comment": "", - "includes": { - "arches": [ - "amd64", - "x32" - ] - }, - "excludes": {} - }, - { - "names": [ - "modify_ldt" - ], - "action": "SCMP_ACT_ALLOW", - "args": [], - "comment": "", - "includes": { - "arches": [ - "amd64", - "x32", - "x86" - ] - }, - "excludes": {} - }, - { - "names": [ - "s390_pci_mmio_read", - "s390_pci_mmio_write", - "s390_runtime_instr" - ], - "action": "SCMP_ACT_ALLOW", - "args": [], - "comment": "", - "includes": { - "arches": [ - "s390", - "s390x" - ] - }, - "excludes": {} - }, - { - "names": [ - "riscv_flush_icache" - ], - "action": "SCMP_ACT_ALLOW", - "args": [], - "comment": "", - "includes": { - "arches": [ - "riscv64" - ] - }, - "excludes": {} - }, - { - "names": [ - "open_by_handle_at" - ], - "action": "SCMP_ACT_ALLOW", - "args": [], - "comment": "", - "includes": { - "caps": [ - "CAP_DAC_READ_SEARCH" - ] - }, - "excludes": {} - }, - { - "names": [ - "open_by_handle_at" - ], - "action": "SCMP_ACT_ERRNO", - "args": [], - "comment": "", - "includes": {}, - "excludes": { - "caps": [ - "CAP_DAC_READ_SEARCH" - ] - }, - "errnoRet": 1, - "errno": "EPERM" - }, - { - "names": [ - "bpf", - "lookup_dcookie", - "quotactl", - "quotactl_fd", - "setdomainname", - "sethostname", - "setns" - ], - "action": "SCMP_ACT_ALLOW", - "args": [], - "comment": "", - "includes": { - "caps": [ - "CAP_SYS_ADMIN" - ] - }, - "excludes": {} - }, - { - "names": [ - "lookup_dcookie", - "perf_event_open", - "quotactl", - "quotactl_fd", - "setdomainname", - "sethostname", - "setns" - ], - "action": "SCMP_ACT_ERRNO", - "args": [], - "comment": "", - "includes": {}, - "excludes": { - "caps": [ - "CAP_SYS_ADMIN" - ] - }, - "errnoRet": 1, - "errno": "EPERM" - }, - { - "names": [ - "chroot" - ], - "action": "SCMP_ACT_ALLOW", - "args": [], - "comment": "", - "includes": { - "caps": [ - "CAP_SYS_CHROOT" - ] - }, - "excludes": {} - }, - { - "names": [ - "chroot" - ], - "action": "SCMP_ACT_ERRNO", - "args": [], - "comment": "", - "includes": {}, - "excludes": { - "caps": [ - "CAP_SYS_CHROOT" - ] - }, - "errnoRet": 1, - "errno": "EPERM" - }, - { - "names": [ - "delete_module", - "finit_module", - "init_module", - "query_module" - ], - "action": "SCMP_ACT_ALLOW", - "args": [], - "comment": "", - "includes": { - "caps": [ - "CAP_SYS_MODULE" - ] - }, - "excludes": {} - }, - { - "names": [ - "delete_module", - "finit_module", - "init_module", - "query_module" - ], - "action": "SCMP_ACT_ERRNO", - "args": [], - "comment": "", - "includes": {}, - "excludes": { - "caps": [ - "CAP_SYS_MODULE" - ] - }, - "errnoRet": 1, - "errno": "EPERM" - }, - { - "names": [ - "acct" - ], - "action": "SCMP_ACT_ALLOW", - "args": [], - "comment": "", - "includes": { - "caps": [ - "CAP_SYS_PACCT" - ] - }, - "excludes": {} - }, - { - "names": [ - "acct" - ], - "action": "SCMP_ACT_ERRNO", - "args": [], - "comment": "", - "includes": {}, - "excludes": { - "caps": [ - "CAP_SYS_PACCT" - ] - }, - "errnoRet": 1, - "errno": "EPERM" - }, - { - "names": [ - "kcmp", - "process_madvise" - ], - "action": "SCMP_ACT_ALLOW", - "args": [], - "comment": "", - "includes": { - "caps": [ - "CAP_SYS_PTRACE" - ] - }, - "excludes": {} - }, - { - "names": [ - "kcmp", - "process_madvise" - ], - "action": "SCMP_ACT_ERRNO", - "args": [], - "comment": "", - "includes": {}, - "excludes": { - "caps": [ - "CAP_SYS_PTRACE" - ] - }, - "errnoRet": 1, - "errno": "EPERM" - }, - { - "names": [ - "ioperm", - "iopl" - ], - "action": "SCMP_ACT_ALLOW", - "args": [], - "comment": "", - "includes": { - "caps": [ - "CAP_SYS_RAWIO" - ] - }, - "excludes": {} - }, - { - "names": [ - "ioperm", - "iopl" - ], - "action": "SCMP_ACT_ERRNO", - "args": [], - "comment": "", - "includes": {}, - "excludes": { - "caps": [ - "CAP_SYS_RAWIO" - ] - }, - "errnoRet": 1, - "errno": "EPERM" - }, - { - "names": [ - "clock_settime", - "clock_settime64", - "settimeofday", - "stime" - ], - "action": "SCMP_ACT_ALLOW", - "args": [], - "comment": "", - "includes": { - "caps": [ - "CAP_SYS_TIME" - ] - }, - "excludes": {} - }, - { - "names": [ - "clock_settime", - "clock_settime64", - "settimeofday", - "stime" - ], - "action": "SCMP_ACT_ERRNO", - "args": [], - "comment": "", - "includes": {}, - "excludes": { - "caps": [ - "CAP_SYS_TIME" - ] - }, - "errnoRet": 1, - "errno": "EPERM" - }, - { - "names": [ - "vhangup" - ], - "action": "SCMP_ACT_ALLOW", - "args": [], - "comment": "", - "includes": { - "caps": [ - "CAP_SYS_TTY_CONFIG" - ] - }, - "excludes": {} - }, - { - "names": [ - "vhangup" - ], - "action": "SCMP_ACT_ERRNO", - "args": [], - "comment": "", - "includes": {}, - "excludes": { - "caps": [ - "CAP_SYS_TTY_CONFIG" - ] - }, - "errnoRet": 1, - "errno": "EPERM" - }, - { - "names": [ - "socket" - ], - "action": "SCMP_ACT_ERRNO", - "args": [ - { - "index": 0, - "value": 16, - "valueTwo": 0, - "op": "SCMP_CMP_EQ" - }, - { - "index": 2, - "value": 9, - "valueTwo": 0, - "op": "SCMP_CMP_EQ" - } - ], - "comment": "", - "includes": {}, - "excludes": { - "caps": [ - "CAP_AUDIT_WRITE" - ] - }, - "errnoRet": 22, - "errno": "EINVAL" - }, - { - "names": [ - "socket" - ], - "action": "SCMP_ACT_ALLOW", - "args": [ - { - "index": 2, - "value": 9, - "valueTwo": 0, - "op": "SCMP_CMP_NE" - } - ], - "comment": "", - "includes": {}, - "excludes": { - "caps": [ - "CAP_AUDIT_WRITE" - ] - } - }, - { - "names": [ - "socket" - ], - "action": "SCMP_ACT_ALLOW", - "args": [ - { - "index": 0, - "value": 16, - "valueTwo": 0, - "op": "SCMP_CMP_NE" - } - ], - "comment": "", - "includes": {}, - "excludes": { - "caps": [ - "CAP_AUDIT_WRITE" - ] - } - }, - { - "names": [ - "socket" - ], - "action": "SCMP_ACT_ALLOW", - "args": [ - { - "index": 2, - "value": 9, - "valueTwo": 0, - "op": "SCMP_CMP_NE" - } - ], - "comment": "", - "includes": {}, - "excludes": { - "caps": [ - "CAP_AUDIT_WRITE" - ] - } - }, - { - "names": [ - "socket" - ], - "action": "SCMP_ACT_ALLOW", - "args": null, - "comment": "", - "includes": { - "caps": [ - "CAP_AUDIT_WRITE" - ] - }, - "excludes": {} - }, - { - "names": [ - "bpf" - ], - "action": "SCMP_ACT_ERRNO", - "args": [], - "comment": "", - "includes": {}, - "excludes": { - "caps": [ - "CAP_SYS_ADMIN", - "CAP_BPF" - ] - }, - "errnoRet": 1, - "errno": "EPERM" - }, - { - "names": [ - "bpf" - ], - "action": "SCMP_ACT_ALLOW", - "args": [], - "comment": "", - "includes": { - "caps": [ - "CAP_BPF" - ] - }, - "excludes": {} - }, - { - "names": [ - "perf_event_open" - ], - "action": "SCMP_ACT_ERRNO", - "args": [], - "comment": "", - "includes": {}, - "excludes": { - "caps": [ - "CAP_SYS_ADMIN", - "CAP_BPF" - ] - }, - "errnoRet": 1, - "errno": "EPERM" - }, - { - "names": [ - "perf_event_open" - ], - "action": "SCMP_ACT_ALLOW", - "args": [], - "comment": "", - "includes": { - "caps": [ - "CAP_PERFMON" - ] - }, - "excludes": {} - } - ] -} \ No newline at end of file diff --git a/tests/tools/test_sandbox.py b/tests/tools/test_sandbox.py new file mode 100644 index 000000000..315bcf7c8 --- /dev/null +++ b/tests/tools/test_sandbox.py @@ -0,0 +1,105 @@ +"""Tests for nanobot.agent.tools.sandbox.""" + +import shlex + +import pytest + +from nanobot.agent.tools.sandbox import wrap_command + + +def _parse(cmd: str) -> list[str]: + """Split a wrapped command back into tokens for assertion.""" + return shlex.split(cmd) + + +class TestBwrapBackend: + def test_basic_structure(self, tmp_path): + ws = str(tmp_path / "project") + result = wrap_command("bwrap", "echo hi", ws, ws) + tokens = _parse(result) + + assert tokens[0] == "bwrap" + assert "--new-session" in tokens + assert "--die-with-parent" in tokens + assert "--ro-bind" in tokens + assert "--proc" in tokens + assert "--dev" in tokens + assert "--tmpfs" in tokens + + sep = tokens.index("--") + assert tokens[sep + 1:] == ["sh", "-c", "echo hi"] + + def test_workspace_bind_mounted_rw(self, tmp_path): + ws = str(tmp_path / "project") + result = wrap_command("bwrap", "ls", ws, ws) + tokens = _parse(result) + + bind_idx = [i for i, t in enumerate(tokens) if t == "--bind"] + assert any(tokens[i + 1] == ws and tokens[i + 2] == ws for i in bind_idx) + + def test_parent_dir_masked_with_tmpfs(self, tmp_path): + ws = tmp_path / "project" + result = wrap_command("bwrap", "ls", str(ws), str(ws)) + tokens = _parse(result) + + tmpfs_indices = [i for i, t in enumerate(tokens) if t == "--tmpfs"] + tmpfs_targets = {tokens[i + 1] for i in tmpfs_indices} + assert str(ws.parent) in tmpfs_targets + + def test_cwd_inside_workspace(self, tmp_path): + ws = tmp_path / "project" + sub = ws / "src" / "lib" + result = wrap_command("bwrap", "pwd", str(ws), str(sub)) + tokens = _parse(result) + + chdir_idx = tokens.index("--chdir") + assert tokens[chdir_idx + 1] == str(sub) + + def test_cwd_outside_workspace_falls_back(self, tmp_path): + ws = tmp_path / "project" + outside = tmp_path / "other" + result = wrap_command("bwrap", "pwd", str(ws), str(outside)) + tokens = _parse(result) + + chdir_idx = tokens.index("--chdir") + assert tokens[chdir_idx + 1] == str(ws.resolve()) + + def test_command_with_special_characters(self, tmp_path): + ws = str(tmp_path / "project") + cmd = "echo 'hello world' && cat \"file with spaces.txt\"" + result = wrap_command("bwrap", cmd, ws, ws) + tokens = _parse(result) + + sep = tokens.index("--") + assert tokens[sep + 1:] == ["sh", "-c", cmd] + + def test_system_dirs_ro_bound(self, tmp_path): + ws = str(tmp_path / "project") + result = wrap_command("bwrap", "ls", ws, ws) + tokens = _parse(result) + + ro_bind_indices = [i for i, t in enumerate(tokens) if t == "--ro-bind"] + ro_targets = {tokens[i + 1] for i in ro_bind_indices} + assert "/usr" in ro_targets + + def test_optional_dirs_use_ro_bind_try(self, tmp_path): + ws = str(tmp_path / "project") + result = wrap_command("bwrap", "ls", ws, ws) + tokens = _parse(result) + + try_indices = [i for i, t in enumerate(tokens) if t == "--ro-bind-try"] + try_targets = {tokens[i + 1] for i in try_indices} + assert "/bin" in try_targets + assert "/etc/ssl/certs" in try_targets + + +class TestUnknownBackend: + def test_raises_value_error(self, tmp_path): + ws = str(tmp_path / "project") + with pytest.raises(ValueError, match="Unknown sandbox backend"): + wrap_command("nonexistent", "ls", ws, ws) + + def test_empty_string_raises(self, tmp_path): + ws = str(tmp_path / "project") + with pytest.raises(ValueError): + wrap_command("", "ls", ws, ws)