feat(runtime): sandbox security-opt / extra-binds / systempaths for e2e #2
Merged
Go map iteration is randomized, so consecutive refreshes reshuffled rows. Match the control plane ordering (CreatedAt asc, ID tiebreaker). Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
b474428 to 480f941
Lets operators set HostConfig.SecurityOpt (comma-separated) on every spawned sandbox, e.g. seccomp=unconfined so in-sandbox bubblewrap can create user namespaces. Opt-in; when set it replaces edvabe's default (seccomp=unconfined, apparmor=unconfined), and when unset that default stays. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Adds extra bind mounts (comma-separated host:ctr[:ro]) to every spawned sandbox, on top of per-request mounts. Lets the operator share host fixtures (e.g. LLM replay snapshots) with sandboxes for deterministic local testing. Opt-in. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
…ReadonlyPaths
EDVABE_SECURITY_OPT now recognizes "systempaths=unconfined" and clears the
spawned sandbox's MaskedPaths/ReadonlyPaths (the same effect as `docker run
--security-opt systempaths=unconfined`), instead of forwarding it verbatim as a
SecurityOpt — which the daemon rejects, since systempaths is CLI sugar, not an
API-level opt.
Docker masks /proc/* by default, so in-sandbox bubblewrap fails to mount a fresh
/proc ("Can't mount proc on /newroot/proc: Operation not permitted"). Clearing
the masks lets the agent's run_command sandbox build. Opt-in; relaxes isolation.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
480f941 to 2199b0d
Runtime knobs that let an in-sandbox agent (bubblewrap-based `run_command`) actually build inside an edvabe Docker sandbox, needed for the webmaster deterministic redo-flow e2e.

Changes

- `EDVABE_SECURITY_OPT` — comma-separated list applied as `HostConfig.SecurityOpt` on every spawned sandbox (e.g. `seccomp=unconfined,apparmor=unconfined`).
- `EDVABE_EXTRA_BINDS` — extra bind mounts (`host:ctr[:ro]`) on every sandbox, e.g. to share host LLM-replay fixtures.
- `systempaths=unconfined` — recognized inside `EDVABE_SECURITY_OPT` and translated to empty `MaskedPaths`/`ReadonlyPaths` (same effect as `docker run --security-opt systempaths=unconfined`), rather than forwarded verbatim — the daemon rejects systempaths as a raw API-level SecurityOpt. Docker masks `/proc/*` by default, so without this bubblewrap fails with `Can't mount proc on /newroot/proc: Operation not permitted`.

Why

On hosts with `kernel.apparmor_restrict_unprivileged_userns=1` (Ubuntu 23.10+) plus Docker's default `/proc` masking, the agent's bwrap sandbox can't create a user namespace or mount a fresh `/proc`. All three opts (seccomp + apparmor + systempaths) are required for the in-sandbox build to run. Opt-in via env; each relaxes isolation, intended for local/e2e.

Tests

- `TestParseSecurityOpt` covers the systempaths extraction, trimming, and case-insensitivity.
- `MaskedPaths: []`, bwrap `--proc /proc` succeeds, and the webmaster redo e2e builds a real Astro site with 0 bwrap errors.

🤖 Generated with Claude Code
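The `EDVABE_SECURITY_OPT` handling described above, as an added Go example that is not edvabe's own code: `hostConfig`, `defaultSecurityOpt`, `parseSecurityOpt` and `applySecurityOpt` are hypothetical names, and the struct is a local stand-in for the three Docker `HostConfig` fields involved. It shows why `systempaths=unconfined` has to be separated from the forwarded opts and how unset, set, and systempaths-only values differ.

```go
package main

import (
	"fmt"
	"strings"
)

// hostConfig is a hypothetical stand-in for the Docker HostConfig fields the PR touches.
type hostConfig struct {
	SecurityOpt   []string
	MaskedPaths   []string // nil = daemon defaults, empty = nothing masked
	ReadonlyPaths []string
}

// defaultSecurityOpt is the default the PR text attributes to edvabe.
var defaultSecurityOpt = []string{"seccomp=unconfined", "apparmor=unconfined"}

// parseSecurityOpt splits a comma-separated value, trims each item and pulls out
// "systempaths=unconfined" (case-insensitive), which the daemon rejects as a raw opt.
func parseSecurityOpt(raw string) (opts []string, unconfinedPaths bool) {
	for _, item := range strings.Split(raw, ",") {
		item = strings.TrimSpace(item)
		if strings.EqualFold(item, "systempaths=unconfined") {
			unconfinedPaths = true
		} else if item != "" {
			opts = append(opts, item)
		}
	}
	return opts, unconfinedPaths
}

// applySecurityOpt mutates hc: an unset value keeps the default, a set value replaces it.
func applySecurityOpt(hc *hostConfig, raw string) {
	if strings.TrimSpace(raw) == "" {
		hc.SecurityOpt = append([]string{}, defaultSecurityOpt...)
		return
	}
	var unconfined bool
	hc.SecurityOpt, unconfined = parseSecurityOpt(raw)
	if unconfined { // explicit empty lists remove the /proc and /sys masks
		hc.MaskedPaths, hc.ReadonlyPaths = []string{}, []string{}
	}
}

func main() {
	hc := &hostConfig{}
	applySecurityOpt(hc, " seccomp=unconfined, SystemPaths=Unconfined ,apparmor=unconfined")
	fmt.Printf("%+v\n", *hc)
}
```

Setting only `systempaths=unconfined` leaves `SecurityOpt` empty, so Docker's default seccomp and AppArmor profiles apply again while the path masks are removed.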