Add enableWeakerNetworkIsolation option to conditionally allow trustd.agent mach-lookup

David Dworken
2026-02-05 12:33:22 -08:00
parent d34c93c5f4
commit 4e007b9ed0
5 changed files with 56 additions and 9 deletions


@@ -33,6 +33,7 @@ export interface MacOSSandboxParams {
ignoreViolations?: IgnoreViolationsConfig | undefined
allowPty?: boolean
allowGitConfig?: boolean
enableWeakerNetworkIsolation?: boolean
binShell?: string
}
@@ -328,6 +329,7 @@ function generateSandboxProfile({
allowLocalBinding,
allowPty,
allowGitConfig = false,
enableWeakerNetworkIsolation = false,
logTag,
}: {
readConfig: FsReadRestrictionConfig | undefined
@@ -340,6 +342,7 @@ function generateSandboxProfile({
allowLocalBinding?: boolean
allowPty?: boolean
allowGitConfig?: boolean
enableWeakerNetworkIsolation?: boolean
logTag: string
}): string {
const profile: string[] = [
@@ -377,6 +380,13 @@ function generateSandboxProfile({
' (global-name "com.apple.coreservices.launchservicesd")',
')',
'',
...(enableWeakerNetworkIsolation
? [
'; trustd.agent - needed for Go TLS certificate verification (weaker network isolation)',
'(allow mach-lookup (global-name "com.apple.trustd.agent"))',
]
: []),
'',
'; POSIX IPC - shared memory',
'(allow ipc-posix-shm)',
'',
@@ -615,6 +625,7 @@ export function wrapCommandWithSandboxMacOS(
writeConfig,
allowPty,
allowGitConfig = false,
enableWeakerNetworkIsolation = false,
binShell,
} = params
@@ -646,6 +657,7 @@ export function wrapCommandWithSandboxMacOS(
allowLocalBinding,
allowPty,
allowGitConfig,
enableWeakerNetworkIsolation,
logTag,
})
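Review bot: The allowance added at `(allow mach-lookup (global-name "com.apple.trustd.agent"))` is annotated in the generated profile only as "needed for Go TLS certificate verification", while the schema description for the same flag warns that it opens a potential data-exfiltration vector through trustd; the profile comment should carry that caveat too, since the generated profile (not the schema) is what someone reads when debugging a sandbox violation. Suggest `'; trustd.agent - needed for Go TLS certificate verification; WARNING: weakens network isolation (see enableWeakerNetworkIsolation), potential exfiltration path via trustd',`. Because `logTag` is already a parameter of generateSandboxProfile, it may also be worth emitting a one-line warning when the flag is true so the weakened profile is visible in logs — the logging helpers are not visible from this hunk, so treat that as a suggestion. A smaller style point: the unconditional `''` both before and after the spread leaves two consecutive blank lines in the profile when the flag is off; moving the trailing `''` inside the conditional array avoids that. generateSandboxProfile's body starts and ends outside the hunk.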


@@ -189,6 +189,15 @@ export const SandboxRuntimeConfigSchema = z.object({
.boolean()
.optional()
.describe('Enable weaker nested sandbox mode (for Docker environments)'),
enableWeakerNetworkIsolation: z
.boolean()
.optional()
.describe(
'Enable weaker network isolation to allow access to com.apple.trustd.agent (macOS only). ' +
'This is needed for Go programs (gh, gcloud, terraform, kubectl, etc.) to verify TLS certificates ' +
'when using httpProxyPort with a MITM proxy and custom CA. Enabling this opens a potential data ' +
'exfiltration vector through the trustd service. Only enable if you need Go TLS verification.',
),
ripgrep: RipgrepConfigSchema.optional().describe(
'Custom ripgrep configuration (default: { command: "rg" })',
),


@@ -451,6 +451,10 @@ function getEnableWeakerNestedSandbox(): boolean | undefined {
return config?.enableWeakerNestedSandbox
}
function getEnableWeakerNetworkIsolation(): boolean | undefined {
return config?.enableWeakerNetworkIsolation
}
function getRipgrepConfig(): { command: string; args?: string[] } {
return config?.ripgrep ?? { command: 'rg' }
}
@@ -581,6 +585,7 @@ async function wrapWithSandbox(
ignoreViolations: getIgnoreViolations(),
allowPty,
allowGitConfig: getAllowGitConfig(),
enableWeakerNetworkIsolation: getEnableWeakerNetworkIsolation(),
binShell,
})
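Review bot: `getEnableWeakerNetworkIsolation` returns the raw `boolean | undefined` from config without documenting that an unset value is treated as off; since this flag weakens the sandbox, a one-line doc comment stating the fail-closed default would help the next reader, e.g. `/** Unset is treated as false by the macOS profile generator (fail-closed). */` above the function. The getter mirrors `getEnableWeakerNestedSandbox`, so no behavioural issue is raised here. `wrapWithSandbox` starts before this hunk and only part of its argument list is visible.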