sandbox-runtime

lywsvip/sandbox-runtime

Fork 0

mirror of https://github.com/anthropic-experimental/sandbox-runtime.git synced 2026-05-06 13:40:59 +08:00

Commit Graph

Select branches

Hide Pull Requests

apply-seccomp-root-caller

atp/cc-1442-denyread-allowread-difficulty-re-sandbox-re-oracle

atp/cc-1468-denywrite-unmasks-denyread-regression

atp/cc-1474-unlink-tests

atp/cc-905-bump-version-0-0-42

bump-version-0.0.27

diag/reset-hang

dworken/binshell

dworken/bpf

dworken/bump-v0.0.39

dworken/bwrap-new-session

dworken/configurable-proxy-ports

dworken/deny-path-mount-cleanup

dworken/enable-weaker-network-isolation

dworken/fix-empty-allowed-domains

dworken/fix-regex-escaping-seatbelt

dworken/fix-sandbox-dummy-file-race

dworken/linux-denyread-glob-expansion

dworken/no-python

dworken/nonexistent-deny-path-hardening

dworken/remove-trustd-mach-lookup

dworken/sandbox-config

dworken/sandbox-mv

dworken/seccomp-pid-ns-isolation

dworken/symlink

dworken/symlink-write-path-check

dworken/tmpdir-hardening

dylan/allow-mach-lookup-config

dylan/ci-build-seccomp

dylan/ci-full-suite

dylan/npm-audit-0.0.48

dylan/remove-lodash-es

dylan/seccomp-argv0-mode

dylanc/allow-local-binding-ipv6-dual-stack

dylanc/node-22

dylanc/release-workflow

dylanc/ripgrep-argv0

dylanc/seccomp-config-paths

fix-env-var-quoting

fix/cli-positional-arg-quoting

fix/debug-flag-env-var

fix/gcloud-proxy-type

fix/integration-spawnsync-deadlock

fix/linux-git-ssh-proxy

fix/ripgrep-dep-linux-only

fix/symlink-write-path-warning

fix/tmpdir-env-name

fix/unix-socket-creation-in-network-restricted-sandbox

fix/wildcard-test-restructure

jacques/replace-shell-quote

jacques/respect-tmpdir-in-srt

jacques/srt-dont-log-on-sigint-or-sigterm

kurt/sandbox-binary-paths

kurt/sandbox-exec-abs-path

loc/dynamic-config-watching

main

mhl/external-proxy-integration

oct/fix-seatbelt-deny-create

oct/v0.0.50

ollie/0.0.18

ollie/0.0.3-pointers

ollie/0.0.5-pointers

ollie/004-pointers

ollie/006

ollie/add-config-mutation-and-bump-pointers

ollie/add-vscode-formatting-autosave

ollie/block-all-network-test

ollie/bump-0.29

ollie/custom-rg

ollie/fail-gracefully-no-seccomp

ollie/fix-bwrap-mkdir-error

ollie/fix-path-finding

ollie/fix-wsl-platform-check

ollie/flexible-api-and-better-defaults

ollie/improve-dependency-checks

ollie/mandatory-deny-paths

ollie/most-restrictive-if-not-set

ollie/rename-env

ollie/simplify-check-dependencies

ollie/unified-dependency-check

ollie/update-pointers

ollie/update-pointers-0.0.32

ollie/update-pointers-2

ollie/upgrade-lodash-es

ollie/upgrade-package-lock-0.0.2

ollie/upgrade-packagelock

release/v0.0.44

revert-pr-91

shawnm/tls-ca

shawnm/tls-terminate-leaf-minting

#1

#100

#101

#102

#107

#108

#109

#11

#110

#111

#112

#115

#115

#116

#117

#12

#120

#123

#123

#124

#124

#126

#127

#128

#128

#129

#129

#132

#132

#133

#133

#134

#134

#135

#135

#136

#136

#137

#138

#14

#140

#142

#142

#143

#144

#144

#146

#146

#15

#150

#150

#152

#152

#153

#155

#158

#158

#16

#162

#162

#163

#166

#167

#168

#169

#170

#172

#173

#173

#179

#179

#181

#181

#182

#183

#184

#186

#187

#189

#189

#190

#191

#192

#194

#195

#196

#197

#198

#199

#20

#200

#200

#201

#201

#202

#202

#203

#204

#205

#206

#208

#208

#209

#209

#21

#215

#215

#216

#216

#217

#217

#218

#218

#219

#219

#22

#220

#220

#222

#222

#223

#224

#224

#226

#227

#227

#228

#23

#230

#231

#231

#232

#233

#235

#236

#236

#237

#238

#239

#24

#240

#241

#242

#243

#244

#245

#246

#246

#247

#248

#248

#25

#26

#27

#28

#29

#31

#32

#32

#34

#35

#36

#37

#38

#39

#39

#40

#40

#42

#44

#45

#46

#47

#47

#48

#49

#5

#50

#51

#52

#52

#53

#54

#55

#57

#59

#60

#61

#63

#64

#66

#68

#7

#70

#71

#73

#77

#77

#80

#81

#82

#84

#86

#89

#89

#9

#90

#91

#92

#93

#94

#95

#96

#99

v0.0.38

v0.0.39

v0.0.40

v0.0.41

v0.0.42

v0.0.43

v0.0.44

v0.0.45

v0.0.46

v0.0.47

v0.0.48

v0.0.49

v0.0.50

a7fafaf532 test(terminating-tls): leaf-cert minting tests shawnm/tls-terminate-leaf-minting Shawn M Moore 2026-05-05 17:11:35 -07:00
7b7aada3e3 feat(terminating-tls): per-host leaf cert minting Shawn M Moore 2026-05-05 17:11:34 -07:00
e15986b0f3 feat(terminating-tls): Add opt-in configuration for providing CA cert and key (#247) main shawnm-anthropic 2026-05-05 16:29:11 -07:00
1eccdbdfac Add tests for tlsTerminate config and loadMitmCA shawnm/tls-ca Shawn M Moore 2026-05-05 16:04:52 -07:00
6206ff6d8c Wire tlsTerminate CA loader into SandboxManager.initialize() Shawn M Moore 2026-05-05 15:28:58 -07:00
9d0538cd5b Add opt-in configuration for providing CA cert and key Shawn M Moore 2026-05-05 15:23:08 -07:00
04baa776d6 docs(README): fix typo in section concerning security limitations (#167) v0.0.50 XTY 2026-05-06 06:19:51 +08:00
9e06e804cb fix(sandbox): set CLOUDSDK_PROXY_TYPE=http (was invalid "https") (#237) Dylan Conway 2026-05-05 15:15:35 -07:00
ccf4ea4649 ci: revert bun to 1.3.1 fix/gcloud-proxy-type Dylan Conway 2026-05-05 14:04:41 -07:00
06b5e5b87c fix(cli): make --debug flag set SRT_DEBUG (was setting DEBUG) (#238) Dylan Conway 2026-05-05 13:58:26 -07:00
c7e40bf04d fix(sandbox): only require ripgrep on Linux in checkDependencies() (#241) Dylan Conway 2026-05-05 13:58:00 -07:00
b16b240be4 fix(cli): shell-quote positional args instead of join(" ") (#239) Dylan Conway 2026-05-05 13:56:01 -07:00
1cb78b969c fix(sandbox): read CLAUDE_CODE_TMPDIR for TMPDIR (in addition to CLAUDE_TMPDIR) (#240) Dylan Conway 2026-05-05 13:55:17 -07:00
ffcb88f4ed DIAGNOSTIC: keep original 5s timeout, add +200ms exitCode probe diag/reset-hang Dylan Conway 2026-05-05 13:31:19 -07:00
776bf20293 DIAGNOSTIC: dump bridge /proc state around SIGTERM in reset() — DO NOT MERGE Dylan Conway 2026-05-05 13:24:55 -07:00
0a2aab24a9 Merge branch 'main' into fix/gcloud-proxy-type Dylan Conway 2026-05-05 13:15:34 -07:00
4438670249 Merge branch 'main' into fix/debug-flag-env-var fix/debug-flag-env-var Dylan Conway 2026-05-05 13:15:06 -07:00
863d943de1 Merge branch 'main' into fix/cli-positional-arg-quoting fix/cli-positional-arg-quoting Dylan Conway 2026-05-05 13:14:57 -07:00
ddeea79f6b Merge branch 'main' into fix/tmpdir-env-name fix/tmpdir-env-name Dylan Conway 2026-05-05 13:14:46 -07:00
cd93508998 Merge branch 'main' into fix/ripgrep-dep-linux-only fix/ripgrep-dep-linux-only Dylan Conway 2026-05-05 13:14:30 -07:00
703741b618 test(integration): use async spawn so the in-process proxy can respond; bump bun to 1.3.13 (#243) Dylan Conway 2026-05-05 13:14:19 -07:00
a5d4ff3636 test: move spawnAsync to shared helper, close stdin, convert remaining proxy tests fix/integration-spawnsync-deadlock Dylan Conway 2026-05-05 12:37:30 -07:00
88afcf7816 test(integration): use async spawn so the in-process proxy can respond Dylan Conway 2026-05-05 12:25:39 -07:00
2fbe8f8d6e Merge branch 'main' into fix/gcloud-proxy-type Dylan Conway 2026-05-05 12:01:38 -07:00
434b3d2ece Merge branch 'main' into fix/debug-flag-env-var Dylan Conway 2026-05-05 12:01:29 -07:00
cc1b2b7fc0 Merge branch 'main' into fix/cli-positional-arg-quoting Dylan Conway 2026-05-05 12:01:18 -07:00
e4f36090e6 Merge branch 'main' into fix/tmpdir-env-name Dylan Conway 2026-05-05 12:01:09 -07:00
c657aec94c Merge branch 'main' into fix/ripgrep-dep-linux-only Dylan Conway 2026-05-05 12:01:00 -07:00
fb436f7f08 test(integration): swap allowedDomains via updateConfig instead of reset+initialize (#242) Dylan Conway 2026-05-05 11:56:42 -07:00
d2545f2298 test(integration): swap allowedDomains via updateConfig instead of reset+initialize fix/wildcard-test-restructure Dylan Conway 2026-05-05 11:47:21 -07:00
66956f7c73 fix(sandbox): only require ripgrep on Linux in checkDependencies() Dylan Conway 2026-05-05 11:35:02 -07:00
12fabdba45 fix(sandbox): read CLAUDE_CODE_TMPDIR for TMPDIR (in addition to CLAUDE_TMPDIR) Dylan Conway 2026-05-05 11:33:47 -07:00
4d880e2692 fix(cli): shell-quote positional args instead of join(" ") Dylan Conway 2026-05-05 11:32:42 -07:00
bc1c435127 fix(cli): make --debug flag set SRT_DEBUG (was setting DEBUG) Dylan Conway 2026-05-05 11:31:33 -07:00
0d6d586230 fix(sandbox): set CLOUDSDK_PROXY_TYPE=http (was invalid "https") Dylan Conway 2026-05-05 11:25:16 -07:00
ed9085ba73 chore: bump version to 0.0.50 (#235) Octavian Guzu 2026-05-05 18:54:52 +01:00
0246170c9b Add bwrapPath and socatPath config overrides for Linux sandbox (#232) ant-kurt 2026-05-05 10:52:15 -07:00
796aab7317 Invoke sandbox-exec by absolute path (#233) ant-kurt 2026-05-05 10:49:53 -07:00
b89c53491a chore: bump version to 0.0.50 oct/v0.0.50 Octavian Guzu 2026-05-05 12:53:33 +00:00
a73f4a68b0 Invoke sandbox-exec by absolute path kurt/sandbox-exec-abs-path ant-kurt 2026-05-04 22:11:00 +00:00
79ad4e401e Add bwrapPath and socatPath config overrides for Linux sandbox kurt/sandbox-binary-paths ant-kurt 2026-05-04 22:10:07 +00:00
7a4172b08d fix(sandbox): deny file-write-create on protected ancestors in Seatbelt profile (#226) Octavian Guzu 2026-04-29 17:21:15 +01:00
22a54816b4 test: use canonical tmpdir so non-existent deny paths match Seatbelt's resolved syscall paths oct/fix-seatbelt-deny-create Octavian Guzu 2026-04-23 11:01:09 +00:00
97601041cb fix(sandbox): deny file-write-create on protected ancestors in Seatbelt profile Octavian Guzu 2026-04-23 10:51:54 +00:00
02c19c81a5 switch away from shellescape to fix issue with metacharacters jacques/replace-shell-quote Jacques Paye 2026-04-20 22:07:25 -04:00
7a725a314f Remove lodash-es dependency (#206) v0.0.49 Dylan Conway 2026-04-02 18:58:36 -07:00
c59eb541d2 Bump version to 0.0.49 dylan/remove-lodash-es Dylan Conway 2026-04-02 18:55:34 -07:00
5b0b722ad2 Remove lodash-es dependency Dylan Conway 2026-04-02 18:51:40 -07:00
bc3f0faa98 Bump to 0.0.48 and fix npm audit vulnerabilities (#205) v0.0.48 Dylan Conway 2026-04-02 18:38:11 -07:00
00344c522f Bump to 0.0.48 and fix npm audit vulnerabilities dylan/npm-audit-0.0.48 Dylan Conway 2026-04-02 17:53:25 -07:00
d3d27dd3a6 Add allowMachLookup config for additional macOS XPC services (#204) v0.0.47 Dylan Conway 2026-04-02 14:12:34 -07:00
687d3c0c6b Add allowMachLookup config for additional macOS XPC services dylan/allow-mach-lookup-config Dylan Conway 2026-04-02 13:45:35 -07:00
2dc232be92 Add seccomp argv0 mode for multicall-binary invocation (#203) Dylan Conway 2026-04-02 12:29:16 -07:00
ebe27b1551 Add seccomp argv0 mode for multicall-binary invocation dylan/seccomp-argv0-mode Dylan Conway 2026-04-02 12:13:09 -07:00
7f650392ee Bake BPF filter into apply-seccomp, build in CI (#199) Dylan Conway 2026-04-02 10:58:33 -07:00
8e1abaea44 Bump version to 0.0.47 dylan/ci-build-seccomp Dylan Conway 2026-04-02 09:22:28 -07:00
1e63b83a36 Remove stale references to on-disk BPF filter file Dylan Conway 2026-04-02 09:20:34 -07:00
835c9e4466 Build seccomp binaries in docker-tests CI job Dylan Conway 2026-04-02 09:09:19 -07:00
6aaf9f162d Bake BPF filter into apply-seccomp, build in CI Dylan Conway 2026-04-02 09:04:29 -07:00
16867c6286 Add tests for rm in allowWrite under denyRead ancestor (issue #171) (#198) Alice T'Poteat 2026-03-31 18:26:27 -07:00
59c53c30c4 Add tests for rm in allowWrite under denyRead ancestor (issue #171) atp/cc-1474-unlink-tests Alice Poteat 2026-03-31 16:02:19 -07:00
e4a34fefd9 Merge pull request #170 from carderne/fix-order-allow-read Alice T'Poteat 2026-03-31 16:17:06 -07:00
e94c5fd01d Run full test suite in CI and migrate platform skips to describe.if (#197) Dylan Conway 2026-03-31 15:36:39 -07:00
2d98d7271e Add explicit timeouts to update-config sandboxed-curl tests dylan/ci-full-suite Dylan Conway 2026-03-31 14:49:00 -07:00
a58d8f0e94 Add required network key to docker test config Dylan Conway 2026-03-31 14:18:10 -07:00
27c90d4808 Rename docker job to match other Tests jobs Dylan Conway 2026-03-31 14:10:21 -07:00
d07b8ba6ad Replace docker test-suite job with srt end-to-end test Dylan Conway 2026-03-31 14:07:49 -07:00
a42d9f8763 Replace mock.module with spyOn in linux-dependency-error tests Dylan Conway 2026-03-31 13:56:12 -07:00
646d9f64a7 Run full test suite in CI and migrate platform skips to describe.if Dylan Conway 2026-03-31 13:37:24 -07:00
ed5a909983 Fix enableWeakerNestedSandbox after apply-seccomp namespace changes (#196) v0.0.46 Dylan Conway 2026-03-31 12:56:06 -07:00
073b83a166 Remove CI step comment apply-seccomp-root-caller Dylan Conway 2026-03-31 12:35:55 -07:00
21206e6b73 Run mandatory-deny-paths tests in CI Dylan Conway 2026-03-31 12:33:54 -07:00
72e477b62d Fix enableWeakerNestedSandbox after apply-seccomp namespace changes Dylan Conway 2026-03-31 12:21:57 -07:00
bc1ab82928 Merge pull request #195 from anthropic-experimental/atp/cc-1468-denywrite-unmasks-denyread-regression v0.0.45 Alice T'Poteat 2026-03-31 11:30:10 -07:00
785809791c Sort denyRead paths shallow-first so file masks land after dir tmpfs atp/cc-1468-denywrite-unmasks-denyread-regression Alice Poteat 2026-03-31 11:12:36 -07:00
ebf2912770 Don't let denyWrite unmask a denyRead /dev/null bind; file-deny survives dir-allow Alice Poteat 2026-03-31 10:59:45 -07:00
18f2668b44 Defer bwrap mount point cleanup until concurrent sandboxes finish (#184) David Dworken 2026-03-30 17:18:35 -07:00
d403ec72c3 Merge remote-tracking branch 'origin/main' into dworken/fix-sandbox-dummy-file-race dworken/fix-sandbox-dummy-file-race Dylan Conway 2026-03-30 17:15:59 -07:00
7ee4ac602d Isolate seccomp workload in nested PID ns and block io_uring (#183) David Dworken 2026-03-30 17:07:40 -07:00
732a12a4c2 chore: bump version to 0.0.44 (#192) v0.0.44 Alice T'Poteat 2026-03-30 16:12:22 -07:00
d088d50811 chore: bump version to 0.0.44 release/v0.0.44 Alice Poteat 2026-03-30 16:05:49 -07:00
41a57927c7 fix: allow filesystem root traversal when denyRead includes '/' (#190) Alice T'Poteat 2026-03-30 15:42:43 -07:00
f16dbed1ba Narrow allowRead skip check to writes actually re-bound under this tmpfs atp/cc-1442-denyread-allowread-difficulty-re-sandbox-re-oracle Alice Poteat 2026-03-30 15:34:23 -07:00
7d8d39d369 Fix Linux test assumptions: seccomp binary path, ro-bind src+dest count Alice Poteat 2026-03-30 15:12:48 -07:00
ec028c4b14 Wire allow-read and wrap-with-sandbox tests into CI Alice Poteat 2026-03-30 15:08:29 -07:00
49eb1ff1a3 Dedup denyWrite entries post-normalization to prevent bwrap failure Alice Poteat 2026-03-30 14:29:57 -07:00
3cdb468014 Fix allowRead carve-outs when denyRead covers filesystem root Alice Poteat 2026-03-30 14:20:00 -07:00
fd74a3f012 Add upstream/parent HTTP proxy support to sandbox (#187) v0.0.43 Samuel Attard 2026-03-27 23:27:10 -04:00
31d59dbf8f Defer bwrap mount point cleanup until all concurrent sandboxes finish David Dworken 2026-03-24 21:05:10 +00:00
f232c64949 Exit inner init as soon as the worker exits dworken/seccomp-pid-ns-isolation David Dworken 2026-03-24 06:28:23 +00:00
7d2caccc91 Disable AppArmor userns restriction in CI instead of using setuid bwrap David Dworken 2026-03-24 06:26:06 +00:00
75322723ac Add --unshare-user so --cap-add works with setuid bwrap David Dworken 2026-03-24 06:22:48 +00:00
5d118663d9 chore: bump version to 0.0.44 David Dworken 2026-03-24 06:13:01 +00:00
f189449e2a Pass CAP_SYS_ADMIN to apply-seccomp and clear ambient caps before exec David Dworken 2026-03-24 06:12:54 +00:00
2cf7f84eee Merge origin/main into seccomp-pid-ns-isolation David Dworken 2026-03-24 06:09:22 +00:00
150dab7bf0 Isolate seccomp workload in nested PID namespace and block io_uring David Dworken 2026-03-24 04:42:07 +00:00
62e61c0e74 Sandbox hardening: TMPDIR write scope and seccomp arg comparison (#182) David Dworken 2026-03-23 17:41:10 -07:00
a511ac4326 Use 32-bit masked comparison for socket() domain argument in seccomp filter dworken/tmpdir-hardening David Dworken 2026-03-23 09:58:28 -07:00
1950d91cbc Harden macOS sandbox to only use the configured TMPDIR for writes David Dworken 2026-03-23 09:52:41 -07:00
62f306471a fix ordering for allow read within deny Chris Arderne 2026-03-09 20:09:26 +00:00

1 2 3 4 5 ...