fix: keep agent socket runtime network-isolated#74
Open
LIghtJUNction wants to merge 1 commit into
Open
Conversation
There was a problem hiding this comment.
Sorry @LIghtJUNction, you have reached your weekly rate limit of 500000 diff characters.
Please try again later or upgrade to continue using Sourcery
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Motivation
allow <subject> network:default connect, and the bootstrap produced that rule for default reference agents, which yielded unrestricted host-network egress for bootstrapped agents.--unshare-net.Description
network:default connectgrant from the generated reference agent policy inreference_agent_policyso bootstrapped agents no longer receive that coarse network permission by default. (crates/cortexfs/src/reference_tree_bootstrap.rs)--unshare-netin the bwrap argument builder used by the socket runtime so the sandbox remains network-isolated regardless of coarse policy bits. (crates/cortexfs/src/socket_runtime.rs, functionagent_executable_socket_bwrap_args)network:default connectis a coarse capability and must not by itself remove sandbox network namespace isolation. (crates/cortexfs/docs/spec/tool-policy-abi.md)--unshare-netis present in the produced bwrap args. (tests undercrates/cortexfs/tests/unit/lib/)Testing
cargo test -p cortexfs --lib reference_tree_bootstrapand the reference-tree bootstrap tests passed.cargo test -p cortexfs --lib agent_executable_socket_bwrap_argsand the bwrap-args/unit tests asserting network isolation passed.cargo test -p cortexfs --libto exercise the updated unit test set and the targeted tests completed successfully.cargo fmtandgit diff --checkto validate formatting and diffs with no issues.Codex Task