From 8cbecb13635ef4ae2bd480d87953582525ac9b57 Mon Sep 17 00:00:00 2001
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com>
Date: Thu, 19 Feb 2026 12:47:40 +0000
Subject: [PATCH 1/2] Initial plan

From c2ef7411d2fa7a66524404d669d61237aaa4f429 Mon Sep 17 00:00:00 2001
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com>
Date: Thu, 19 Feb 2026 12:52:31 +0000
Subject: [PATCH 2/2] Fix sandbox documentation inconsistencies

- Update README to list all denied directories (was missing ~/.kube, ~/.npmrc, ~/.pypirc, ~/.netrc)
- Add comprehensive [sandbox] configuration section to config.example.toml
- All claims verified to match implementation

Co-authored-by: yiwang <142937+yiwang@users.noreply.github.com>
---
 README.md           |  2 +-
 config.example.toml | 37 +++++++++++++++++++++++++++++++++++++
 2 files changed, 38 insertions(+), 1 deletion(-)

diff --git a/README.md b/README.md
index 4b8d31b9..e151ab56 100644
--- a/README.md
+++ b/README.md
@@ -174,7 +174,7 @@ Every shell command the agent runs is executed inside an OS-level sandbox:
 | **macOS** | Seatbelt (SBPL) | Filesystem allow-listing, network denial |
 | **All** | rlimits | 120s timeout, 1MB output cap, 50MB file size, 64 process limit |
 
-The sandbox denies access to sensitive directories (`~/.ssh`, `~/.aws`, `~/.gnupg`, `~/.docker`) and blocks all network syscalls by default. Configure extra paths as needed:
+The sandbox denies access to sensitive directories including `~/.ssh`, `~/.aws`, `~/.gnupg`, `~/.docker`, `~/.kube`, and credential files (`~/.npmrc`, `~/.pypirc`, `~/.netrc`). It blocks all network syscalls by default. Configure extra paths as needed:
 
 ```toml
 [sandbox]
diff --git a/config.example.toml b/config.example.toml
index 2e2972f0..e11eebc3 100644
--- a/config.example.toml
+++ b/config.example.toml
@@ -201,6 +201,43 @@ bind = "127.0.0.1"
 # enabled = true
 # api_token = "${TELEGRAM_BOT_TOKEN}"
 
+# Sandbox configuration for shell command isolation
+# Every tool-executed shell command runs in a kernel-enforced sandbox
+[sandbox]
+# Enable sandbox (default: true)
+enabled = true
+
+# Sandbox enforcement level (default: "auto")
+# Options:
+# - "auto" — Use highest available level for your platform
+# - "full" — Landlock V4+ + seccomp + userns (Linux only)
+# - "standard" — Landlock V1+ + seccomp (Linux) or Seatbelt (macOS)
+# - "minimal" — seccomp network blocking only (Linux)
+# - "none" — rlimits only, no filesystem or network isolation
+level = "auto"
+
+# Command timeout (default: 120 seconds)
+timeout_secs = 120
+
+# Maximum stdout+stderr bytes (default: 1MB = 1048576)
+max_output_bytes = 1048576
+
+# Maximum file size via RLIMIT_FSIZE (default: 50MB = 52428800)
+max_file_size_bytes = 52428800
+
+# Maximum child processes via RLIMIT_NPROC (default: 64)
+max_processes = 64
+
+# Network policy (default: "deny")
+# Options: "deny" (block all network) or "proxy" (future: allow via socket)
+[sandbox.network]
+policy = "deny"
+
+# Additional filesystem access beyond workspace and system directories
+# [sandbox.allow_paths]
+# read = ["/opt/data", "/mnt/shared"]
+# write = ["/tmp/scratch"]
+
 [security]
 # LocalGPT injects a security block at the end of every LLM context window.
 # The block has two independent layers:
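Review bot: The `level` option list documents `"minimal"` as seccomp network blocking only and `"none"` as rlimits only, but never says that at those two levels the sensitive-directory denial the README advertises (`~/.ssh`, `~/.aws`, `~/.gnupg`, `~/.docker`, `~/.kube` and the credential files) no longer applies, so an agent-run command gets the invoking user's full filesystem access; I would add, directly under the list, `# WARNING: "minimal" and "none" do NOT block access to ~/.ssh, ~/.aws, ~/.gnupg, ~/.docker, ~/.kube or ~/.npmrc/~/.pypirc/~/.netrc — use only in a disposable environment`. The `"proxy"` network policy is labelled future, yet the comment does not say whether setting `policy = "proxy"` today is rejected at load time or silently falls back to `"deny"`; the loader is not visible here, so either drop the option from the example or document the fallback. The commented `[sandbox.allow_paths]` example should likewise state whether an allow entry under `$HOME` can override the built-in deny list, since that decides whether something like `read = ["~"]` re-exposes the credential directories. Purely on style, the byte constants read better as `1_048_576` and `52_428_800`, which also lets the `(default: 1MB = ...)` comments drop the repeated digits. The `[security]` table after the added block continues past the end of this hunk.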