Skip to content

fix(sandbox): harden seccomp, inference routing, and process limits #869

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
johntmyers merged 4 commits into from
Apr 17, 2026
+24 −3
Merged

fix(sandbox): harden seccomp, inference routing, and process limits #869

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
4 commits
Select commit Hold shift + click to select a range
cd81700
fix(sandbox): block AF_NETLINK in seccomp unconditionally
johntmyers Apr 17, 2026
974049b
fix(sandbox): scope inference.local interception to port 443
johntmyers Apr 17, 2026
d952ed3
fix(sandbox): enforce RLIMIT_NPROC to prevent fork bomb DoS
johntmyers Apr 17, 2026
8e5cab5
chore(sandbox): fix rustfmt formatting for seccomp blocked_domains
johntmyers Apr 17, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
16 changes: 16 additions & 0 deletions crates/openshell-sandbox/src/process.rs
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -49,6 +49,22 @@ pub(crate) fn harden_child_process() -> Result<()> {
));
}

// Limit process creation to prevent fork bombs. 512 processes per UID is
// sufficient for typical agent workloads (shell, compilers, language servers)
// while preventing runaway forking. Set as a hard limit so the sandbox user
// cannot raise it after privilege drop.
let nproc_limit = libc::rlimit {
rlim_cur: 512,
rlim_max: 512,
};
let rc = unsafe { libc::setrlimit(libc::RLIMIT_NPROC, &nproc_limit) };
if rc != 0 {
return Err(miette::miette!(
"Failed to set RLIMIT_NPROC: {}",
std::io::Error::last_os_error()
));
}

#[cfg(target_os = "linux")]
{
let rc = unsafe { libc::prctl(libc::PR_SET_DUMPABLE, 0, 0, 0, 0) };
Expand Down
3 changes: 2 additions & 1 deletion crates/openshell-sandbox/src/proxy.rs
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -27,6 +27,7 @@ use tracing::{debug, warn};

const MAX_HEADER_BYTES: usize = 8192;
const INFERENCE_LOCAL_HOST: &str = "inference.local";
const INFERENCE_LOCAL_PORT: u16 = 443;

/// Maximum total bytes for a streaming inference response body (32 MiB).
const MAX_STREAMING_BODY: usize = 32 * 1024 * 1024;
Expand Down Expand Up @@ -354,7 +355,7 @@ async fn handle_tcp_connection(
let (host, port) = parse_target(target)?;
let host_lc = host.to_ascii_lowercase();

if host_lc == INFERENCE_LOCAL_HOST {
if host_lc == INFERENCE_LOCAL_HOST && port == INFERENCE_LOCAL_PORT {
respond(&mut client, b"HTTP/1.1 200 Connection Established\r\n\r\n").await?;
let outcome = handle_inference_interception(
client,
Expand Down
8 changes: 6 additions & 2 deletions crates/openshell-sandbox/src/sandbox/linux/seccomp.rs
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -112,11 +112,15 @@ fn build_filter_rules(allow_inet: bool) -> Result<BTreeMap<i64, Vec<SeccompRule>
let mut rules: BTreeMap<i64, Vec<SeccompRule>> = BTreeMap::new();

// --- Socket domain blocks ---
let mut blocked_domains = vec![libc::AF_PACKET, libc::AF_BLUETOOTH, libc::AF_VSOCK];
let mut blocked_domains = vec![
libc::AF_PACKET,
libc::AF_BLUETOOTH,
libc::AF_VSOCK,
libc::AF_NETLINK,
];
if !allow_inet {
blocked_domains.push(libc::AF_INET);
blocked_domains.push(libc::AF_INET6);
blocked_domains.push(libc::AF_NETLINK);
}

for domain in blocked_domains {
Expand Down
Loading