@voratiq/sandbox-runtime 0.0.29-voratiq0

package/package.json

@@ -0,0 +1,90 @@
+{
+  "name": "@voratiq/sandbox-runtime",
+  "version": "0.0.29-voratiq0",
+  "description": "(Voratiq-maintained fork of the) Anthropic Sandbox Runtime (ASRT) - A general-purpose tool for wrapping security boundaries around arbitrary processes",
+  "type": "module",
+  "main": "./dist/index.js",
+  "types": "./dist/index.d.ts",
+  "bin": {
+    "srt": "dist/cli.js"
+  },
+  "engines": {
+    "node": ">=18.0.0"
+  },
+  "scripts": {
+    "build": "tsc",
+    "postbuild": "[ -d vendor ] && cp -r vendor dist/ || true",
+    "build:seccomp": "scripts/build-seccomp-binaries.sh",
+    "clean": "rm -rf dist",
+    "test": "bun test",
+    "test:unit": "bun test test/config-validation.test.ts test/sandbox/seccomp-filter.test.ts",
+    "test:integration": "bun test test/sandbox/integration.test.ts",
+    "typecheck": "tsc --noEmit",
+    "lint": "eslint 'src/**/*.ts' --fix --cache --cache-location=node_modules/.cache/.eslintcache",
+    "lint:check": "eslint 'src/**/*.ts' --cache --cache-location=node_modules/.cache/.eslintcache",
+    "format": "prettier --write 'src/**/*.ts' --cache --log-level warn",
+    "prepublishOnly": "npm run clean && npm run build",
+    "prepare": "husky"
+  },
+  "dependencies": {
+    "@pondwader/socks5-server": "^1.0.10",
+    "@types/lodash-es": "^4.17.12",
+    "commander": "^12.1.0",
+    "lodash-es": "^4.17.21",
+    "shell-quote": "^1.8.3",
+    "zod": "^3.24.1"
+  },
+  "devDependencies": {
+    "@eslint/js": "^9.14.0",
+    "@types/bun": "^1.3.2",
+    "@types/node": "^18",
+    "@types/shell-quote": "^1.7.5",
+    "eslint": "^9.14.0",
+    "eslint-config-prettier": "^8.10.0",
+    "eslint-import-resolver-typescript": "^3.6.3",
+    "eslint-plugin-import": "^2.31.0",
+    "eslint-plugin-n": "^17.16.2",
+    "eslint-plugin-prettier": "^5.1.3",
+    "globals": "^15.12.0",
+    "husky": "^9.1.7",
+    "lint-staged": "^16.2.6",
+    "prettier": "3.3.3",
+    "typescript": "^5.6.3",
+    "typescript-eslint": "^8.13.0"
+  },
+  "files": [
+    "dist",
+    "vendor",
+    "CHANGELOG.md",
+    "README.md",
+    "LICENSE",
+    "NOTICE"
+  ],
+  "keywords": [
+    "sandbox",
+    "seatbelt",
+    "sandbox-exec",
+    "anthropic",
+    "claude",
+    "security",
+    "bubblewrap",
+    "network-filtering",
+    "filesystem-restrictions"
+  ],
+  "author": "Voratiq",
+  "license": "Apache-2.0",
+  "repository": {
+    "type": "git",
+    "url": "git+https://github.com/voratiq/sandbox-runtime.git"
+  },
+  "bugs": {
+    "url": "https://github.com/voratiq/sandbox-runtime/issues"
+  },
+  "homepage": "https://github.com/voratiq/sandbox-runtime#readme",
+  "lint-staged": {
+    "*.ts": [
+      "eslint --fix --cache --cache-location=node_modules/.cache/.eslintcache",
+      "prettier --write"
+    ]
+  }
+}

package/vendor/seccomp-src/apply-seccomp.c

@@ -0,0 +1,98 @@
+/*
+ * apply-seccomp.c - Apply seccomp BPF filter and exec command
+ *
+ * Usage: apply-seccomp <filter.bpf> <command> [args...]
+ *
+ * This program reads a pre-compiled BPF filter from a file, applies it
+ * using prctl(PR_SET_SECCOMP), and then execs the specified command.
+ *
+ * The BPF filter must be in the format expected by SECCOMP_MODE_FILTER:
+ * - struct sock_fprog { unsigned short len; struct sock_filter *filter; }
+ * - Each filter instruction is 8 bytes (BPF instruction format)
+ *
+ * Compile: gcc -static -O2 -o apply-seccomp apply-seccomp.c
+ */
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <unistd.h>
+#include <fcntl.h>
+#include <sys/prctl.h>
+#include <linux/seccomp.h>
+#include <linux/filter.h>
+#include <errno.h>
+
+#ifndef PR_SET_NO_NEW_PRIVS
+#define PR_SET_NO_NEW_PRIVS 38
+#endif
+
+#ifndef SECCOMP_MODE_FILTER
+#define SECCOMP_MODE_FILTER 2
+#endif
+
+#define MAX_FILTER_SIZE 4096  // Maximum BPF filter size in bytes
+
+int main(int argc, char *argv[], char *envp[]) {
+    if (argc < 3) {
+        fprintf(stderr, "Usage: %s <filter.bpf> <command> [args...]\n", argv[0]);
+        return 1;
+    }
+
+    const char *filter_path = argv[1];
+    char **command_argv = &argv[2];
+
+    // Open and read BPF filter file
+    int fd = open(filter_path, O_RDONLY);
+    if (fd < 0) {
+        perror("Failed to open BPF filter file");
+        return 1;
+    }
+
+    // Read filter into memory
+    unsigned char filter_bytes[MAX_FILTER_SIZE];
+    ssize_t filter_size = read(fd, filter_bytes, MAX_FILTER_SIZE);
+    close(fd);
+
+    if (filter_size < 0) {
+        perror("Failed to read BPF filter");
+        return 1;
+    }
+    if (filter_size == 0) {
+        fprintf(stderr, "BPF filter file is empty\n");
+        return 1;
+    }
+    if (filter_size % 8 != 0) {
+        fprintf(stderr, "Invalid BPF filter size: %zd (must be multiple of 8)\n", filter_size);
+        return 1;
+    }
+
+    // Convert bytes to sock_filter instructions
+    unsigned short filter_len = filter_size / 8;
+    struct sock_filter *filter = (struct sock_filter *)filter_bytes;
+
+    // Set up sock_fprog structure
+    struct sock_fprog prog = {
+        .len = filter_len,
+        .filter = filter,
+    };
+
+    // Set NO_NEW_PRIVS to allow seccomp without CAP_SYS_ADMIN
+    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0) {
+        perror("prctl(PR_SET_NO_NEW_PRIVS) failed");
+        return 1;
+    }
+
+    // Apply seccomp filter
+    if (prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog) != 0) {
+        perror("prctl(PR_SET_SECCOMP) failed");
+        return 1;
+    }
+
+    // Exec the command with seccomp filter active
+    execvp(command_argv[0], command_argv);
+
+    // If we get here, exec failed
+    perror("execvp failed");
+    return 1;
+}

package/vendor/seccomp-src/seccomp-unix-block.c

@@ -0,0 +1,97 @@
+/*
+ * Seccomp BPF filter generator to block Unix domain socket creation
+ *
+ * This program generates a seccomp-bpf filter that blocks the socket() syscall
+ * when called with AF_UNIX as the domain argument. This prevents creation of
+ * Unix domain sockets while allowing all other socket types (AF_INET, AF_INET6, etc.)
+ * and all other syscalls.
+ *
+ * The filter is exported in a format compatible with bubblewrap's --seccomp flag.
+ *
+ * SECURITY LIMITATION - 32-bit x86 (ia32):
+ * TODO: This filter does NOT block socketcall() syscall, which is a security issue
+ * on 32-bit x86 systems. On ia32, the socket() syscall doesn't exist - instead,
+ * all socket operations are multiplexed through socketcall():
+ *   - socketcall(SYS_SOCKET, [AF_UNIX, ...]) - can bypass this filter
+ *   - socketcall(SYS_SOCKETPAIR, [AF_UNIX, ...]) - can bypass this filter
+ *
+ * To fix this, we need to add conditional rules that:
+ * 1. Check if socketcall() exists on the current architecture (32-bit x86 only)
+ * 2. Block socketcall(SYS_SOCKET, ...) when first arg of sub-call is AF_UNIX
+ * 3. Block socketcall(SYS_SOCKETPAIR, ...) when first arg of sub-call is AF_UNIX
+ *
+ * This requires inspecting the arguments passed to socketcall, which is more
+ * complex BPF logic. For now, 32-bit x86 is not supported.
+ *
+ * Compilation:
+ *   gcc -o seccomp-unix-block seccomp-unix-block.c -lseccomp
+ *
+ * Usage:
+ *   ./seccomp-unix-block <output-file>
+ *
+ * Dependencies:
+ *   - libseccomp (libseccomp-dev package on Debian/Ubuntu)
+ */
+
+#include <errno.h>
+#include <fcntl.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <unistd.h>
+#include <seccomp.h>
+#include <sys/socket.h>
+#include <sys/stat.h>
+#include <sys/types.h>
+
+int main(int argc, char *argv[]) {
+    scmp_filter_ctx ctx;
+    int rc;
+
+    if (argc != 2) {
+        fprintf(stderr, "Usage: %s <output-file>\n", argv[0]);
+        return 1;
+    }
+
+    const char *output_file = argv[1];
+
+    /* Create seccomp context with default action ALLOW */
+    ctx = seccomp_init(SCMP_ACT_ALLOW);
+    if (ctx == NULL) {
+        fprintf(stderr, "Error: Failed to initialize seccomp context\n");
+        return 1;
+    }
+
+    /* Add rule to block socket(AF_UNIX, ...) */
+    /* socket() syscall signature: int socket(int domain, int type, int protocol) */
+    /* arg0 = domain (AF_UNIX = 1) */
+    rc = seccomp_rule_add(ctx, SCMP_ACT_ERRNO(EPERM), SCMP_SYS(socket), 1,
+                          SCMP_A0(SCMP_CMP_EQ, AF_UNIX));
+    if (rc < 0) {
+        fprintf(stderr, "Error: Failed to add seccomp rule: %s\n", strerror(-rc));
+        seccomp_release(ctx);
+        return 1;
+    }
+
+    /* Export the filter to a file */
+    int fd = open(output_file, O_CREAT | O_WRONLY | O_TRUNC, 0600);
+    if (fd < 0) {
+        fprintf(stderr, "Error: Failed to open output file: %s\n", strerror(errno));
+        seccomp_release(ctx);
+        return 1;
+    }
+
+    rc = seccomp_export_bpf(ctx, fd);
+    if (rc < 0) {
+        fprintf(stderr, "Error: Failed to export seccomp filter: %s\n", strerror(-rc));
+        close(fd);
+        seccomp_release(ctx);
+        return 1;
+    }
+
+    /* Clean up */
+    close(fd);
+    seccomp_release(ctx);
+
+    return 0;
+}