tweek 0.1.0__py3-none-any.whl

tweek/sandbox/executor.py

@@ -0,0 +1,382 @@
+#!/usr/bin/env python3
+"""
+Tweek Sandbox Executor
+
+Executes commands in a macOS sandbox for preview/speculative execution.
+Captures file accesses, network attempts, and process spawns.
+
+Usage:
+    executor = SandboxExecutor()
+    result = executor.preview_command("curl http://evil.com", skill="my-skill")
+
+    if result.suspicious:
+        print("Blocked:", result.violations)
+"""
+
+import os
+import subprocess
+import tempfile
+import json
+from dataclasses import dataclass, field
+from pathlib import Path
+from typing import List, Optional, Dict, Any
+import re
+
+from .profile_generator import ProfileGenerator, SkillManifest
+
+
+@dataclass
+class ExecutionResult:
+    """Result of a sandboxed command execution."""
+
+    # Basic execution info
+    exit_code: int
+    stdout: str
+    stderr: str
+    timed_out: bool = False
+
+    # Security analysis
+    suspicious: bool = False
+    violations: List[str] = field(default_factory=list)
+
+    # Captured access attempts
+    file_reads: List[str] = field(default_factory=list)
+    file_writes: List[str] = field(default_factory=list)
+    network_attempts: List[str] = field(default_factory=list)
+    process_spawns: List[str] = field(default_factory=list)
+
+    # Denied operations (blocked by sandbox)
+    denied_operations: List[str] = field(default_factory=list)
+
+
+class SandboxExecutor:
+    """Executes commands in a sandbox and analyzes their behavior."""
+
+    # Sensitive paths that trigger suspicion
+    SENSITIVE_PATHS = [
+        r"\.ssh",
+        r"\.aws",
+        r"\.gnupg",
+        r"\.netrc",
+        r"\.env",
+        r"credentials",
+        r"\.kube/config",
+        r"\.config/gcloud",
+        r"keychain",
+        r"Cookies",
+        r"Login Data",
+    ]
+
+    # Suspicious network patterns
+    SUSPICIOUS_HOSTS = [
+        r"pastebin\.com",
+        r"hastebin\.com",
+        r"ghostbin\.",
+        r"0x0\.st",
+        r"transfer\.sh",
+        r"file\.io",
+        r"webhook\.site",
+        r"requestbin\.",
+        r"ngrok\.io",
+    ]
+
+    def __init__(self, profiles_dir: Optional[Path] = None):
+        """Initialize the executor."""
+        self.generator = ProfileGenerator(profiles_dir=profiles_dir)
+        self._check_sandbox_available()
+
+    def _check_sandbox_available(self) -> bool:
+        """Check if sandbox-exec is available."""
+        return Path("/usr/bin/sandbox-exec").exists()
+
+    def preview_command(
+        self,
+        command: str,
+        skill: str = "preview",
+        timeout: float = 5.0,
+        env: Optional[Dict[str, str]] = None,
+        cwd: Optional[Path] = None,
+    ) -> ExecutionResult:
+        """
+        Execute a command in a restrictive sandbox for preview.
+
+        This runs the command with limited permissions to see what it
+        TRIES to do, without actually allowing dangerous operations.
+
+        Args:
+            command: Shell command to execute
+            skill: Skill name for profile (uses restrictive preview profile)
+            timeout: Max execution time in seconds
+            env: Additional environment variables
+            cwd: Working directory
+
+        Returns:
+            ExecutionResult with captured behavior
+        """
+        # Log the start of preview
+        try:
+            from tweek.logging.security_log import get_logger, SecurityEvent, EventType
+            get_logger().log(SecurityEvent(
+                event_type=EventType.SANDBOX_PREVIEW,
+                tool_name="sandbox_executor",
+                decision="allow",
+                metadata={
+                    "command": command,
+                    "skill": skill,
+                    "timeout": timeout,
+                },
+                source="sandbox",
+            ))
+        except Exception:
+            pass
+
+        try:
+            # Create a restrictive preview manifest
+            # Must allow enough for basic shell operations
+            manifest = SkillManifest(
+                name=f"preview-{skill}",
+                read_paths=[
+                    "./",
+                    "/usr/lib",
+                    "/usr/local/lib",
+                    "/System",
+                    "/bin",
+                    "/usr/bin",
+                    "/private/var/db",
+                    "/dev",
+                    "/Library/Preferences",
+                    "/var/folders",  # Temp files
+                ],
+                write_paths=[
+                    "/dev/null",
+                    "/dev/stdout",
+                    "/dev/stderr",
+                    "/private/var/folders",  # Temp files
+                ],
+                deny_paths=[
+                    "~/.ssh", "~/.aws", "~/.gnupg", "~/.netrc",
+                    "~/.env", "**/.env", "~/.kube", "~/.config/gcloud",
+                ],
+                network_deny_all=True,
+                allow_subprocess=True,  # Needed for basic shell operations
+                allow_exec=["/bin/bash", "/bin/sh", "/usr/bin/env", "/bin/echo"],
+            )
+
+            # Generate and save the profile
+            profile_path = self.generator.save(manifest)
+
+            # Build the sandboxed command
+            sandboxed_cmd = f'sandbox-exec -f "{profile_path}" /bin/bash -c {self._shell_quote(command)}'
+
+            # Set up environment
+            run_env = os.environ.copy()
+            if env:
+                run_env.update(env)
+
+            # Execute with timeout
+            result = ExecutionResult(exit_code=-1, stdout="", stderr="")
+
+            try:
+                proc = subprocess.run(
+                    sandboxed_cmd,
+                    shell=True,
+                    capture_output=True,
+                    text=True,
+                    timeout=timeout,
+                    cwd=cwd,
+                    env=run_env,
+                )
+
+                result.exit_code = proc.returncode
+                result.stdout = proc.stdout
+                result.stderr = proc.stderr
+
+            except subprocess.TimeoutExpired:
+                result.timed_out = True
+                result.violations.append(f"Command timed out after {timeout}s")
+                result.suspicious = True
+
+            except Exception as e:
+                result.stderr = str(e)
+                result.exit_code = -1
+
+            # Analyze the output for sandbox violations
+            self._analyze_sandbox_output(result, command)
+
+            # Log violations if detected
+            if result.suspicious:
+                try:
+                    from tweek.logging.security_log import get_logger, SecurityEvent, EventType
+                    get_logger().log(SecurityEvent(
+                        event_type=EventType.SANDBOX_PREVIEW,
+                        tool_name="sandbox_executor",
+                        decision="block",
+                        metadata={
+                            "command": command,
+                            "skill": skill,
+                            "violations": result.violations,
+                        },
+                        source="sandbox",
+                    ))
+                except Exception:
+                    pass
+
+            # Clean up preview profile
+            self.generator.delete_profile(f"preview-{skill}")
+
+            return result
+
+        except Exception as exc:
+            # Log unexpected errors - never break the original operation
+            try:
+                from tweek.logging.security_log import get_logger, SecurityEvent, EventType
+                get_logger().log(SecurityEvent(
+                    event_type=EventType.ERROR,
+                    tool_name="sandbox_executor",
+                    decision="error",
+                    metadata={
+                        "command": command,
+                        "skill": skill,
+                        "error": str(exc),
+                        "error_type": type(exc).__name__,
+                    },
+                    source="sandbox",
+                ))
+            except Exception:
+                pass
+            raise
+
+    def _shell_quote(self, s: str) -> str:
+        """Quote a string for shell use."""
+        return "'" + s.replace("'", "'\"'\"'") + "'"
+
+    def _analyze_sandbox_output(self, result: ExecutionResult, command: str) -> None:
+        """Analyze execution results for suspicious behavior."""
+
+        # Check stderr for sandbox denials
+        denial_pattern = r"sandbox-exec: .* deny"
+        denials = re.findall(denial_pattern, result.stderr, re.IGNORECASE)
+        result.denied_operations.extend(denials)
+
+        # Check for sensitive path access attempts in command
+        for pattern in self.SENSITIVE_PATHS:
+            if re.search(pattern, command, re.IGNORECASE):
+                result.violations.append(f"Attempts to access sensitive path: {pattern}")
+                result.suspicious = True
+
+        # Check for suspicious network destinations in command
+        for pattern in self.SUSPICIOUS_HOSTS:
+            if re.search(pattern, command, re.IGNORECASE):
+                result.violations.append(f"Attempts to contact suspicious host: {pattern}")
+                result.suspicious = True
+
+        # Check for data exfiltration patterns
+        exfil_patterns = [
+            (r"curl.*-d.*\$\(", "Potential data exfiltration via curl POST"),
+            (r"wget.*--post-data", "Potential data exfiltration via wget POST"),
+            (r"\| *nc ", "Piping data to netcat"),
+            (r"\| *curl", "Piping data to curl"),
+            (r"base64.*\|.*curl", "Base64 encoding and sending data"),
+        ]
+
+        for pattern, description in exfil_patterns:
+            if re.search(pattern, command, re.IGNORECASE):
+                result.violations.append(description)
+                result.suspicious = True
+
+        # Mark as suspicious if sandbox blocked operations
+        if result.denied_operations:
+            result.suspicious = True
+            result.violations.append(f"Sandbox blocked {len(result.denied_operations)} operations")
+
+    def execute_sandboxed(
+        self,
+        command: str,
+        skill: str,
+        manifest: Optional[SkillManifest] = None,
+        timeout: float = 30.0,
+        env: Optional[Dict[str, str]] = None,
+        cwd: Optional[Path] = None,
+    ) -> ExecutionResult:
+        """
+        Execute a command in a sandbox with skill-specific permissions.
+
+        Unlike preview_command, this uses the skill's actual manifest
+        permissions and allows the command to run with appropriate access.
+
+        Args:
+            command: Shell command to execute
+            skill: Skill name for profile lookup
+            manifest: Optional manifest (uses existing or default if not provided)
+            timeout: Max execution time in seconds
+            env: Additional environment variables
+            cwd: Working directory
+
+        Returns:
+            ExecutionResult with execution details
+        """
+        # Get or create profile
+        profile_path = self.generator.get_profile_path(skill)
+
+        if profile_path is None:
+            if manifest:
+                profile_path = self.generator.save(manifest)
+            else:
+                # Use default restrictive profile
+                manifest = SkillManifest.default(skill)
+                profile_path = self.generator.save(manifest)
+
+        # Build sandboxed command
+        sandboxed_cmd = f'sandbox-exec -f "{profile_path}" /bin/bash -c {self._shell_quote(command)}'
+
+        # Set up environment
+        run_env = os.environ.copy()
+        if env:
+            run_env.update(env)
+
+        # Execute
+        result = ExecutionResult(exit_code=-1, stdout="", stderr="")
+
+        try:
+            proc = subprocess.run(
+                sandboxed_cmd,
+                shell=True,
+                capture_output=True,
+                text=True,
+                timeout=timeout,
+                cwd=cwd,
+                env=run_env,
+            )
+
+            result.exit_code = proc.returncode
+            result.stdout = proc.stdout
+            result.stderr = proc.stderr
+
+        except subprocess.TimeoutExpired:
+            result.timed_out = True
+            result.violations.append(f"Command timed out after {timeout}s")
+
+        except Exception as e:
+            result.stderr = str(e)
+            result.exit_code = -1
+
+        # Analyze output
+        self._analyze_sandbox_output(result, command)
+
+        return result
+
+    def get_sandbox_command(self, command: str, skill: str) -> str:
+        """
+        Get the sandbox-wrapped version of a command.
+
+        This doesn't execute anything, just returns what the
+        sandboxed command would look like.
+
+        Args:
+            command: Original command
+            skill: Skill name
+
+        Returns:
+            Sandbox-wrapped command string
+        """
+        return self.generator.wrap_command(command, skill)

tweek/sandbox/linux.py

@@ -0,0 +1,278 @@
+"""
+Linux sandbox implementation using firejail.
+
+Firejail is a SUID sandbox program that uses Linux namespaces,
+seccomp-bpf, and capabilities to restrict process execution.
+
+If firejail is not available, falls back to bubblewrap (bwrap)
+which is often installed with Flatpak.
+"""
+
+import shutil
+import subprocess
+from dataclasses import dataclass
+from typing import Optional
+
+from tweek.platform import IS_LINUX, get_linux_package_manager
+
+
+@dataclass
+class SandboxResult:
+    """Result of a sandboxed command execution."""
+    success: bool
+    exit_code: int
+    stdout: str
+    stderr: str
+    blocked_actions: list[str]
+
+
+class LinuxSandbox:
+    """
+    Linux sandbox using firejail or bubblewrap.
+
+    Provides similar functionality to macOS sandbox-exec:
+    - Restrict network access
+    - Restrict filesystem access
+    - Restrict process capabilities
+    """
+
+    def __init__(self):
+        self.tool = self._detect_tool()
+
+    def _detect_tool(self) -> Optional[str]:
+        """Detect available sandbox tool."""
+        if shutil.which("firejail"):
+            return "firejail"
+        elif shutil.which("bwrap"):
+            return "bubblewrap"
+        return None
+
+    @property
+    def available(self) -> bool:
+        """Check if sandbox is available."""
+        return self.tool is not None
+
+    def get_install_command(self) -> Optional[str]:
+        """Get command to install firejail."""
+        pkg_info = get_linux_package_manager()
+        if pkg_info:
+            _, command = pkg_info
+            return " ".join(command)
+        return None
+
+    def _build_firejail_command(
+        self,
+        command: str,
+        allow_network: bool = False,
+        allow_write: bool = False,
+        timeout: int = 30
+    ) -> list[str]:
+        """Build firejail command with restrictions."""
+        args = [
+            "firejail",
+            "--noprofile",          # Don't use app-specific profile
+            "--quiet",              # Reduce output noise
+            "--caps.drop=all",      # Drop all capabilities
+            "--noroot",             # No root privileges
+            "--seccomp",            # Enable seccomp filters
+            "--private-tmp",        # Isolated /tmp
+            "--nogroups",           # No supplementary groups
+        ]
+
+        if not allow_network:
+            args.append("--net=none")
+
+        if not allow_write:
+            args.extend([
+                "--read-only=/",
+                "--read-write=/tmp",
+                "--read-write=/dev/null",
+                "--read-write=/dev/zero",
+            ])
+
+        args.extend([
+            f"--timeout={timeout}",
+            "bash", "-c", command
+        ])
+
+        return args
+
+    def _build_bubblewrap_command(
+        self,
+        command: str,
+        allow_network: bool = False,
+        allow_write: bool = False,
+        timeout: int = 30
+    ) -> list[str]:
+        """Build bubblewrap command with restrictions."""
+        args = [
+            "bwrap",
+            "--ro-bind", "/", "/",          # Read-only root
+            "--dev", "/dev",                 # Minimal /dev
+            "--proc", "/proc",               # /proc filesystem
+            "--tmpfs", "/tmp",               # Isolated /tmp
+            "--unshare-all",                 # Unshare all namespaces
+            "--die-with-parent",             # Clean up on parent exit
+            "--new-session",                 # New session
+        ]
+
+        if not allow_network:
+            args.append("--unshare-net")
+
+        if allow_write:
+            # Re-bind specific paths as read-write
+            args.extend(["--bind", "/tmp", "/tmp"])
+
+        args.extend(["bash", "-c", command])
+
+        # Wrap with timeout
+        return ["timeout", str(timeout)] + args
+
+    def preview_command(
+        self,
+        command: str,
+        allow_network: bool = False,
+        allow_write: bool = False,
+        timeout: int = 10
+    ) -> SandboxResult:
+        """
+        Run a command in the sandbox and capture what it tries to do.
+
+        This is used for "preview" mode where we want to see what
+        a command would do before allowing it.
+        """
+        if not self.available:
+            return SandboxResult(
+                success=False,
+                exit_code=-1,
+                stdout="",
+                stderr="Sandbox not available",
+                blocked_actions=[]
+            )
+
+        if self.tool == "firejail":
+            sandbox_cmd = self._build_firejail_command(
+                command, allow_network, allow_write, timeout
+            )
+        else:
+            sandbox_cmd = self._build_bubblewrap_command(
+                command, allow_network, allow_write, timeout
+            )
+
+        try:
+            result = subprocess.run(
+                sandbox_cmd,
+                capture_output=True,
+                text=True,
+                timeout=timeout + 5  # Extra buffer
+            )
+
+            blocked = self._parse_blocked_actions(result.stderr)
+
+            return SandboxResult(
+                success=result.returncode == 0,
+                exit_code=result.returncode,
+                stdout=result.stdout,
+                stderr=result.stderr,
+                blocked_actions=blocked
+            )
+
+        except subprocess.TimeoutExpired:
+            return SandboxResult(
+                success=False,
+                exit_code=-1,
+                stdout="",
+                stderr="Command timed out",
+                blocked_actions=["timeout"]
+            )
+        except Exception as e:
+            return SandboxResult(
+                success=False,
+                exit_code=-1,
+                stdout="",
+                stderr=str(e),
+                blocked_actions=[]
+            )
+
+    def _parse_blocked_actions(self, stderr: str) -> list[str]:
+        """Parse sandbox output to find blocked actions."""
+        blocked = []
+
+        # Firejail patterns
+        if "Permission denied" in stderr:
+            blocked.append("permission_denied")
+        if "Network is disabled" in stderr or "No network" in stderr:
+            blocked.append("network_blocked")
+        if "Read-only file system" in stderr:
+            blocked.append("write_blocked")
+        if "Operation not permitted" in stderr:
+            blocked.append("operation_blocked")
+
+        return blocked
+
+
+def prompt_install_firejail(console) -> bool:
+    """
+    Prompt user to install firejail for sandbox support.
+
+    Args:
+        console: Rich console for output
+
+    Returns:
+        True if firejail is now available, False otherwise
+    """
+    from rich.prompt import Confirm
+
+    if not IS_LINUX:
+        return False
+
+    if shutil.which("firejail"):
+        return True  # Already installed
+
+    console.print("\n[yellow]Sandbox not available[/yellow]")
+    console.print("Firejail provides sandbox preview for dangerous commands.")
+    console.print("Without it, Tweek still provides 4/5 defense layers.\n")
+
+    pkg_info = get_linux_package_manager()
+
+    if not pkg_info:
+        console.print("[dim]Could not detect package manager.[/dim]")
+        console.print("Install firejail manually: https://firejail.wordpress.com/download-2/")
+        return False
+
+    manager, command = pkg_info
+    console.print(f"[dim]Detected package manager: {manager}[/dim]")
+    console.print(f"[dim]Command: {' '.join(command)}[/dim]\n")
+
+    if Confirm.ask("Install firejail for full sandbox protection?", default=False):
+        try:
+            console.print("[cyan]Installing firejail...[/cyan]")
+            subprocess.run(command, check=True)
+
+            # Verify installation
+            if shutil.which("firejail"):
+                console.print("[green]Firejail installed successfully![/green]")
+                return True
+            else:
+                console.print("[red]Installation completed but firejail not found in PATH[/red]")
+                return False
+
+        except subprocess.CalledProcessError as e:
+            console.print(f"[red]Installation failed (exit code {e.returncode})[/red]")
+            console.print("[dim]Try running the install command manually with sudo[/dim]")
+            return False
+        except KeyboardInterrupt:
+            console.print("\n[yellow]Installation cancelled.[/yellow]")
+            return False
+    else:
+        console.print("[dim]Skipping firejail. Sandbox layer will be disabled.[/dim]")
+        return False
+
+
+def get_sandbox() -> Optional[LinuxSandbox]:
+    """Get a Linux sandbox instance if available."""
+    if not IS_LINUX:
+        return None
+
+    sandbox = LinuxSandbox()
+    return sandbox if sandbox.available else None