-
-
Notifications
You must be signed in to change notification settings - Fork 78
Expand file tree
/
Copy pathclj-sandbox-example.sb
More file actions
284 lines (250 loc) · 8.69 KB
/
clj-sandbox-example.sb
File metadata and controls
284 lines (250 loc) · 8.69 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
;; =============================================================================
;; MACOS SANDBOX-EXEC PROFILE FOR CLOJURE AI CODING ASSISTANT
;; =============================================================================
;;
;; ⚠️ MACOS ONLY: This is a sandbox profile for macOS's sandbox-exec tool
;; ⚠️ NOT compatible with Linux containers, firejail, or other sandboxing systems
;;
;; This sandbox profile creates a secure environment for running Clojure code
;; evaluation through AI assistants while protecting sensitive system areas.
;;
;; REQUIRES: macOS with sandbox-exec command (built-in but deprecated)
;;
;; SUBPROCESS INHERITANCE:
;; ✓ All child processes inherit these sandbox restrictions
;; ✓ Java ProcessBuilder, shell commands, etc. are all sandboxed
;; ✓ No way for sandboxed code to escape restrictions via subprocesses
;;
;; USAGE:
;; sandbox-exec -f clj-sandbox-example.sb your-command
;;
;; EXAMPLES:
;; # Run a Clojure REPL in sandbox
;; sandbox-exec -f clj-sandbox-example.sb clojure
;;
;; # Start nREPL server in sandbox
;; sandbox-exec -f clj-sandbox-example.sb clojure -M:nrepl
;;
;; # Run any Java command in sandbox
;; sandbox-exec -f clj-sandbox-example.sb java -version
;;
;; # Run bash shell in sandbox (for testing)
;; sandbox-exec -f clj-sandbox-example.sb bash
;;
;; SECURITY FEATURES:
;; ✓ Network access restricted to localhost only
;; ✓ File writes limited to project directories and temp folders
;; ✓ Sensitive directories blocked (Desktop, Documents, .ssh, etc.)
;; ✓ Process execution limited to development tools only
;; ✓ System files and credentials protected
;;
;; CUSTOMIZATION:
;; This is just a rough start that you can use to button down your own env
;;
;; 1. Update the subpath entries under file-write* to match your projects:
;; (subpath "/Users/bruce/workspace/your-project")
;;
;; 2. Modify the username paths from "bruce" to your username
;;
;; 3. Add/remove binaries in the process-exec* section as needed
;;
;; DEBUGGING:
;; - Denials are logged with (debug deny) - check Console.app
;; - Search for "Sandbox:" and your process name
;; - Add allowed operations incrementally based on denials
;;
;; WARNING:
;; - sandbox-exec is deprecated but still functional
;; - Test thoroughly before using with production code
;; - This profile prioritizes functionality over maximum security
;;
;; =============================================================================
;; learn more about the sb syntax by grepping `/System/Library/Sandbox/Profiles/*`
(version 1)
(allow default)
(debug deny)
;; local internet only
(deny network*)
(allow network-bind
(local ip))
(allow network-inbound
(local ip))
(allow network-outbound
(local ip)
(to unix-socket))
;; internet access
;; (allow network-outbound
;; (remote ip "*:80" "*:443")
;; remote nrepl or database ports etc
;; (remote tcp "*:3283" "*:3284" "*:3285"))
(deny file-write*)
(allow file-write*
;; System temp and cache directories
(subpath "/private/tmp")
(subpath "/private/var/tmp")
(regex "^/private/var/folders/.*/T")
(subpath "~/Library/Caches")
(subpath "~/Library/Logs")
(subpath "~/.clojure")
(subpath "/dev/dtracehelper")
;; (literal "/dev/tty")
;; (regex "^/dev/ttys[0-9]+$")
;; CUSTOMIZE THESE
(subpath "/Users/bruce/workspace/llempty/clojure-mcp")
(subpath "/Users/bruce/workspace/llempty/sandboxed")
;; Add other allowed project paths here
)
(deny file-read* file-write*
(subpath "~/Desktop")
(subpath "~/Documents")
(subpath "~/Downloads")
(subpath "~/.ssh")
(subpath "~/.aws")
(regex "^.*\\.key$")
(regex "^.*\\.pem$")
(literal "/etc/passwd")
(literal "/etc/shadow")
(subpath "/etc/ssh")
(subpath "/private/etc/ssh"))
(deny process-exec*)
;; =============================================================================
;; ESSENTIAL BINARIES FOR AI CODING ASSISTANT - FOCUSED LIST
;; =============================================================================
;; This is a curated list of the most useful tools for code development tasks
(allow process-exec*
;; === CORE SHELLS ===
(literal "/bin/bash")
(literal "/bin/sh")
(literal "/bin/zsh")
;; === ESSENTIAL FILE OPERATIONS ===
(literal "/bin/ls")
(literal "/bin/cat")
(literal "/bin/cp")
(literal "/bin/mv")
(literal "/bin/rm")
(literal "/bin/mkdir")
(literal "/bin/chmod")
(literal "/bin/ln")
(literal "/usr/bin/find")
(literal "/usr/bin/which")
(literal "/usr/bin/file")
(literal "/usr/bin/touch")
(literal "/usr/bin/du")
;; === TEXT PROCESSING & SEARCH ===
(literal "/usr/bin/grep")
(literal "/usr/bin/sed")
(literal "/usr/bin/awk")
(literal "/usr/bin/sort")
(literal "/usr/bin/cut")
(literal "/usr/bin/head")
(literal "/usr/bin/tail")
(literal "/usr/bin/wc")
(literal "/usr/bin/uniq")
(literal "/usr/bin/diff")
(literal "/usr/bin/tr")
(literal "/usr/bin/tee")
(literal "/usr/bin/cksum")
;; === VERSION CONTROL ===
(regex "^/Users/bruce/\\.nix-profile/bin/git$") ; Your Nix git
(literal "/usr/bin/git") ; Fallback system git
;; === ARCHIVE/COMPRESSION (Essential only) ===
(literal "/usr/bin/tar")
(literal "/usr/bin/gzip")
(literal "/usr/bin/gunzip")
(literal "/usr/bin/zip")
(literal "/usr/bin/unzip")
;; === BUILD TOOLS ===
(literal "/usr/bin/make")
(literal "/usr/bin/gcc")
(literal "/usr/bin/clang")
(literal "/usr/bin/clang++")
;; === JAVA ECOSYSTEM ===
(regex "^/nix/store/.*/bin/java$")
(regex "^/nix/store/.*/bin/javac$")
(regex "^/nix/store/.*/bin/jar$")
;; === PYTHON ===
(literal "/usr/local/bin/python3")
(literal "/usr/local/bin/pip3")
;; === RUBY ===
(literal "/usr/bin/ruby")
(literal "/usr/bin/gem")
(literal "/usr/bin/bundle")
;; === OTHER USEFUL LANGUAGES ===
(literal "/usr/bin/perl")
(literal "/usr/bin/swift")
;; === CLOJURE TOOLS ===
(literal "/usr/local/bin/clojure")
(literal "/usr/local/bin/clj")
(literal "/usr/local/bin/lein")
(literal "/usr/local/bin/bb")
(literal "/usr/local/bin/cljfmt")
;; Nix versions
(regex "^/nix/store/.*/bin/clojure$")
(regex "^/nix/store/.*/bin/clj$")
(regex "^/nix/store/.*/bin/bb$")
;; === NETWORK TOOLS (Essential) ===
(literal "/usr/bin/curl")
(literal "/usr/bin/ssh")
(literal "/usr/bin/scp")
(literal "/usr/bin/rsync")
;; === EDITORS ===
(literal "/usr/bin/vim")
(literal "/usr/bin/nano")
;; === DATA TOOLS ===
(literal "/usr/bin/jq")
(literal "/usr/bin/sqlite3")
;; === PROCESS MANAGEMENT ===
(literal "/bin/ps")
(literal "/bin/kill")
(literal "/usr/bin/killall")
;; === PACKAGE MANAGERS ===
(literal "/usr/local/bin/brew")
;; === CONTAINER TOOLS (if needed) ===
(literal "/usr/local/bin/docker")
(literal "/usr/local/bin/kubectl")
;; === SYSTEM INFO ===
(literal "/bin/pwd")
(literal "/bin/echo")
(literal "/bin/date")
(literal "/usr/bin/less") ; For viewing files
(literal "/usr/bin/stat")
;; === ALLOW SELECTIVE NIX TOOLS ===
;; Instead of allowing ALL nix tools, be more selective
(regex "^/nix/store/.*/bin/")
)
;; =============================================================================
;; RATIONALE FOR THIS FOCUSED LIST:
;; =============================================================================
;;
;; INCLUDED - Essential for coding tasks:
;; • File operations: ls, cat, find, grep - core workflow
;; • Text processing: sed, awk, sort - code manipulation
;; • Version control: git - fundamental for any project
;; • Build tools: make, gcc/clang - compiling code
;; • Languages: Java, Python, Ruby, Clojure - your main languages
;; • Data tools: jq, sqlite3 - common in development
;; • Network: curl, ssh - downloading dependencies, remote access
;;
;; EXCLUDED - Less essential for LLM coding assistant:
;; • System admin tools: dd, sync, stty, launchctl
;; • Multiple compression formats: bzip2, compress (kept tar/gzip)
;; • Rarely used text tools: expand, unexpand, fold
;; • Advanced debugging: objdump, nm, strings
;; • Network debugging: ping, telnet, nslookup
;; • Multiple shells: csh, tcsh, ksh (kept bash/zsh)
;;
;; RESULT: ~40 essential tools vs 100+ comprehensive list
;;
;; This gives the LLM everything needed for:
;; ✓ Reading/writing/organizing code files
;; ✓ Searching and analyzing codebases
;; ✓ Building and running programs
;; ✓ Managing dependencies and packages
;; ✓ Version control operations
;; ✓ Basic system tasks and process management
;;
;; While avoiding tools that could be:
;; ✗ Used for system administration beyond coding
;; ✗ Security risks if misused
;; ✗ Confusing due to too many similar options
;; =============================================================================