Class: RubyLLM::Toolbox::Sandbox::Bubblewrap

Inherits:

Base

Object
Base
RubyLLM::Toolbox::Sandbox::Bubblewrap

show all

Defined in:: lib/ruby_llm/toolbox/sandbox/bubblewrap.rb

Overview

Linux host-process sandbox via bubblewrap (bwrap). No daemon, no image: it runs the host’s interpreters inside fresh namespaces. Isolation:

--unshare-all     new PID/IPC/UTS/cgroup/user/NET namespaces -> no network
--die-with-parent dies if the toolbox process is killed (enforces timeout)
--ro-bind / /     the host filesystem, read-only (so any interpreter
                  path resolves) — nothing on the host can be written
--proc/--dev      fresh /proc and a minimal /dev
--tmpfs /tmp ...  the only writable space, in memory

Memory/CPU caps are applied as rlimits (inherited by the child), since bwrap doesn’t do cgroup limits itself.

Note: unlike Docker, the host filesystem is readable (read-only) inside the sandbox. For read-confidentiality on a host with secrets, prefer Docker, or add masks (e.g. “–tmpfs”, “/home”) via config.sandbox_bwrap_extra.

Constant Summary collapse

Unavailable =

Sandbox::Unavailable

Instance Attribute Summary

Attributes inherited from Base

#config

Instance Method Summary collapse

#available? ⇒ Boolean
#command(command_argv, image: nil) ⇒ Object
#run(command_argv, stdin: nil, image: nil) ⇒ Object

Methods inherited from Base

#initialize, #name

Constructor Details

This class inherits a constructor from RubyLLM::Toolbox::Sandbox::Base

Instance Method Details

#available? ⇒ `Boolean`

Returns:

(Boolean)

# File 'lib/ruby_llm/toolbox/sandbox/bubblewrap.rb', line 26

def available?
  return false unless Sandbox.linux?

  system("bwrap", "--version", out: File::NULL, err: File::NULL)
rescue StandardError
  false
end

#command(command_argv, image: nil) ⇒ `Object`

# File 'lib/ruby_llm/toolbox/sandbox/bubblewrap.rb', line 47

def command(command_argv, image: nil)
  [
    "bwrap",
    "--unshare-all",
    "--die-with-parent",
    "--new-session",
    "--ro-bind", "/", "/",
    "--proc", "/proc",
    "--dev", "/dev",
    "--tmpfs", "/tmp",
    "--tmpfs", "/run",
    "--tmpfs", "/dev/shm",
    "--chdir", "/tmp",
    *Array(config.sandbox_bwrap_extra),
    "--",
    *command_argv
  ]
end

#run(command_argv, stdin: nil, image: nil) ⇒ `Object`

Raises:

(Unavailable)

# File 'lib/ruby_llm/toolbox/sandbox/bubblewrap.rb', line 34

def run(command_argv, stdin: nil, image: nil)
  raise Unavailable, "bubblewrap (bwrap) is not available on this Linux host" unless available?

  ProcessRunner.capture(
    command(command_argv, image: image),
    env: sandbox_env,
    stdin: stdin,
    timeout: config.command_timeout,
    unsetenv_others: true,
    rlimits: spawn_rlimits
  )
end