fix(sandbox): address review feedback on execute_file and ABI message

congwang-mk · congwang · commit ec8b3477a2e9 · 2026-06-02T22:36:51.000-07:00
Code-review fixes from PR #1367: * execute_file no longer allowlists the script's entire parent directory for Landlock read. Only the script file itself is granted read access, so sibling files on the host are never exposed (gemini flagged this as high severity). Verified end-to-end against real sandlock: a script that tries to read a sibling file is denied. * _build_sandbox_kwargs filters extra_readable with os.path.exists instead of os.path.isdir, so individual files (not just directories) can be allowlisted — required for the file-only execute_file path. * Corrected the Landlock kernel version in the fail-loud error message. The wrapper now requires ABI >= min_landlock_abi() (currently v6), which shipped in Linux 6.12 — not 6.7. The message is phrased around the ABI version so it stays correct as the SDK's minimum changes. * test_sandlock_execution_success now uses bytes for stdout/stderr (to exercise the _decode() byte path, matching real sandlock) and sets result.success = True explicitly. Note: the suggestion to also add temp_dir/working_dir to fs_readable was not applied — sandlock's fs_writable already grants read access ("fs_readable ... in addition to writable paths"), confirmed by test.
diff --git a/src/praisonai/praisonai/sandbox/sandlock.py b/src/praisonai/praisonai/sandbox/sandlock.py
@@ -76,8 +76,9 @@ def __init__(
             )
 
         # Fail loud if Landlock isn't supported on this kernel.  sandlock
-        # requires a minimum Landlock ABI (currently v6, Linux 6.7+); query
-        # it rather than hard-coding so we track the SDK's own requirement.
+        # requires a minimum Landlock ABI (currently v6, which shipped in
+        # Linux 6.12); query it rather than hard-coding so we track the SDK's
+        # own requirement.
         try:
             abi = self._sandlock.landlock_abi_version()
             min_abi = self._sandlock.min_landlock_abi()
@@ -87,10 +88,11 @@ def __init__(
             ) from e
         if abi < min_abi:
             raise RuntimeError(
-                "SandlockSandbox requires Landlock support (Linux kernel "
-                f">= 6.7 with CONFIG_SECURITY_LANDLOCK=y and ABI >= {min_abi}). "
-                f"This kernel reports Landlock ABI version {abi}.  Use "
-                "SubprocessSandbox explicitly if weaker isolation is acceptable."
+                "SandlockSandbox requires Landlock ABI >= "
+                f"{min_abi} (Linux kernel >= 6.12 with "
+                "CONFIG_SECURITY_LANDLOCK=y).  This kernel reports Landlock "
+                f"ABI version {abi}.  Use SubprocessSandbox explicitly if "
+                "weaker isolation is acceptable."
             )
 
     @property
@@ -159,8 +161,12 @@ def _build_sandbox_kwargs(
         ]
         allowed_read_paths = [p for p in _candidate_read_paths if os.path.isdir(p)]
         if extra_readable:
+            # extra_readable may name individual files (e.g. the single script
+            # passed to execute_file), so accept any path that exists — not
+            # just directories.  Landlock grants read on a named file without
+            # exposing its siblings.
             allowed_read_paths.extend(
-                p for p in extra_readable if os.path.isdir(p)
+                p for p in extra_readable if os.path.exists(p)
             )
 
         allowed_write_paths = []
@@ -358,9 +364,9 @@ async def execute_file(
         """Execute a file in the sandbox.
 
         The script is passed to the interpreter by path rather than slurped
-        through ``-c``, so large scripts don't hit ARG_MAX.  The file's
-        parent directory is added to the Landlock read allowlist for this
-        run so the sandboxed process can actually open it.
+        through ``-c``, so large scripts don't hit ARG_MAX.  Only the script
+        file itself — not its parent directory — is added to the Landlock
+        read allowlist, so sibling files on the host are never exposed.
         """
         if not self._is_running:
             await self.start()
@@ -386,7 +392,7 @@ async def execute_file(
             limits=limits,
             env=env,
             working_dir=self._temp_dir,
-            extra_readable=[os.path.dirname(abs_path)],
+            extra_readable=[abs_path],
         )
     
     async def run_command(
diff --git a/src/praisonai/tests/unit/sandbox/test_sandlock_sandbox.py b/src/praisonai/tests/unit/sandbox/test_sandlock_sandbox.py
@@ -117,9 +117,11 @@ async def test_sandlock_execution_success(self):
         """Test successful code execution with sandlock."""
         mock_sandlock = Mock()
         mock_result = Mock()
+        mock_result.success = True
         mock_result.exit_code = 0
-        mock_result.stdout = "Hello, World!"
-        mock_result.stderr = ""
+        # Real sandlock returns bytes; exercise the _decode() byte path.
+        mock_result.stdout = b"Hello, World!"
+        mock_result.stderr = b""
 
         mock_sandlock.Sandbox.return_value = Mock(run=Mock(return_value=mock_result))
         mock_sandlock.landlock_abi_version.return_value = 6  # >= 6, so available
