The sandbox system provides platform-aware isolation for command execution. It lives in `src/attocode/integrations/safety/sandbox/`.
| Implementation | Platform | Mechanism | Status |
|---|---|---|---|
| BasicSandbox | All | Allowlist/blocklist | Production |
| SeatbeltSandbox | macOS | sandbox-exec profiles | Production |
| LandlockSandbox | Linux 5.13+ | Landlock LSM syscalls | Production |
| DockerSandbox | All (Docker) | Container isolation | Production |
With mode `"auto"` (the default), the implementation is chosen as follows:
- macOS → SeatbeltSandbox
- Linux 5.13+ → LandlockSandbox
- Docker available → DockerSandbox
- Fallback → BasicSandbox
```json
{
  "sandboxMode": "auto"
}
```

```python
agent = (
    AgentBuilder()
    .with_sandbox(True)
    .build()
)
```

BasicSandbox validates commands against allowlists and blocklists before execution:
- Default allowed: `node`, `npm`, `git`, `python`, `pip`, `ls`, `cat`, `grep`, etc.
- Default blocked: `rm -rf /`, `sudo`, `chmod 777`, etc.
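The allowlist/blocklist check described above, as an added example written for this page and not the project's own BasicSandbox code: it tokenizes the command like a POSIX shell so that compound commands (`ls; sudo ...`) are checked segment by segment, and it treats the blocklist as defence in depth behind the allowlist. The default lists are the ones quoted on the page; the `Verdict` type and `SEPARATORS` set are assumptions.

```python
import shlex
from dataclasses import dataclass

# Defaults as quoted on the page; the full production lists are not reproduced here.
DEFAULT_ALLOWED = frozenset({"node", "npm", "git", "python", "pip", "ls", "cat", "grep"})
DEFAULT_BLOCKED = ("rm -rf /", "sudo", "chmod 777")

# Shell control operators that begin a new command. Every segment is checked against the
# allowlist, so a harmless first command cannot launder what follows it.
SEPARATORS = frozenset({"&&", "||", ";", "|", "&", "(", ")"})


@dataclass
class Verdict:
    allowed: bool
    reason: str


def tokenize(command: str) -> list[str]:
    """POSIX-style tokenization that keeps operators as their own tokens ("ls;sudo" -> 3 tokens)."""
    lexer = shlex.shlex(command, posix=True, punctuation_chars=True)
    lexer.whitespace_split = True
    return list(lexer)


def validate_command(command: str,
                     allowed: frozenset[str] = DEFAULT_ALLOWED,
                     blocked: tuple[str, ...] = DEFAULT_BLOCKED) -> Verdict:
    """Deny on any blocked token sequence, then require every segment's program to be allowed."""
    try:
        tokens = tokenize(command)
    except ValueError as exc:  # unbalanced quotes: fail closed rather than guess
        return Verdict(False, f"unparseable command: {exc}")
    if not tokens:
        return Verdict(False, "empty command")

    # 1. Blocklist: a pattern matches when its tokens appear contiguously anywhere.
    for pattern in blocked:
        needle = tokenize(pattern)
        n = len(needle)
        if any(tokens[i:i + n] == needle for i in range(len(tokens) - n + 1)):
            return Verdict(False, f"matches blocked pattern: {pattern!r}")

    # 2. Allowlist (the primary control): argv[0] of every segment must be allowed. This is
    #    what stops variants the blocklist misses, e.g. "rm -fr /" instead of "rm -rf /".
    segment_start = True
    for tok in tokens:
        if tok in SEPARATORS:
            segment_start = True
        elif segment_start:
            if tok not in allowed:
                return Verdict(False, f"program not in allowlist: {tok!r}")
            segment_start = False
    return Verdict(True, "ok")
```

Note that an environment-assignment prefix such as `FOO=1 ls` is denied because `FOO=1` is not an allowed program; the check fails closed on anything it does not understand.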
SeatbeltSandbox uses `sandbox-exec` with dynamically generated profiles:
- Restricts filesystem access to writable/readable paths
- Blocks network access by default
- Uses Apple's Seatbelt framework
LandlockSandbox uses the Linux Landlock LSM via ctypes syscall wrappers:
- `landlock_create_ruleset` - Creates a new ruleset
- `landlock_add_rule` - Adds path-based rules
- `landlock_restrict_self` - Applies the restrictions to the process
Requires:
- Linux kernel 5.13+
- `PR_SET_NO_NEW_PRIVS` set on the process (via `prctl`) before restricting
- No root required
DockerSandbox provides full container isolation with:
- Configurable memory and CPU limits
- Mount-based filesystem access
- Network isolation
- Timeout enforcement
The PolicyEngine determines permission levels:
| Tool | Default Policy | Danger Level |
|---|---|---|
| `read_file`, `glob`, `grep` | ALLOW | Safe |
| `write_file`, `edit_file` | ALLOW | Low |
| `bash` | PROMPT | Medium |
| `spawn_agent` | ALLOW | Low |
| Unknown tools | PROMPT | Medium |
Permissions can be persisted via the `remembered_permissions` table in SQLite.