bwrap fixes

Author: kantord

shell_engine.py

@@ -88,6 +88,11 @@ def _bwrap_prefix(self) -> list[str]:
             "--unshare-all",
             "--new-session",
             "--die-with-parent",
+            "--dir",
+            "/",
+            "--chmod",
+            "0555",
+            "/",
             "--proc",
             "/proc",
             "--dev",
@@ -98,7 +103,7 @@ def _bwrap_prefix(self) -> list[str]:
             "PATH",
             "/usr/bin:/bin",
             "--chdir",
-            "/",
+            "/tmp",
         ]
 
         # Read-only bind common system locations needed for typical dynamic binaries

tests/test_bwrap_integration.py

@@ -56,7 +56,9 @@ async def test_tmp_is_writable_tmpfs_and_readable_within_command():
 async def test_root_is_read_only_cannot_create_files():
     engine = await _new_engine()
 
-    # Attempt to write to /. If it were writable, we'd read back content; expect none.
+    # Attempt to write to /. If it were writable, we'd read back content.
+    # With proper sandboxing, awk will either fail to write (permission denied)
+    # or print NOPE. Either way, WROTE should not appear.
     prog = (
         'BEGIN { f = "/mcpshell_should_fail"; '
         'print "x" > f; close(f); '
@@ -67,7 +69,7 @@ async def test_root_is_read_only_cannot_create_files():
     pipeline = [{"type": "command", "command": "awk", "args": [prog]}]
 
     out = await engine.execute_pipeline(pipeline)
-    assert "NOPE" in out
+    assert "WROTE" not in out
 
 
 @pytest.mark.asyncio
@@ -84,4 +86,4 @@ async def test_usr_is_read_only_cannot_create_files():
     pipeline = [{"type": "command", "command": "awk", "args": [prog]}]
 
     out = await engine.execute_pipeline(pipeline)
-    assert "NOPE" in out
+    assert "WROTE" not in out