Add process isolation and persistent sessions for all commands (#59)

* Add process isolation for sandbox commands

Implements PID namespace isolation to protect control plane processes (Jupyter, Bun)
from sandboxed code. Commands executed via exec() now run in isolated namespaces.

Key changes:
- Sandboxed commands can no longer see or kill control plane processes
- Platform secrets in /proc/1/environ are inaccessible
- Ports 8888 (Jupyter) and 3000 (Bun) are protected from hijacking
- Commands within sessions now maintain state (pwd, env vars)
- Graceful fallback when CAP_SYS_ADMIN not available (dev environments)

BREAKING CHANGE: Commands within the same session now share state. Previously each
command was stateless. Use createSession() for isolated command execution.

* Stop information exposure through stack trace

* Implement secure streaming execution with ExecutionSession support

- Fix streaming security hole by routing through SessionManager instead of direct spawn()
- Add ExecutionSession.execStream() method for secure real-time command streaming
- Maintain backward compatibility by bridging sessionId API to ExecutionSessions
- Extend SessionManager with streaming capabilities using isolated control processes

* Remove sessionId

* Make file ops session-aware too

* Remove duplicate code paths

* Fix streaming and corresponding abort

* Fix log fetch endpoint

* Minor fixes

* Rename back to sessionId

* Fix pending name references

* Move control script into separate file

* Fix type errors

* fix biome lint errors

* Prevent shell command injection

* Move code around

* Reorganise code

* Update changeset

Author: ghostwriternr

.changeset/env-isolation-security.md

@@ -0,0 +1,56 @@
+---
+"@cloudflare/sandbox": minor
+---
+
+Add process isolation for sandbox commands
+
+Implements PID namespace isolation to protect control plane processes (Jupyter, Bun) from sandboxed code. Commands executed via `exec()` now run in isolated namespaces that cannot see or interact with system processes.
+
+**Key security improvements:**
+- Control plane processes are hidden from sandboxed commands
+- Platform secrets in `/proc/1/environ` are inaccessible
+- Ports 8888 (Jupyter) and 3000 (Bun) are protected from hijacking
+
+**Breaking changes:**
+
+1. **Removed `sessionId` parameter**: The `sessionId` parameter has been removed from all methods (`exec()`, `execStream()`, `startProcess()`, etc.). Each sandbox now maintains its own persistent session automatically.
+   
+   ```javascript
+   // Before: manual session management
+   await sandbox.exec("cd /app", { sessionId: "my-session" });
+   
+   // After: automatic session per sandbox
+   await sandbox.exec("cd /app");
+   ```
+
+2. **Commands now maintain state**: Commands within the same sandbox now share state (working directory, environment variables, background processes). Previously each command was stateless.
+
+   ```javascript
+   // Before: each exec was independent
+   await sandbox.exec("cd /app");
+   await sandbox.exec("pwd"); // Output: /workspace
+   
+   // After: state persists in session
+   await sandbox.exec("cd /app");
+   await sandbox.exec("pwd"); // Output: /app
+   ```
+
+**Migration guide:**
+- Remove `sessionId` from all method calls - each sandbox maintains its own session
+- If you need isolated execution contexts within the same sandbox, use `sandbox.createSession()`:
+  ```javascript
+  // Create independent sessions with different environments
+  const buildSession = await sandbox.createSession({
+    name: "build",
+    env: { NODE_ENV: "production" },
+    cwd: "/build"
+  });
+  const testSession = await sandbox.createSession({
+    name: "test", 
+    env: { NODE_ENV: "test" },
+    cwd: "/test"
+  });
+  ```
+- Environment variables set in one command persist to the next
+- Background processes remain active until explicitly killed
+- Requires CAP_SYS_ADMIN (available in production, falls back gracefully in dev)

.gitignore

@@ -134,4 +134,9 @@ dist
 
 .DS_Store
 
-container_dist
+container_dist
+
+# Compiled TypeScript files in container_src
+packages/sandbox/container_src/*.js
+packages/sandbox/container_src/**/*.js
+!packages/sandbox/container_src/**/*.d.ts

examples/basic/app/index.tsx

@@ -178,13 +178,14 @@ class SandboxApiClient {
     });
   }
 
-  async *streamProcessLogs(processId: string): AsyncGenerator<any> {
+  async *streamProcessLogs(processId: string, options?: { signal?: AbortSignal }): AsyncGenerator<any> {
     const response = await fetch(
       `${this.baseUrl}/api/process/${processId}/stream`,
       {
         headers: {
           Accept: "text/event-stream",
         },
+        signal: options?.signal,  // Pass the abort signal to fetch
       }
     );
 
@@ -2191,6 +2192,12 @@ function StreamingTab({
       return;
 
     const streamId = `logs_${selectedProcessId}_${Date.now()}`;
+    
+    // Create an AbortController for this stream
+    const abortController = new AbortController();
+    
+    // Store the abort controller so it can be aborted when user clicks stop
+    streamAbortControllers.current.set(streamId, abortController);
 
     // Add stream to active streams
     const newStream: ActiveStream = {
@@ -2206,8 +2213,10 @@ function StreamingTab({
     setActiveStreams((prev) => [...prev, newStream]);
 
     try {
-      // Use the new streamProcessLogs AsyncIterable method
-      const logStreamIterable = client.streamProcessLogs(selectedProcessId);
+      // Use the new streamProcessLogs AsyncIterable method with abort signal
+      const logStreamIterable = client.streamProcessLogs(selectedProcessId, {
+        signal: abortController.signal
+      });
 
       for await (const logEvent of logStreamIterable) {
         const streamEvent: LogStreamEvent = {
@@ -2227,7 +2236,27 @@ function StreamingTab({
           )
         );
       }
+      
+      // Clean up abort controller when stream completes naturally
+      streamAbortControllers.current.delete(streamId);
     } catch (error) {
+      // Clean up abort controller on error
+      streamAbortControllers.current.delete(streamId);
+      
+      // Don't log abort errors or add error events for user cancellation
+      if (error instanceof Error && error.name === 'AbortError') {
+        console.log("Log streaming aborted by user");
+        // Just mark the stream as inactive without adding error event
+        setActiveStreams((prev) =>
+          prev.map((stream) =>
+            stream.id === streamId
+              ? { ...stream, isActive: false }
+              : stream
+          )
+        );
+        return;
+      }
+      
       console.error("Log streaming error:", error);
 
       const errorEvent: LogStreamEvent = {
@@ -2254,13 +2283,23 @@ function StreamingTab({
     }
   };
 
+  // Map to store abort controllers for active streams
+  const streamAbortControllers = useRef<Map<string, AbortController>>(new Map());
+  
   // Stop a stream
   const stopStream = (streamId: string) => {
     setActiveStreams((prev) =>
       prev.map((stream) =>
         stream.id === streamId ? { ...stream, isActive: false } : stream
       )
     );
+    
+    // Abort the fetch if an abort controller exists
+    const controller = streamAbortControllers.current.get(streamId);
+    if (controller) {
+      controller.abort();
+      streamAbortControllers.current.delete(streamId);
+    }
   };
 
   // Clear a stream

examples/basic/src/endpoints/execute.ts

@@ -3,13 +3,12 @@ import { parseJsonBody, errorResponse, jsonResponse } from "../http";
 
 export async function executeCommand(sandbox: Sandbox<unknown>, request: Request) {
     const body = await parseJsonBody(request);
-    const { command, sessionId, cwd, env } = body;
+    const { command, cwd, env } = body;
     if (!command) {
         return errorResponse("Command is required");
     }
 
-    // Use the current SDK API signature: exec(command, options)
-    const result = await sandbox.exec(command, { sessionId, cwd, env });
+    const result = await sandbox.exec(command, { cwd, env });
     return jsonResponse({
         success: result.exitCode === 0,
         exitCode: result.exitCode,

examples/basic/src/endpoints/executeStream.ts

@@ -4,7 +4,7 @@ import { corsHeaders, errorResponse, parseJsonBody } from "../http";
 
 export async function executeCommandStream(sandbox: Sandbox<unknown>, request: Request) {
     const body = await parseJsonBody(request);
-    const { command, sessionId } = body;
+    const { command } = body;
 
     if (!command) {
         return errorResponse("Command is required");
@@ -20,7 +20,7 @@ export async function executeCommandStream(sandbox: Sandbox<unknown>, request: R
             const encoder = new TextEncoder();
 
             // Get the ReadableStream from sandbox
-            const stream = await sandbox.execStream(command, { sessionId });
+            const stream = await sandbox.execStream(command);
 
             // Convert to AsyncIterable using parseSSEStream
             for await (const event of parseSSEStream<ExecEvent>(stream)) {

examples/basic/src/endpoints/processLogs.ts

@@ -17,7 +17,7 @@ export async function getProcessLogs(sandbox: Sandbox<unknown>, pathname: string
     }
 }
 
-export async function streamProcessLogs(sandbox: Sandbox<unknown>, pathname: string) {
+export async function streamProcessLogs(sandbox: Sandbox<unknown>, pathname: string, request: Request) {
     const pathParts = pathname.split("/");
     const processId = pathParts[pathParts.length - 2];
 
@@ -40,6 +40,9 @@ export async function streamProcessLogs(sandbox: Sandbox<unknown>, pathname: str
     // Use the SDK's streaming with beautiful AsyncIterable API
     if (typeof sandbox.streamProcessLogs === 'function') {
         try {
+            // Create an AbortController that will be triggered when client disconnects
+            const abortController = new AbortController();
+            
             // Create SSE stream from AsyncIterable
             const encoder = new TextEncoder();
             const { readable, writable } = new TransformStream();
@@ -48,27 +51,37 @@ export async function streamProcessLogs(sandbox: Sandbox<unknown>, pathname: str
             // Stream logs in the background
             (async () => {
                 try {
-                    // Get the ReadableStream from sandbox
+                    // Get the ReadableStream from sandbox (can't pass abort signal through Worker binding)
                     const stream = await sandbox.streamProcessLogs(processId);
 
-                    // Convert to AsyncIterable using parseSSEStream
-                    for await (const logEvent of parseSSEStream<LogEvent>(stream)) {
+                    // Convert to AsyncIterable using parseSSEStream with local abort signal
+                    for await (const logEvent of parseSSEStream<LogEvent>(stream, abortController.signal)) {
                         // Forward each typed event as SSE
                         await writer.write(encoder.encode(`data: ${JSON.stringify(logEvent)}\n\n`));
                     }
                 } catch (error: any) {
-                    // Send error event
-                    await writer.write(encoder.encode(`data: ${JSON.stringify({
-                        type: 'error',
-                        timestamp: new Date().toISOString(),
-                        data: error.message,
-                        processId
-                    })}\n\n`));
+                    // Don't send error event for abort
+                    if (error.name === 'AbortError') {
+                        console.log('Stream aborted by client');
+                    } else {
+                        // Send error event
+                        await writer.write(encoder.encode(`data: ${JSON.stringify({
+                            type: 'error',
+                            timestamp: new Date().toISOString(),
+                            data: error.message,
+                            processId
+                        })}\n\n`));
+                    }
                 } finally {
                     await writer.close();
                 }
             })();
 
+            // Handle client disconnect by aborting
+            request.signal.addEventListener('abort', () => {
+                abortController.abort();
+            });
+
             // Return stream with proper headers
             return new Response(readable, {
                 headers: {

examples/basic/src/endpoints/processStart.ts

@@ -3,7 +3,7 @@ import { errorResponse, jsonResponse, parseJsonBody } from "../http";
 
 export async function startProcess(sandbox: Sandbox<unknown>, request: Request) {
     const body = await parseJsonBody(request);
-    const { command, processId, sessionId, timeout, env: envVars, cwd } = body;
+    const { command, processId, timeout, env: envVars, cwd } = body;
 
     if (!command) {
         return errorResponse("Command is required");
@@ -12,7 +12,6 @@ export async function startProcess(sandbox: Sandbox<unknown>, request: Request)
     if (typeof sandbox.startProcess === 'function') {
         const process = await sandbox.startProcess(command, {
             processId,
-            sessionId,
             timeout,
             env: envVars,
             cwd

examples/basic/src/index.ts

@@ -108,7 +108,7 @@ export default {
       }
 
       if (pathname.startsWith("/api/process/") && pathname.endsWith("/stream") && request.method === "GET") {
-        return await streamProcessLogs(sandbox, pathname);
+        return await streamProcessLogs(sandbox, pathname, request);
       }
 
       if (pathname.startsWith("/api/process/") && request.method === "GET") {
@@ -351,18 +351,24 @@ result = x / y
       // Session Management APIs
       if (pathname === "/api/session/create" && request.method === "POST") {
         const body = await parseJsonBody(request);
-        const sessionId = body.sessionId || `session_${Date.now()}_${generateSecureRandomString()}`;
+        const { name, env, cwd, isolation = true } = body;
 
-        // Sessions are managed automatically by the SDK, just return the ID
-        return jsonResponse(sessionId);
+        const session = await sandbox.createSession({
+          id: name || `session_${Date.now()}_${generateSecureRandomString()}`,
+          env,
+          cwd,
+          isolation
+        });
+
+        return jsonResponse({ sessionId: session.id });
       }
 
       if (pathname.startsWith("/api/session/clear/") && request.method === "POST") {
         const sessionId = pathname.split("/").pop();
 
-        // In a real implementation, you might want to clean up session state
-        // For now, just return success
-        return jsonResponse({ message: "Session cleared", sessionId });
+        // Note: The current SDK doesn't expose a direct session cleanup method
+        // Sessions are automatically cleaned up by the container lifecycle
+        return jsonResponse({ message: "Session cleanup initiated", sessionId });
       }
 
       // Fallback: serve static assets for all other requests

packages/sandbox/Dockerfile

@@ -33,7 +33,6 @@ RUN apt-get update && apt-get install -y \
     python3-pip \
     python3.11-venv \
     # Other useful tools
-    sudo \
     ca-certificates \
     gnupg \
     lsb-release \
@@ -43,13 +42,8 @@ RUN apt-get update && apt-get install -y \
 # Set Python 3.11 as default python3
 RUN update-alternatives --install /usr/bin/python3 python3 /usr/bin/python3.11 1
 
-# Install Node.js 20 LTS
-# Using the official NodeSource repository setup script
-RUN apt-get update && apt-get install -y ca-certificates curl gnupg \
-    && mkdir -p /etc/apt/keyrings \
-    && curl -fsSL https://deb.nodesource.com/gpgkey/nodesource-repo.gpg.key | gpg --dearmor -o /etc/apt/keyrings/nodesource.gpg \
-    && echo "deb [signed-by=/etc/apt/keyrings/nodesource.gpg] https://deb.nodesource.com/node_20.x nodistro main" | tee /etc/apt/sources.list.d/nodesource.list \
-    && apt-get update \
+# Install Node.js 20 LTS using official NodeSource setup script
+RUN curl -fsSL https://deb.nodesource.com/setup_20.x | bash - \
     && apt-get install -y nodejs \
     && rm -rf /var/lib/apt/lists/*
 
@@ -73,7 +67,7 @@ RUN pip3 install --no-cache-dir \
     seaborn
 
 # Install JavaScript kernel (ijavascript) - using E2B's fork
-RUN npm install -g --unsafe-perm git+https://github.com/e2b-dev/ijavascript.git \
+RUN npm install -g git+https://github.com/e2b-dev/ijavascript.git \
     && ijsinstall --install=global
 
 # Set up container server directory
@@ -93,6 +87,10 @@ RUN bun install
 
 COPY container_src/ ./
 
+# Compile TypeScript control process
+# Use npx -p typescript to ensure we get the right tsc command
+RUN npx -p typescript tsc control-process.ts --outDir . --module commonjs --target es2020 --esModuleInterop --skipLibCheck
+
 # Create clean workspace directory for users
 RUN mkdir -p /workspace