fix: Sandbox policy tuning for tmp write access (#145)

* fix: Sandbox policy tuning for tmp write access

* fix: Remove numbers from test

* Update sandbox/profiles/pnpm-restrictive.yml

Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
Signed-off-by: Abhisek Datta <abhisek.datta@gmail.com>

* fix: Sandbox E2E test to consider Linux bubblewrap tmpfs mount

* Update sandbox/profiles/pnpm-restrictive.yml

Co-authored-by: Sahil Bansal <bansalsahil315@gmail.com>
Signed-off-by: Abhisek Datta <abhisek.datta@gmail.com>

* fix: Migrate deny rules from pnpm to npm policy

---------

Signed-off-by: Abhisek Datta <abhisek.datta@gmail.com>
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
Co-authored-by: Sahil Bansal <bansalsahil315@gmail.com>

Author: 3 people

.github/workflows/pmg-e2e.yml

@@ -443,6 +443,11 @@ jobs:
           node-version: 20
           check-latest: true
 
+      - name: Setup PNPM
+        uses: pnpm/action-setup@a7487c7e89a18df4991f7f222e4898a00d66ddda # v4
+        with:
+          version: 10
+
       - name: Build PMG
         run: make
 
@@ -465,6 +470,9 @@ jobs:
       - name: Run Sandbox E2E Test
         run: pmg --sandbox --sandbox-enforce npm exec -- node test/sandbox-e2e.js
 
+      - name: Run Package Manager E2E Test
+        run: pmg --sandbox --sandbox-enforce npm exec -- node test/pm-e2e.js
+
   sandbox-e2e-linux:
     name: Sandbox E2E - Linux (Bubblewrap)
     runs-on: ubuntu-latest
@@ -487,6 +495,11 @@ jobs:
           node-version: 20
           check-latest: true
 
+      - name: Setup PNPM
+        uses: pnpm/action-setup@a7487c7e89a18df4991f7f222e4898a00d66ddda # v4
+        with:
+          version: 10
+
       - name: Install Bubblewrap
         run: sudo apt-get update && sudo apt-get install -y bubblewrap
 
@@ -522,3 +535,6 @@ jobs:
 
       - name: Run Sandbox E2E Test
         run: pmg --sandbox --sandbox-enforce --sandbox-profile npm-restrictive npm exec -- node test/sandbox-e2e.js
+
+      - name: Run Package Manager E2E Test
+        run: pmg --sandbox --sandbox-enforce --sandbox-profile npm-restrictive npm exec -- node test/pm-e2e.js

config/config.template.yml

@@ -97,7 +97,7 @@ sandbox:
 
     pnpm:
       enabled: true
-      profile: npm-restrictive
+      profile: pnpm-restrictive
 
     npx:
       enabled: true

sandbox/profiles/npm-restrictive.yml

@@ -45,7 +45,9 @@ filesystem:
     #         1. Creating the node_modules directory itself
     #         2. Writing any files/directories inside it
     # Temporary directories for shell scripts and package managers
+    # Note: On macOS, /tmp is a symlink to /private/tmp, so we need both
     - /tmp/**
+    - /private/tmp/**
     - /var/tmp/**
     # Project directories
     - ${CWD}/node_modules/**
@@ -75,6 +77,9 @@ filesystem:
     - /usr/**
     - /bin/**
     - /sbin/**
+    # Additional deny rules for extra security
+    - ${CWD}/.env
+    - ${CWD}/.env.*
 
 network:
   # MacOS sandbox-exec does not support network restrictions, so we allow all outbound traffic

sandbox/profiles/pnpm-restrictive.yml

@@ -0,0 +1,25 @@
+name: pnpm-restrictive
+description: Profile for pnpm with write access to current directory
+inherits: npm-restrictive
+
+package_managers:
+  - pnpm
+
+filesystem:
+  allow_write:
+    # pnpm needs write access here
+    - ${HOME}/Library/pnpm/.tools/**
+    - ${HOME}/.pnpm-store/**
+
+    # `pnpm i` creates the tmp files in local dir, at least on MacOS
+    - ${CWD}/_tmp_*
+
+    # pnpm self-update (or likely update) creates temporary package.json files
+    # for writing. This is likely for atomic update using filesystem rename operation
+    # which guarantees atomicity
+    - ${CWD}/package.json.*
+
+    # Need access for dependency resolution
+    - ${CWD}/.pnpm-store
+
+

sandbox/profiles/pypi-restrictive.yml

@@ -32,6 +32,11 @@ filesystem:
     #       For example, ${CWD}/.venv/** allows both:
     #         1. Creating the .venv directory itself
     #         2. Writing any files/directories inside it
+    # Temporary directories for shell scripts and package managers
+    # Note: On macOS, /tmp is a symlink to /private/tmp, so we need both
+    - /tmp/**
+    - /private/tmp/**
+    - /var/tmp/**
     - ${CWD}/.venv/**
     - ${CWD}/venv/**
     - ${HOME}/.cache/pip/**

sandbox/util/dangerous.go

@@ -58,16 +58,23 @@ func GetMandatoryDenyPatterns(allowGitConfig bool) []string {
 		}
 	}
 
-	// Git hooks are ALWAYS blocked for security (can execute arbitrary code)
+	// Git hooks are blocked in CWD and HOME for security (can execute arbitrary code)
+	// We don't use global globs like **/.git/hooks to allow legitimate temp dir operations
+	// (e.g., npx cloning repos to /tmp)
 	patterns = append(patterns, filepath.Join(cwd, ".git/hooks"))
 	patterns = append(patterns, filepath.Join(cwd, ".git/hooks/**"))
-	patterns = append(patterns, "**/.git/hooks")
-	patterns = append(patterns, "**/.git/hooks/**")
 
-	// Git config is conditionally blocked
+	if home != "" {
+		patterns = append(patterns, filepath.Join(home, ".git/hooks"))
+		patterns = append(patterns, filepath.Join(home, ".git/hooks/**"))
+	}
+
+	// Git config is conditionally blocked in CWD and HOME
 	if !allowGitConfig {
 		patterns = append(patterns, filepath.Join(cwd, ".git/config"))
-		patterns = append(patterns, "**/.git/config")
+		if home != "" {
+			patterns = append(patterns, filepath.Join(home, ".git/config"))
+		}
 	}
 
 	return patterns

sandbox/util/dangerous_test.go

@@ -22,19 +22,36 @@ func TestGetMandatoryDenyPatterns(t *testing.T) {
 		assert.Contains(t, patterns, "**/.docker/config.json")
 	})
 
-	t.Run("always blocks git hooks", func(t *testing.T) {
+	t.Run("always blocks git hooks in CWD and HOME", func(t *testing.T) {
+		cwd, err := os.Getwd()
+		assert.NoError(t, err)
+
+		home, err := os.UserHomeDir()
+		assert.NoError(t, err)
+
 		patterns := GetMandatoryDenyPatterns(false)
 
-		// Should block git hooks
-		assert.Contains(t, patterns, "**/.git/hooks")
-		assert.Contains(t, patterns, "**/.git/hooks/**")
+		// Should block git hooks in CWD
+		assert.Contains(t, patterns, filepath.Join(cwd, ".git/hooks"))
+		assert.Contains(t, patterns, filepath.Join(cwd, ".git/hooks/**"))
+
+		// Should block git hooks in HOME
+		assert.Contains(t, patterns, filepath.Join(home, ".git/hooks"))
+		assert.Contains(t, patterns, filepath.Join(home, ".git/hooks/**"))
 	})
 
 	t.Run("blocks git config when allowGitConfig is false", func(t *testing.T) {
+		cwd, err := os.Getwd()
+		assert.NoError(t, err)
+
+		home, err := os.UserHomeDir()
+		assert.NoError(t, err)
+
 		patterns := GetMandatoryDenyPatterns(false)
 
-		// Should block git config
-		assert.Contains(t, patterns, "**/.git/config")
+		// Should block git config in CWD and HOME
+		assert.Contains(t, patterns, filepath.Join(cwd, ".git/config"))
+		assert.Contains(t, patterns, filepath.Join(home, ".git/config"))
 	})
 
 	t.Run("allows git config when allowGitConfig is true", func(t *testing.T) {
@@ -76,4 +93,14 @@ func TestGetMandatoryDenyPatterns(t *testing.T) {
 		// Should include pattern for .env.* files
 		assert.Contains(t, patterns, "**/.env.*")
 	})
+
+	t.Run("does not use global globs for git operations", func(t *testing.T) {
+		patterns := GetMandatoryDenyPatterns(false)
+
+		// Should NOT contain global globs for git hooks/config
+		// This allows legitimate git operations in temp directories (e.g., npx cloning repos)
+		assert.NotContains(t, patterns, "**/.git/hooks")
+		assert.NotContains(t, patterns, "**/.git/hooks/**")
+		assert.NotContains(t, patterns, "**/.git/config")
+	})
 }

test/pm-e2e.js

@@ -0,0 +1,178 @@
+const fs = require('fs');
+const { execSync } = require('child_process');
+const path = require('path');
+const os = require('os');
+
+// Package managers to test
+const PACKAGE_MANAGERS = ['npm', 'pnpm'];
+
+// Well-known dependencies to install
+const TEST_DEPENDENCIES = ['lodash'];
+
+const results = { passed: 0, failed: 0, tests: [] };
+
+function test(name, fn) {
+  try {
+    const result = fn();
+    results.tests.push({ name, status: result ? 'PASS' : 'FAIL', error: null });
+    result ? results.passed++ : results.failed++;
+  } catch (e) {
+    results.tests.push({ name, status: 'ERROR', error: e.message });
+    results.failed++;
+  }
+}
+
+function exec(cmd, options = {}) {
+  try {
+    const output = execSync(cmd, {
+      encoding: 'utf8',
+      timeout: 120000, // 2 minutes
+      ...options
+    });
+    return { success: true, output };
+  } catch (e) {
+    return { success: false, error: e.message, output: e.stdout || '' };
+  }
+}
+
+function createTempDir(prefix) {
+  return fs.mkdtempSync(path.join(os.tmpdir(), prefix));
+}
+
+function cleanup(dir) {
+  try {
+    fs.rmSync(dir, { recursive: true, force: true });
+  } catch (e) {
+    // Ignore cleanup errors
+  }
+}
+
+function testPackageManager(pm) {
+  const testDir = createTempDir(`pmg-e2e-${pm}-`);
+  console.log(`\n  Test directory: ${testDir}`);
+
+  try {
+    // Initialize project
+    test(`${pm}: Initialize project`, () => {
+      const initCmd = pm === 'npm' ? 'npm init -y' : 'pnpm init';
+      const result = exec(initCmd, { cwd: testDir });
+      if (!result.success) {
+        console.log(`    ❌ FAIL: ${result.error}`);
+        return false;
+      }
+
+      const packageJsonExists = fs.existsSync(path.join(testDir, 'package.json'));
+      if (packageJsonExists) {
+        console.log(`    ✅ PASS: Project initialized`);
+        return true;
+      }
+      console.log(`    ❌ FAIL: package.json not created`);
+      return false;
+    });
+
+    // Add dependencies
+    const depsStr = TEST_DEPENDENCIES.join(', ');
+    test(`${pm}: Add dependencies (${depsStr})`, () => {
+      const depsList = TEST_DEPENDENCIES.join(' ');
+      const addCmd = pm === 'npm'
+        ? `npm install ${depsList}`
+        : `pnpm add ${depsList}`;
+      const result = exec(addCmd, { cwd: testDir });
+      if (!result.success) {
+        console.log(`    ❌ FAIL: ${result.error}`);
+        return false;
+      }
+
+      // Verify dependencies were added to package.json
+      const packageJson = JSON.parse(fs.readFileSync(path.join(testDir, 'package.json'), 'utf8'));
+      const missingDeps = TEST_DEPENDENCIES.filter(
+        dep => !packageJson.dependencies || !packageJson.dependencies[dep]
+      );
+      if (missingDeps.length === 0) {
+        console.log(`    ✅ PASS: Dependencies added`);
+        return true;
+      }
+      console.log(`    ❌ FAIL: Missing dependencies in package.json: ${missingDeps.join(', ')}`);
+      return false;
+    });
+
+    // Verify node_modules exists
+    test(`${pm}: Verify node_modules created`, () => {
+      const nodeModulesExists = fs.existsSync(path.join(testDir, 'node_modules'));
+      if (!nodeModulesExists) {
+        console.log(`    ❌ FAIL: node_modules missing`);
+        return false;
+      }
+      const missingDeps = TEST_DEPENDENCIES.filter(
+        dep => !fs.existsSync(path.join(testDir, 'node_modules', dep))
+      );
+      if (missingDeps.length === 0) {
+        console.log(`    ✅ PASS: node_modules and dependencies exist`);
+        return true;
+      }
+      console.log(`    ❌ FAIL: Missing in node_modules: ${missingDeps.join(', ')}`);
+      return false;
+    });
+
+    // Clean install (remove node_modules and reinstall)
+    test(`${pm}: Clean install`, () => {
+      // Remove node_modules
+      const nodeModulesPath = path.join(testDir, 'node_modules');
+      fs.rmSync(nodeModulesPath, { recursive: true, force: true });
+
+      // Reinstall
+      const installCmd = pm === 'npm' ? 'npm install' : 'pnpm install';
+      const result = exec(installCmd, { cwd: testDir });
+      if (!result.success) {
+        console.log(`    ❌ FAIL: ${result.error}`);
+        return false;
+      }
+
+      // Verify node_modules recreated with all dependencies
+      const missingDeps = TEST_DEPENDENCIES.filter(
+        dep => !fs.existsSync(path.join(testDir, 'node_modules', dep))
+      );
+      if (missingDeps.length === 0) {
+        console.log(`    ✅ PASS: Clean install successful`);
+        return true;
+      }
+      console.log(`    ❌ FAIL: Dependencies not reinstalled: ${missingDeps.join(', ')}`);
+      return false;
+    });
+
+  } finally {
+    cleanup(testDir);
+    console.log(`  Cleaned up: ${testDir}`);
+  }
+}
+
+// Main
+console.log('=== PMG Package Manager E2E Tests ===\n');
+console.log('This script tests basic npm/pnpm flows to ensure sandbox compatibility.\n');
+
+for (const pm of PACKAGE_MANAGERS) {
+  // Check if package manager is available
+  const checkResult = exec(`which ${pm}`);
+  if (!checkResult.success) {
+    console.log(`--- Skipping ${pm} (not installed) ---`);
+    continue;
+  }
+
+  console.log(`--- Testing ${pm.toUpperCase()} ---`);
+  testPackageManager(pm);
+}
+
+// Summary
+console.log('\n=== SUMMARY ===');
+console.log(`Passed: ${results.passed}/${results.tests.length}`);
+console.log(`Failed: ${results.failed}/${results.tests.length}`);
+
+if (results.failed > 0) {
+  console.log('\nFailed tests:');
+  results.tests.filter(t => t.status !== 'PASS').forEach(t => {
+    console.log(`  - ${t.name}: ${t.status} ${t.error || ''}`);
+  });
+  process.exit(1);
+}
+
+console.log('\nAll tests passed!');