Sectioned policy schema for profiles, CLI, and bindings #42
Open
congwang-mk wants to merge 2 commits into main from
Signed-off-by: Cong Wang <cwang@multikernel.io>
Phase 2 of the sectioned-policy-schema effort. After Phase 1 introduced
the sectioned profile parser (translating into the legacy field names),
this phase aligns the rest of the project — Policy struct, CLI flags,
FFI, and Python bindings — with the schema's intent-shaped vocabulary,
and reshapes the Policy/PolicyBuilder/CLI relationship so a single
canonical input definition feeds both TOML profiles and clap argv
parsing.
Field and flag renames:
- Policy::https_ca → Policy::http_ca (CLI: --https-ca → --http-ca)
- Policy::https_key → Policy::http_key (CLI: --https-key → --http-key)
- Policy::block_syscalls → Policy::extra_deny_syscalls (CLI: --block-syscall → --extra-deny-syscall)
- Policy::allow_sysv_ipc removed; folded into Policy::extra_allow_syscalls = ["sysv_ipc"] (CLI: --allow-sysv-ipc → --extra-allow-syscall)
Signed-off-by: Cong Wang <cwang@multikernel.io>
Summary
Replaces sandlock's flat-keyed TOML profile format with a sectioned schema, then aligns the rest of the project — Policy, the CLI flags, FFI accessors, and Python bindings — with the schema's intent-shaped vocabulary. Pre-1.0 hard break: existing user profiles and downstream callers using the old field/flag names need to be rewritten.

Two commits, organized by phase:
- ab4b0c3 Phase 1 — sectioned profile parser. New `ProfileInput` + 8 section structs (`[config]`, `[determinism]`, `[program]`, `[filesystem]`, `[network]`, `[http]`, `[syscalls]`, `[limits]`). New `parse_input` translator producing `(Policy, ProgramSpec)`. `parse_profile`/`load_profile` rewritten as thin wrappers; legacy flat-keyed parser deleted. CLI gains `--profile-file` and honors `[program].exec`/`args` from a profile when no trailing positional command is given (trailing command overrides).
- 9eff365 Phase 2 — vocabulary alignment + canonical input. Renames `Policy::https_ca`/`https_key`/`block_syscalls` → `http_ca`/`http_key`/`extra_deny_syscalls`; drops `allow_sysv_ipc` (folded into a new `extra_allow_syscalls: Vec<String>` plus `Policy::allows_sysv_ipc()` helper). CLI flags renamed to match (`--http-ca`, `--http-key`, `--extra-deny-syscall`, new `--extra-allow-syscall`). New `Policy::validate()` owns cross-section invariants; `PolicyBuilder::build_unchecked()` runs per-field validation and `build()` collapses to `build_unchecked()? + validate()?`. `PolicyBuilder` carries a feature-gated `clap::Args` derive; the CLI's `RunArgs` flattens it via `#[clap(flatten)]`, eliminating the duplicated parallel args struct. FFI, Python bindings, and READMEs updated for the rename.

Test Plan
- `cargo test --workspace` passes — 278 core unit tests + 17 CLI tests + 5 profile integration tests + 2 policy-validate tests + integration suite.
- `pip install -e python/ && pytest python/tests/` passes — 228 Python tests.
- `cargo check --workspace --all-targets` is clean.
- `sandlock run --profile-file <profile>.toml` exits 0 with a representative profile (see PR description's example).
- `sandlock run --profile-file <profile>.toml -- /bin/echo override` runs the trailing command, not the profile's `[program].exec`.
- `--http-ca`, `--http-key`, `--extra-deny-syscall`, `--extra-allow-syscall sysv_ipc`.
- `--https-ca`, `--https-key`, `--block-syscall`, `--allow-sysv-ipc` produce clap "unexpected argument" errors.
- `[filesystem].isolation = "overlayfs"` without `[config].workdir` returns the documented error mentioning `workdir`.

🤖 Generated with Claude Code
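The following is an added example, not sandlock's own code, illustrating both the field renames listed in the commit message and the Summary/Test Plan above: a sectioned profile is parsed, its sections are translated into a `Policy` that uses the renamed vocabulary (`http_ca`, `http_key`, `extra_deny_syscalls`, `extra_allow_syscalls` with an `allows_sysv_ipc()` helper), and `Policy::validate()` enforces the one cross-section invariant the test plan names (`[filesystem].isolation = "overlayfs"` requires `[config].workdir`). To stay dependency-free it uses a small hand-written parser for the TOML subset the sample needs rather than a TOML crate. The eight section names come from the PR; the per-section key names (`workdir`, `isolation`, `ca`, `key`, `extra_deny`, `extra_allow`), the rejection of unknown sections, the `Policy` field layout and the sample profile are this example's own assumptions. The clap side (`#[clap(flatten)]` of `PolicyBuilder`) is not modelled.

```rust
use std::collections::BTreeMap;

/// section name -> (key -> values); a scalar is stored as a one-element list.
type Sections = BTreeMap<String, BTreeMap<String, Vec<String>>>;

/// Parse only the TOML subset the sample needs: `[section]`, `key = "str"`,
/// `key = ["a", "b"]` and `#` comments. Anything else is rejected. This is an
/// example stand-in for a real TOML parser (it does not handle `#` inside strings).
fn parse_sections(text: &str) -> Result<Sections, String> {
    let mut out: Sections = BTreeMap::new();
    let mut current = String::new();
    for (n, raw) in text.lines().enumerate() {
        let line = raw.split('#').next().unwrap_or("").trim();
        if line.is_empty() {
            continue;
        }
        if let Some(name) = line.strip_prefix('[').and_then(|s| s.strip_suffix(']')) {
            current = name.trim().to_string();
            out.entry(current.clone()).or_default();
            continue;
        }
        let (key, value) = line
            .split_once('=')
            .ok_or(format!("line {}: expected `key = value`", n + 1))?;
        let values: Vec<String> = match value.trim() {
            v if v.starts_with('[') && v.ends_with(']') => v[1..v.len() - 1]
                .split(',')
                .map(|s| s.trim().trim_matches('"').to_string())
                .filter(|s| !s.is_empty())
                .collect(),
            v if v.len() >= 2 && v.starts_with('"') && v.ends_with('"') => {
                vec![v[1..v.len() - 1].to_string()]
            }
            v => return Err(format!("line {}: unsupported value {:?}", n + 1, v)),
        };
        out.get_mut(&current)
            .ok_or(format!("line {}: key outside any [section]", n + 1))?
            .insert(key.trim().to_string(), values);
    }
    Ok(out)
}

/// The eight sections named in the PR; any other section is rejected here
/// (an assumption of this example, not necessarily sandlock's behaviour).
const SECTIONS: [&str; 8] = [
    "config", "determinism", "program", "filesystem", "network", "http", "syscalls", "limits",
];

/// Intent-shaped policy fields using the renamed vocabulary (assumed layout).
#[derive(Debug, Default, PartialEq)]
struct Policy {
    workdir: Option<String>,
    isolation: Option<String>,
    http_ca: Option<String>,
    http_key: Option<String>,
    extra_deny_syscalls: Vec<String>,
    extra_allow_syscalls: Vec<String>,
}

impl Policy {
    /// allow_sysv_ipc is no longer a field: it is derived from the allow list.
    fn allows_sysv_ipc(&self) -> bool {
        self.extra_allow_syscalls.iter().any(|s| s == "sysv_ipc")
    }

    /// Cross-section invariant: overlayfs isolation needs a workdir to back it.
    fn validate(&self) -> Result<(), String> {
        if self.isolation.as_deref() == Some("overlayfs") && self.workdir.is_none() {
            return Err("[filesystem].isolation = \"overlayfs\" requires [config].workdir".into());
        }
        Ok(())
    }
}

/// Translate a sectioned profile into a validated Policy.
fn parse_input(text: &str) -> Result<Policy, String> {
    let sections = parse_sections(text)?;
    if let Some(unknown) = sections.keys().find(|k| !SECTIONS.contains(&k.as_str())) {
        return Err(format!("unknown section [{}]", unknown));
    }
    let first = |sec: &str, key: &str| -> Option<String> { sections.get(sec)?.get(key)?.first().cloned() };
    let list = |sec: &str, key: &str| -> Vec<String> {
        sections.get(sec).and_then(|s| s.get(key)).cloned().unwrap_or_default()
    };
    let policy = Policy {
        workdir: first("config", "workdir"),
        isolation: first("filesystem", "isolation"),
        http_ca: first("http", "ca"),
        http_key: first("http", "key"),
        extra_deny_syscalls: list("syscalls", "extra_deny"),
        extra_allow_syscalls: list("syscalls", "extra_allow"),
    };
    policy.validate()?;
    Ok(policy)
}

/// Constructed sample profile (paths and lists are illustrative only).
const SAMPLE_PROFILE: &str = r#"
[config]
workdir = "/tmp/sandlock-work"   # constructed sample
[filesystem]
isolation = "overlayfs"
[http]
ca = "/etc/ssl/ca.pem"
key = "/etc/ssl/client.key"
[syscalls]
extra_deny = ["ptrace", "process_vm_readv"]
extra_allow = ["sysv_ipc"]
"#;

fn main() {
    match parse_input(SAMPLE_PROFILE) {
        Ok(p) => println!("accepted: {:?} (sysv_ipc allowed: {})", p, p.allows_sysv_ipc()),
        Err(e) => println!("rejected: {}", e),
    }
    // Drop the workdir line: overlayfs isolation must now be rejected.
    let broken = SAMPLE_PROFILE.replace("workdir = \"/tmp/sandlock-work\"", "");
    println!("without workdir: {:?}", parse_input(&broken));
}
```

Running it accepts the sample profile and rejects the copy with `workdir` removed with an error that names `workdir`, mirroring the last item of the test plan; the deny list in the sample is only there to show that per-field list translation and the `sysv_ipc` folding work side by side.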