mirror of
https://github.com/oven-sh/bun
synced 2026-02-14 04:49:06 +00:00
Implement proper process isolation using Linux namespaces

Isolation Features:
- User namespace: Unprivileged operation with UID/GID mapping
- PID namespace: Process isolation (sandbox sees PID 1-2, not host PIDs)
- Mount namespace: Isolated filesystem view with overlayfs
- Network namespace: Complete network isolation when NET is empty
- UTS namespace: Isolated hostname (shows "sandbox")
- IPC namespace: Isolated IPC

Implementation:
- Uses bubblewrap (bwrap) as primary isolation method
- Falls back to unshare if bwrap unavailable
- Falls back to no isolation with warning if neither available
- Overlay directories for capturing filesystem modifications
- OUTPUT extraction from overlay upper directory

Key Classes:
- IsolatedSandbox: Full lifecycle management with isolation
- runIsolated(): Run single command in isolated environment
- runIsolatedBwrap(): bwrap-specific implementation
- checkIsolationSupport(): Detect available isolation methods

Security Properties Verified by Tests:
- PID namespace shows only 5 processes (not host's hundreds)
- Hostname isolation shows "sandbox" not host
- Network blocked when NET directive empty
- Secrets passed through environment properly

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>
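The fallback chain and namespace flags the commit describes, as an added POSIX shell example that is not bun's own code: it assumes bwrap >= 0.10 for --overlay (unprivileged overlayfs needs a kernel >= 5.11), mounts the overlay at /mnt, and treats the unshare fallback as namespaces only, with no overlay capture; the lower/upper/work paths are placeholders.

```shell
#!/bin/sh
# Added example, not bun's own code: the bwrap -> unshare -> none fallback
# and the namespace flags listed in the commit, as a shell wrapper.
# Assumptions: bwrap >= 0.10 (for --overlay; unprivileged overlayfs needs a
# kernel >= 5.11); the unshare fallback gives namespaces only, no overlay.

# checkIsolationSupport(): prefer bwrap, then unshare, else none.
check_isolation_support() {
  if command -v bwrap >/dev/null 2>&1; then echo bwrap
  elif command -v unshare >/dev/null 2>&1; then echo unshare
  else echo none; fi
}

# Print one bwrap flag per line. $1 = NET directive (empty = no network),
# $2 = read-only lower dir, $3 = upper dir (writes land here), $4 = workdir.
bwrap_args() {
  net=$1 lower=$2 upper=$3 work=$4
  # user, pid, ipc and uts namespaces are always unshared: the sandbox
  # sees PID 1-2 and the hostname "sandbox", not the host's values
  printf '%s\n' --ro-bind / / --proc /proc --dev /dev \
    --unshare-user --unshare-pid --unshare-ipc --unshare-uts --hostname sandbox
  # network namespace only when the NET directive is empty
  [ -z "$net" ] && printf '%s\n' --unshare-net
  # overlay at /mnt: reads fall through to $lower, writes are kept in $upper
  printf '%s\n' --overlay-src "$lower" --overlay "$upper" "$work" /mnt
}

# runIsolated(): same four leading args as bwrap_args, then the command.
run_isolated() {
  net=$1 lower=$2 upper=$3 work=$4; shift 4
  case $(check_isolation_support) in
    bwrap)
      # unquoted on purpose: the flags contain no whitespace by construction
      bwrap $(bwrap_args "$net" "$lower" "$upper" "$work") -- "$@" ;;
    unshare)
      netflag=; [ -z "$net" ] && netflag=--net
      unshare --user --map-root-user --pid --fork --mount-proc --uts --ipc \
        $netflag -- "$@" ;;
    *)
      echo "warning: no isolation available (bwrap/unshare not found)" >&2
      "$@" ;;
  esac
}

# OUTPUT extraction: every file the sandbox wrote shows up under the upper dir.
extract_output() {
  (cd "$1" && find . -type f | sed 's|^\./||' | sort)
}
```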