Skip to content

Validation: isolate submitted code in author Sandboxes#954

Draft
zkwentz wants to merge 1 commit into
rfc008-12-hf-sandbox-validationfrom
rfc008-13-sandbox-hardening
Draft

Validation: isolate submitted code in author Sandboxes#954
zkwentz wants to merge 1 commit into
rfc008-12-hf-sandbox-validationfrom
rfc008-13-sandbox-hardening

Conversation

@zkwentz

@zkwentz zkwentz commented Jul 12, 2026

Copy link
Copy Markdown
Collaborator

What & Why

The first remote runner allowed submitted build/runtime processes too much proximity to the trusted report path. This hardening layer separates subject execution by UID, keeps trusted inputs read-only, and makes teardown explicit.

Risk & Review Guidance

  • Risk level: HIGH — fixes an isolation boundary around untrusted code
  • Task class: security
  • Review focus: src/openenv/validation/remote.py:242 for UID/report-path setup; src/openenv/validation/local.py for subject UID/GID propagation; remote/local isolation tests
  • Blast radius: Without this boundary, submitted code could forge or mutate the author report or survive beyond validation.

Decisions & Alternatives

  • Root-owned report writer, unprivileged subject UID — rejected same-UID convenience.
  • Read-only source and validator trees — subject code gets only the access required to install/run.
  • Kill then close in finally — teardown is mandatory on success and failure.

Verification

  • PASS: PYTHONPATH=src:envs .venv/bin/python -m pytest tests/ -q -m 'not integration' — 1,559 passed, 114 skipped, 31 external integration tests deselected on the complete stack.
  • PASS: Fork whole-stack CI — 7/7 checks passed, including Python 3.11/3.12, lint, docs, lock validation, and package smoke tests.
  • NOT verified: Kernel-level containment is delegated to the dedicated HF Sandbox platform and was not live-tested here.

Scope & Non-Goals

  • Task-provided verifier isolation remains advisory in the author runner until a separate verifier Sandbox exists.

Stack

PR 13 of 17; depends on #953.

Full 17-PR stack
  1. #942 RFC 008: Spec-neutral local and remote validation architecture
  2. #943 Validation foundation: spec-neutral contracts and adapters
  3. #944 Validation policy: spec-aware check registry and planner
  4. #945 Validation executor: hardened shared reports and eligibility
  5. #946 Local validation API: execution-model-aware profiles
  6. #947 CLI: validation profiles and shared reports
  7. #948 HF runtime: dedicated sandbox execution mode
  8. #949 HF certification: enforce trusted dedicated isolation
  9. #950 [RFC 008] Define remote author validation and publish gating
  10. #951 Validation: unify CLI reports and add a strict publish profile
  11. #952 Validation: add structured author diagnostics and remediation
  12. #953 Validation: run author validation in dedicated HF Sandboxes
  13. #954 Validation: isolate submitted code in author Sandboxes ← current
  14. #955 Validation: bind author reports to policy and source
  15. #956 CLI: scaffold publish requirements
  16. #957 CLI: gate pushes on staged remote validation
  17. #958 Docs: explain local, remote, and publish validation

All upstream PRs remain draft while RFC 008 is under review.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant