Linux sandbox bubblewrap

[DavidAPierce]

Summary

Generates the bwrap CLI arguments to isolate the filesystem.

Details

Skeleton of the Linux sandbox bubblewrap to be used for future sandboxing efforts.
Structures the command by placing bwrap as the program and correctly segregating the sandboxed execution using -- command ...args.
Isolates / as read-only (--ro-bind / /), mount /dev (--dev-bind /dev /dev), and explicitly binds /dev/pts to enable node-pty
compatibility.
Mounts the workspace read/write (--bind ).
Applies the --unshare-all flag to drop all network, IPC, and PID namespaces.
Integrates sanitizeEnvironment using the request configuration, keeping the sandbox secure from leaked environment variables.

Related Issues

Fixes https://github.com/google-gemini/maintainers-gemini-cli/issues/1544

Pre-Merge Checklist

• Updated relevant documentation and README (if needed)
• Added/updated tests (if needed)
• Noted breaking changes (if any)
• Validated on required platforms/methods:
  • MacOS
    • npm run
    • npx
    • Docker
    • Podman
    • Seatbelt
  • Windows
    • npm run
    • npx
    • Docker
  • Linux
    • npm run
    • npx
    • Docker

[gemini-cli]

Hi @DavidAPierce, thank you so much for your contribution to Gemini CLI! We really appreciate the time and effort you've put into this.

We're making some updates to our contribution process to improve how we track and review changes. Please take a moment to review our recent discussion post: Improving Our Contribution Process & Introducing New Guidelines.

Key Update: Starting January 26, 2026, the Gemini CLI project will require all pull requests to be associated with an existing issue. Any pull requests not linked to an issue by that date will be automatically closed.

Thank you for your understanding and for being a part of our community!

[gemini-code-assist]

Summary of Changes

Hello, I'm Gemini Code Assist¹! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request introduces a new Linux sandbox manager that leverages bubblewrap to provide robust process isolation. The primary goal is to enhance security by creating a tightly controlled execution environment for commands, isolating them from the host system's filesystem, network, and other resources. This lays the groundwork for future sandboxing efforts, ensuring that executed code operates within defined boundaries and preventing unintended side effects or security vulnerabilities.

Highlights

• Bubblewrap CLI Argument Generation: The PR introduces logic to generate bwrap (bubblewrap) command-line arguments for isolating the filesystem, ensuring secure execution of commands.
• Filesystem Isolation Configuration: It configures the sandbox to make the root filesystem read-only, binds /dev and /dev/pts for device access and node-pty compatibility, and mounts the workspace as read/write.
• Namespace Unsharing: The --unshare-all flag is utilized to drop all network, IPC, and PID namespaces, providing strong isolation for sandboxed processes.
• Environment Variable Sanitization: The sanitizeEnvironment utility is integrated to manage and redact environment variables based on request configuration, preventing sensitive information leakage into the sandbox.
• Extensible Path Binding: The manager supports binding additional user-defined paths into the sandbox, allowing for flexible access to necessary resources beyond the workspace.

Changelog

• packages/core/src/sandbox/linux/LinuxSandboxManager.test.ts
  • Added a new test file containing unit tests for the LinuxSandboxManager to verify its bwrap argument generation logic and path binding capabilities.
• packages/core/src/sandbox/linux/LinuxSandboxManager.ts
  • Added a new file implementing the LinuxSandboxManager class, which is responsible for constructing bubblewrap commands with appropriate isolation and binding options based on sandbox requests.

Activity

• The author has validated the changes on Linux using npm run.

Using Gemini Code Assist

The full guide for Gemini Code Assist can be found on our documentation page, here are some quick tips.

Invoking Gemini

You can request assistance from Gemini at any point by creating a comment using either /gemini <command> or @gemini-code-assist <command>. Below is a summary of the supported commands on the current page.

Feature	Command	Description
Code Review	/gemini review	Performs a code review for the current pull request in its current state.
Pull Request Summary	/gemini summary	Provides a summary of the current pull request in its current state.
Comment	@gemini-code-assist	Responds in comments when explicitly tagged, both in pull request comments and review comments.
Help	/gemini help	Displays a list of available commands.

Customization

To customize Gemini Code Assist for GitHub experience, repository maintainers can create a configuration file and/or provide a custom code review style guide (such as PEP-8 for Python) by creating and adding files to a .gemini/ folder in the base of the repository. Detailed instructions can be found here.

Limitations & Feedback

Gemini Code Assist may make mistakes. Please leave feedback on any instances where its feedback is incorrect or counter productive. You can react with 👍 and 👎 on @gemini-code-assist comments. If you're interested in giving your feedback about your experience with Gemini Code Assist for GitHub and other Google products, sign up here.

You can also get AI-powered code generation, chat, as well as code reviews directly in the IDE at no cost with the Gemini Code Assist IDE Extension.

Footnotes

1. Review the Privacy Notices, Generative AI Prohibited Use Policy, Terms of Service, and learn how to configure Gemini Code Assist in GitHub here. Gemini can make mistakes, so double check it and use code with caution. ↩

[github-actions]

Size Change: +2.27 kB (+0.01%)

Total Size: 26.2 MB

Filename	Size	Change
./bundle/chunk-D4UIQLPZ.js	0 B	-13.5 MB (removed)	🏆
./bundle/chunk-VHGQ6DP2.js	0 B	-3.62 MB (removed)	🏆
./bundle/core-J3LLDXJD.js	0 B	-41.1 kB (removed)	🏆
./bundle/devtoolsService-Z6FZLLHM.js	0 B	-27.7 kB (removed)	🏆
./bundle/interactiveCli-S5LCTDKV.js	0 B	-1.6 MB (removed)	🏆
./bundle/oauth2-provider-OYD37VZO.js	0 B	-9.19 kB (removed)	🏆
./bundle/chunk-H6JKIVE5.js	13.5 MB	+13.5 MB (new file)	🆕
./bundle/chunk-PK33Z7LK.js	3.62 MB	+3.62 MB (new file)	🆕
./bundle/core-KKOU42J7.js	41.1 kB	+41.1 kB (new file)	🆕
./bundle/devtoolsService-BATSMCBH.js	27.7 kB	+27.7 kB (new file)	🆕
./bundle/interactiveCli-KXWFWSIM.js	1.6 MB	+1.6 MB (new file)	🆕
./bundle/oauth2-provider-X3QBXIKG.js	9.19 kB	+9.19 kB (new file)	🆕

ℹ️ View Unchanged

Filename	Size
./bundle/chunk-34MYV7JD.js	2.45 kB
./bundle/chunk-37ZTTFQF.js	966 kB
./bundle/chunk-5AUYMPVF.js	858 B
./bundle/chunk-664ZODQF.js	124 kB
./bundle/chunk-DAHVX5MI.js	206 kB
./bundle/chunk-GUH5F274.js	1.95 MB
./bundle/chunk-IUUIT4SU.js	56.5 kB
./bundle/chunk-RJTRUG2J.js	39.8 kB
./bundle/devtools-36NN55EP.js	696 kB
./bundle/dist-T73EYRDX.js	356 B
./bundle/gemini.js	695 kB
./bundle/getMachineId-bsd-TXG52NKR.js	1.55 kB
./bundle/getMachineId-darwin-7OE4DDZ6.js	1.55 kB
./bundle/getMachineId-linux-SHIFKOOX.js	1.34 kB
./bundle/getMachineId-unsupported-5U5DOEYY.js	1.06 kB
./bundle/getMachineId-win-6KLLGOI4.js	1.72 kB
./bundle/memoryDiscovery-AXX4BZNZ.js	922 B
./bundle/multipart-parser-KPBZEGQU.js	11.7 kB
./bundle/node_modules/@google/gemini-cli-devtools/dist/client/main.js	221 kB
./bundle/node_modules/@google/gemini-cli-devtools/dist/src/_client-assets.js	227 kB
./bundle/node_modules/@google/gemini-cli-devtools/dist/src/index.js	11.5 kB
./bundle/node_modules/@google/gemini-cli-devtools/dist/src/types.js	132 B
./bundle/sandbox-macos-permissive-open.sb	890 B
./bundle/sandbox-macos-permissive-proxied.sb	1.31 kB
./bundle/sandbox-macos-restrictive-open.sb	3.36 kB
./bundle/sandbox-macos-restrictive-proxied.sb	3.56 kB
./bundle/sandbox-macos-strict-open.sb	4.82 kB
./bundle/sandbox-macos-strict-proxied.sb	5.02 kB
./bundle/src-QVCVGIUX.js	47 kB
./bundle/tree-sitter-7U6MW5PS.js	274 kB
./bundle/tree-sitter-bash-34ZGLXVX.js	1.84 MB
./bundle/undici-4X2YZID5.js	360 B

_{compressed-size-action}

[gemini-code-assist]

Code Review

This pull request introduces a Linux sandbox using bubblewrap. While this is a good step towards process isolation, the current implementation has significant security weaknesses. The sandbox configuration is overly permissive, allowing read-only access to the entire host filesystem and direct access to host devices. Additionally, all additional paths are mounted as read-write, violating the principle of least privilege, and the environment sanitization logic can be bypassed, potentially leaking sensitive host environment variables. These issues need to be addressed to ensure effective isolation, requiring differentiation between read-only and read-write paths and corresponding test updates.