Sandbox Support?

[dwt]

Please explain the motivation behind the feature request.
I would very much like to give the agent more independence with command execution, but cannot do so without more restrictions to what it can do.

Sandboxing the agent is a way forward that would allow this, bubblewrap (linux) and seatbelt (darwin) can support this and do not require to run inside a docker container (which still cannot sandbox network access, which is a big problem).

Would you be up for that?

Describe the solution you'd like
If you want to go down that implementation route, I really like https://github.com/anthropic-experimental/sandbox-runtime to unify sandboxing on linux and darwin, which could greatly help getting this up and running much faster.

Describe alternatives you've considered
Docker Containers: Lots of setup, when coding on mac, switch to linux inside, hard to use and debug for inexperienced developers, bad developer UX, no network sandboxing out of the box.

• I have verified this does not duplicate an existing feature request

[taniacryptid]

Let me tag @block/goose-core-maintainers to add their thoughts on this!

[DorianZheng]

I've created a proposal for using BoxLite as a sandbox option: #6040

BoxLite provides VM-level isolation (separate kernel) without requiring a daemon, and since it's written in Rust like Goose, integration would be straightforward.

[nothingmuch]

FWIW i've found the following bubblewrap options useful for sandboxing goose itself, some of the ro-binds are nixos specific:

bwrap --unshare-all --share-net \
  --tmpfs / --dir /tmp  --proc /proc --dev /dev/ \
  --ro-bind /etc/nix{,} --ro-bind /etc/static/nix{,} \
  --ro-bind /etc/ssl{,} --ro-bind /etc/static/ssl{,} \
  --ro-bind /run/current-system{,} --ro-bind /nix/{,} \
  --bind ~/.config/goose/{,} \
  --bind "$PWD"{,} \
  goose

[DorianZheng]

Thanks for sharing your bubblewrap config @nothingmuch! That's a solid setup for namespace-based isolation.

Curious to hear more about your experience — is this working well for your use cases? Have you run into any friction with the permission restrictions, or does it cover what you need the
agent to do?

One note on the different approaches: bubblewrap restricts what the agent can do within your host environment. BoxLite takes a different approach — instead of restricting the agent, it
gives the agent a complete isolated environment where it has full permissions to do anything (install packages, modify system configs, etc.) without affecting your host.

Different trade-offs for different use cases. Bubblewrap is great for lightweight isolation when you want the agent to work directly on your files with guardrails. BoxLite is better
when you want to let the agent run wild safely.

[DOsinga]

we have sandbox support for the mac now.

The whole system is opt-in — set GOOSE_SANDBOX=true and it only works on macOS (checks for /usr/bin/sandbox-exec). The sandbox profile and proxy scripts are materialized at runtime into ~/.config/goose/sandbox/, which is itself write-protected from the sandboxed process.