Skip to content

feat(run): port-scope macOS sandbox-exec loopback to Firma endpoints#233

Merged
luca-iachini merged 2 commits into
mainfrom
fir-383-macos-loopback-scope
Jul 8, 2026
Merged

feat(run): port-scope macOS sandbox-exec loopback to Firma endpoints#233
luca-iachini merged 2 commits into
mainfrom
fir-383-macos-loopback-scope

Conversation

@luca-iachini

@luca-iachini luca-iachini commented Jul 6, 2026

Copy link
Copy Markdown
Contributor

What

macOS experimental sandbox-exec structural mode: the TrustedBSD MAC profile denies all outbound, then re-allows loopback only to the proxy bridge and DNS stub ports (previously all of loopback was reachable). Other host loopback services are now denied.

Structural block only — sandbox-exec denials are not delivered to the Sidecar, so macOS emits no per-attempt signed audit event (known gap vs the Linux seccomp guard).

@codecov

codecov Bot commented Jul 6, 2026

Copy link
Copy Markdown

Codecov Report

❌ Patch coverage is 96.10390% with 3 lines in your changes missing coverage. Please review.

Files with missing lines Patch % Lines
crates/firma-run/src/backend/macos_vz.rs 96.10% 2 Missing and 1 partial ⚠️

📢 Thoughts on this report? Let us know!

@luca-iachini luca-iachini requested a review from falcucci July 6, 2026 16:30
Scope sandbox-exec loopback access to Firma's own ports so the wrapped
agent cannot reach other local services.
@luca-iachini luca-iachini force-pushed the fir-383-macos-loopback-scope branch from 02bfde9 to 18bd696 Compare July 8, 2026 09:20
@luca-iachini luca-iachini merged commit 77b34b3 into main Jul 8, 2026
15 checks passed
@luca-iachini luca-iachini deleted the fir-383-macos-loopback-scope branch July 8, 2026 09:48
luca-iachini added a commit that referenced this pull request Jul 8, 2026
## What

Documents the loopback egress enforcement model across backends:

- `docs-site/src/content/docs/concepts/sandbox.md` — new **Loopback
blocking** section (Linux seccomp guard, macOS sandbox-exec port-scope,
proxy-only backends), updated network-boundary / proxy-bridge prose, and
structural/invariant tables.
- `crates/firma-run/src/backend/windows_wsl2.rs` — comment documenting
the WSL2/Windows gap: the seccomp guard is Linux-host-only and not wired
across the Windows->guest boundary; WSL2 stays proxy-only.

`llms.txt` audit-channel + `network.loopback` action-class registry
entries land in the branches that own them (#231 base; #232 linux; #233
macOS).

## Stack

Based on #231 (audit channel, for the `network.loopback` model). Part of
the fir-383 split replacing #216.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant