Add audit hook-based sandbox for Python workers

Implement sandboxing for Python workers using Python's audit hook
mechanism (PEP 578). This allows per-worker configuration of blocked
operations:

- file_write: Blocks open() with write/append/create modes
- file_read: Blocks all file read operations
- subprocess: Blocks subprocess.Popen, os.system, os.exec*, os.spawn*
- network: Blocks socket.* operations
- ctypes: Blocks ctypes module (memory access)
- import: Blocks non-whitelisted imports
- exec: Blocks compile(), exec(), eval()

Features:
- Strict preset (blocks subprocess, network, ctypes, file_write)
- Per-worker sandbox policy with dynamic enable/disable
- Import whitelist support
- Thread-safe policy updates via atomic flags and mutex
- High-level py:call_sandboxed/4,5 API
- Documentation in docs/sandbox.md

Author: benoitc

c_src/py_nif.c

@@ -39,6 +39,7 @@
 #include "py_nif.h"
 #include "py_asgi.h"
 #include "py_wsgi.h"
+#include "py_sandbox.h"
 
 /* ============================================================================
  * Global state definitions
@@ -138,6 +139,7 @@ static ERL_NIF_TERM build_suspended_result(ErlNifEnv *env, suspended_state_t *su
 #include "py_event_loop.c"
 #include "py_asgi.c"
 #include "py_wsgi.c"
+#include "py_sandbox.c"
 
 /* ============================================================================
  * Resource callbacks
@@ -155,6 +157,12 @@ static void worker_destructor(ErlNifEnv *env, void *obj) {
         close(worker->callback_pipe[1]);
     }
 
+    /* Clean up sandbox policy */
+    if (worker->sandbox != NULL) {
+        sandbox_policy_destroy(worker->sandbox);
+        worker->sandbox = NULL;
+    }
+
     /* Only clean up Python state if Python is still initialized */
     if (worker->thread_state != NULL && g_python_initialized) {
         PyEval_RestoreThread(worker->thread_state);
@@ -415,6 +423,13 @@ static ERL_NIF_TERM nif_py_init(ErlNifEnv *env, int argc, const ERL_NIF_TERM arg
     /* Detect execution mode based on Python version and build */
     detect_execution_mode();
 
+    /* Initialize sandbox system (audit hooks) */
+    if (init_sandbox_system() < 0) {
+        Py_Finalize();
+        g_python_initialized = false;
+        return make_error(env, "sandbox_init_failed");
+    }
+
     /* Save main thread state and release GIL for other threads */
     g_main_thread_state = PyEval_SaveThread();
 
@@ -535,9 +550,6 @@ static ERL_NIF_TERM nif_finalize(ErlNifEnv *env, int argc, const ERL_NIF_TERM ar
  * ============================================================================ */
 
 static ERL_NIF_TERM nif_worker_new(ErlNifEnv *env, int argc, const ERL_NIF_TERM argv[]) {
-    (void)argc;
-    (void)argv;
-
     if (!g_python_initialized) {
         return make_error(env, "python_not_initialized");
     }
@@ -547,6 +559,28 @@ static ERL_NIF_TERM nif_worker_new(ErlNifEnv *env, int argc, const ERL_NIF_TERM
         return make_error(env, "alloc_failed");
     }
 
+    /* Initialize sandbox to NULL */
+    worker->sandbox = NULL;
+
+    /* Parse options if provided */
+    if (argc > 0 && enif_is_map(env, argv[0])) {
+        ERL_NIF_TERM sandbox_key = enif_make_atom(env, "sandbox");
+        ERL_NIF_TERM sandbox_opts;
+        if (enif_get_map_value(env, argv[0], sandbox_key, &sandbox_opts)) {
+            /* Create and configure sandbox policy */
+            worker->sandbox = sandbox_policy_new();
+            if (worker->sandbox == NULL) {
+                enif_release_resource(worker);
+                return make_error(env, "sandbox_alloc_failed");
+            }
+            if (parse_sandbox_options(env, sandbox_opts, worker->sandbox) < 0) {
+                sandbox_policy_destroy(worker->sandbox);
+                enif_release_resource(worker);
+                return make_error(env, "invalid_sandbox_options");
+            }
+        }
+    }
+
     /* Acquire GIL to create thread state */
     PyGILState_STATE gstate = PyGILState_Ensure();
 
@@ -993,6 +1027,77 @@ static ERL_NIF_TERM nif_send_callback_response(ErlNifEnv *env, int argc, const E
     return ATOM_OK;
 }
 
+/* ============================================================================
+ * Sandbox control NIFs
+ * ============================================================================ */
+
+static ERL_NIF_TERM nif_sandbox_set_policy(ErlNifEnv *env, int argc, const ERL_NIF_TERM argv[]) {
+    (void)argc;
+    py_worker_t *worker;
+
+    if (!enif_get_resource(env, argv[0], WORKER_RESOURCE_TYPE, (void **)&worker)) {
+        return make_error(env, "invalid_worker");
+    }
+
+    /* Create policy if it doesn't exist */
+    if (worker->sandbox == NULL) {
+        worker->sandbox = sandbox_policy_new();
+        if (worker->sandbox == NULL) {
+            return make_error(env, "sandbox_alloc_failed");
+        }
+    }
+
+    /* Update policy with new options */
+    if (sandbox_policy_update(env, worker->sandbox, argv[1]) < 0) {
+        return make_error(env, "invalid_policy");
+    }
+
+    return ATOM_OK;
+}
+
+static ERL_NIF_TERM nif_sandbox_enable(ErlNifEnv *env, int argc, const ERL_NIF_TERM argv[]) {
+    (void)argc;
+    py_worker_t *worker;
+
+    if (!enif_get_resource(env, argv[0], WORKER_RESOURCE_TYPE, (void **)&worker)) {
+        return make_error(env, "invalid_worker");
+    }
+
+    char enabled[16];
+    if (!enif_get_atom(env, argv[1], enabled, sizeof(enabled), ERL_NIF_LATIN1)) {
+        return make_error(env, "invalid_enabled");
+    }
+
+    bool enable = (strcmp(enabled, "true") == 0);
+
+    if (worker->sandbox == NULL) {
+        if (!enable) {
+            /* Already disabled - no sandbox exists */
+            return ATOM_OK;
+        }
+        /* Need to enable but no sandbox - create one with empty policy */
+        worker->sandbox = sandbox_policy_new();
+        if (worker->sandbox == NULL) {
+            return make_error(env, "sandbox_alloc_failed");
+        }
+    }
+
+    sandbox_policy_set_enabled(worker->sandbox, enable);
+    return ATOM_OK;
+}
+
+static ERL_NIF_TERM nif_sandbox_get_policy(ErlNifEnv *env, int argc, const ERL_NIF_TERM argv[]) {
+    (void)argc;
+    py_worker_t *worker;
+
+    if (!enif_get_resource(env, argv[0], WORKER_RESOURCE_TYPE, (void **)&worker)) {
+        return make_error(env, "invalid_worker");
+    }
+
+    ERL_NIF_TERM policy_map = sandbox_policy_to_term(env, worker->sandbox);
+    return enif_make_tuple2(env, ATOM_OK, policy_map);
+}
+
 /* ============================================================================
  * Async worker NIFs
  * ============================================================================ */
@@ -1827,6 +1932,11 @@ static ErlNifFunc nif_funcs[] = {
     {"send_callback_response", 2, nif_send_callback_response, 0},
     {"resume_callback", 2, nif_resume_callback, 0},
 
+    /* Sandbox support */
+    {"sandbox_set_policy", 2, nif_sandbox_set_policy, 0},
+    {"sandbox_enable", 2, nif_sandbox_enable, 0},
+    {"sandbox_get_policy", 1, nif_sandbox_get_policy, 0},
+
     /* Async worker management */
     {"async_worker_new", 0, nif_async_worker_new, 0},
     {"async_worker_destroy", 1, nif_async_worker_destroy, 0},

c_src/py_nif.h

@@ -102,6 +102,9 @@
 #include <sys/select.h>
 /** @} */
 
+/* Forward declaration for sandbox policy */
+typedef struct sandbox_policy_t sandbox_policy_t;
+
 /* ============================================================================
  * Feature Detection Macros
  * ============================================================================ */
@@ -239,6 +242,9 @@ typedef struct {
 
     /** @brief Environment for building callback messages */
     ErlNifEnv *callback_env;
+
+    /** @brief Sandbox policy (NULL if no sandboxing) */
+    sandbox_policy_t *sandbox;
 } py_worker_t;
 
 /**