Palyra employs a multi-layered security architecture to execute untrusted code and system commands. This system is designed to provide defense-in-depth by combining static validation, operating system resource limits, and kernel-level isolation namespaces.

Three-Tier Sandbox Architecture

The execution environment is divided into three distinct tiers, each offering a different trade-off between capability and isolation.
Tier    Technology               Scope                       Primary Use Case
Tier-A  Wasmtime (WebAssembly)   Full instruction isolation  Third-party skills, untrusted logic, and cross-platform plugins.
Tier-B  rlimits / POSIX          Resource constraints        Local process execution with CPU/memory/FD limits on Unix systems.
Tier-C  bwrap / sandbox-exec     OS-level namespacing        Hardened isolation for system commands (Bubblewrap on Linux, sandbox-exec on macOS).

Tier-A: Wasm Runtime

Tier-A uses wasmtime to execute WebAssembly modules. It provides the strongest isolation of the three tiers: guest code runs on a virtual instruction set against its own linear memory and can reach the host only through functions the host explicitly imports. Execution is metered with wasmtime “fuel”: every instruction consumes fuel, so a module stuck in an infinite loop is trapped when its allotment runs out. Fuel bounds CPU, not memory; memory growth has to be capped separately (through the module's declared memory maximum or the store's resource limiter) so a module cannot exhaust host memory before it runs out of fuel.

Tier-B: Resource Limits

Tier-B is implemented in crates/palyra-daemon/src/sandbox_runner.rs. It bounds the process's CPU time, memory and open file descriptors with standard POSIX resource limits (rlimits). These limits cap how much of the host a runaway process can consume, but they do not restrict what the process can see or reach; filesystem and network confinement is the job of Tier-C.

Tier-C: Kernel Isolation

Tier-C leverages platform-specific sandboxing tools to create a restricted view of the filesystem and network. Sources:
  • crates/palyra-daemon/src/sandbox_runner.rs 64-93
  • crates/palyra-sandbox/src/lib.rs 7-35

Tool Execution Pipeline

When a model or agent requests a tool call (e.g., palyra.process.run), the request passes through a validation and execution pipeline managed by the tool_protocol.

Execution Flow Diagram

[Diagram: Tool Execution Flow] The diagram bridges the ToolCallConfig and PolicyDecision entities to the underlying execution functions. Sources:
  • crates/palyra-daemon/src/tool_protocol.rs 20-44
  • crates/palyra-daemon/src/sandbox_runner.rs 147-210

Validation and Guardrails

Before any process is spawned, the sandbox_runner performs a series of “Preflight” checks to ensure the command does not violate safety boundaries.
  1. Executable Denylist: Shells and script interpreters (e.g., bash, powershell, node) are blocked by default, so a tool call cannot turn an argument string into arbitrary script execution or use an interpreter to sidestep the argument-level checks that follow crates/palyra-daemon/src/sandbox_runner.rs#30-44.
  2. Workspace Anchoring: Commands and arguments are validated to ensure they only refer to paths within the configured workspace_root. Any argument containing a .. component, or an absolute path that does not lie under the root, results in a WorkspaceScopeDenied error crates/palyra-daemon/src/sandbox_runner.rs#172-180. A check of this kind is lexical unless the paths are canonicalized first, so a symlink inside the workspace that points outside it needs separate handling.
  3. Input Shape: The JSON payload is parsed into ProcessRunnerToolInput and checked against maximum argument counts and lengths before any content-level validation runs crates/palyra-common/src/process_runner_input.rs#7-17.
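The three preflight checks as one function, written here as an added illustration rather than Palyra's own code. The struct and field names, the limits and the denylist contents are assumptions; the real ones live in process_runner_input.rs and sandbox_runner.rs. The workspace check is deliberately lexical: it rejects `..` components and absolute paths outside the root, and it does not resolve symlinks.

```rust
use std::path::{Component, Path};

/// Stand-in for ProcessRunnerToolInput; the field names are assumptions.
#[derive(Debug)]
pub struct ProcessRunInput {
    pub program: String,
    pub args: Vec<String>,
}

#[derive(Debug, PartialEq)]
pub enum PreflightError {
    TooManyArgs(usize),
    ArgTooLong(usize),
    ExecutableDenied(String),
    WorkspaceScopeDenied(String),
}

// Illustrative limits; the real bounds live in process_runner_input.rs.
const MAX_ARGS: usize = 64;
const MAX_ARG_LEN: usize = 4096;

// Interpreters that turn an argument string into arbitrary code (illustrative list).
const DENIED_EXECUTABLES: &[&str] = &[
    "sh", "bash", "zsh", "dash", "cmd", "powershell", "pwsh", "node", "python", "python3", "perl",
];

/// Match on the basename so `/bin/bash` and `bash` are treated alike.
fn executable_name(program: &str) -> String {
    Path::new(program)
        .file_name()
        .map(|f| f.to_string_lossy().into_owned())
        .unwrap_or_else(|| program.to_string())
}

/// Lexical anchoring: any `..` component is rejected, an absolute path must lie under
/// `root`, and a relative path is taken relative to `root`. Symlinks are not resolved
/// here; a runner that needs that must canonicalize against the filesystem first.
fn inside_workspace(candidate: &str, root: &Path) -> bool {
    let p = Path::new(candidate);
    if p.components().any(|c| matches!(c, Component::ParentDir)) {
        return false;
    }
    !p.is_absolute() || p.starts_with(root)
}

/// Only path-shaped arguments are anchored; bare flags such as `-v` or `status` pass.
fn looks_like_path(arg: &str) -> bool {
    arg.contains('/') || arg.starts_with('.')
}

pub fn preflight(input: &ProcessRunInput, workspace_root: &Path) -> Result<(), PreflightError> {
    // Input shape: bound count and size before looking at content.
    if input.args.len() > MAX_ARGS {
        return Err(PreflightError::TooManyArgs(input.args.len()));
    }
    if let Some(a) = input.args.iter().find(|a| a.len() > MAX_ARG_LEN) {
        return Err(PreflightError::ArgTooLong(a.len()));
    }
    // Executable denylist: refuse interpreters regardless of where they sit on disk.
    let name = executable_name(&input.program);
    if DENIED_EXECUTABLES.contains(&name.as_str()) {
        return Err(PreflightError::ExecutableDenied(name));
    }
    // Workspace anchoring: every path-shaped argument must stay under the root.
    for arg in &input.args {
        if looks_like_path(arg) && !inside_workspace(arg, workspace_root) {
            return Err(PreflightError::WorkspaceScopeDenied(arg.clone()));
        }
    }
    Ok(())
}

fn main() {
    let root = Path::new("/work/proj");
    let call = ProcessRunInput {
        program: "cat".into(),
        args: vec!["../../etc/passwd".into()],
    };
    println!("{:?}", preflight(&call, root));
}
```

The order matters: size limits run first so that a huge payload is rejected before any per-argument work, and the denylist runs before anchoring so that `bash -c "cat ../../etc/passwd"` is refused on the interpreter rather than relying on the path check to spot the traversal inside a quoted string.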

Egress Enforcement Modes

Palyra manages network access through three modes defined in EgressEnforcementMode crates/palyra-daemon/src/sandbox_runner.rs#47-62:
  • None: No network restrictions are applied.
  • Preflight: Validates the requested_egress_hosts against the allowed_egress_hosts list in the policy before execution; a request naming a host outside the list is rejected. This is a pre-spawn check only and, unlike Strict, does not itself isolate the process's network at runtime.
  • Strict: Requires the underlying Tier-C backend to support runtime network isolation (e.g., --unshare-net in Bubblewrap). If the backend cannot enforce it, execution is denied rather than silently downgraded to Preflight crates/palyra-daemon/src/sandbox_runner.rs#192-194.
Sources:
  • crates/palyra-daemon/src/sandbox_runner.rs 167-196
  • crates/palyra-common/src/process_runner_input.rs 26-31
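The three modes as a decision function, added here as an illustration and not taken from Palyra's sandbox_runner. The BackendCapabilities struct and its supports_network_isolation flag are assumptions standing in for whatever the real TierCBackend exposes, and the choice to run the host allowlist check under Strict as well as Preflight is also an assumption.

```rust
#[derive(Clone, Copy, Debug, PartialEq)]
pub enum EgressEnforcementMode {
    None,
    Preflight,
    Strict,
}

#[derive(Debug, PartialEq)]
pub enum EgressError {
    HostNotAllowed(String),
    BackendCannotIsolateNetwork,
}

/// What the Tier-C backend can do; `supports_network_isolation` is an assumed capability
/// flag standing in for whatever the real TierCBackend exposes.
pub struct BackendCapabilities {
    pub supports_network_isolation: bool,
}

/// Result of the egress decision handed to the spawner.
#[derive(Debug, PartialEq)]
pub struct EgressPlan {
    /// true => the backend must be asked for network isolation (bwrap --unshare-net)
    pub unshare_net: bool,
    /// None => unrestricted; Some(hosts) => the validated, normalized request
    pub allowed_hosts: Option<Vec<String>>,
}

/// Normalize so `API.Example.com.` and `api.example.com` compare equal.
fn normalize_host(host: &str) -> String {
    host.trim().trim_end_matches('.').to_ascii_lowercase()
}

/// Exact-match allowlist check of requested_egress_hosts against allowed_egress_hosts.
fn preflight_hosts(requested: &[&str], allowed: &[&str]) -> Result<Vec<String>, EgressError> {
    let allowed: Vec<String> = allowed.iter().map(|h| normalize_host(h)).collect();
    let mut granted = Vec::with_capacity(requested.len());
    for host in requested {
        let h = normalize_host(host);
        if !allowed.contains(&h) {
            return Err(EgressError::HostNotAllowed(h));
        }
        granted.push(h);
    }
    Ok(granted)
}

pub fn plan_egress(
    mode: EgressEnforcementMode,
    requested: &[&str],
    allowed: &[&str],
    backend: &BackendCapabilities,
) -> Result<EgressPlan, EgressError> {
    match mode {
        EgressEnforcementMode::None => Ok(EgressPlan { unshare_net: false, allowed_hosts: None }),
        EgressEnforcementMode::Preflight => Ok(EgressPlan {
            unshare_net: false,
            allowed_hosts: Some(preflight_hosts(requested, allowed)?),
        }),
        EgressEnforcementMode::Strict => {
            // Fail closed: never downgrade to Preflight when the backend cannot isolate.
            if !backend.supports_network_isolation {
                return Err(EgressError::BackendCannotIsolateNetwork);
            }
            Ok(EgressPlan {
                unshare_net: true,
                allowed_hosts: Some(preflight_hosts(requested, allowed)?),
            })
        }
    }
}

fn main() {
    // Constructed policy and backend for the demonstration.
    let allowed = ["api.example.com", "registry.example.org"];
    let bwrap = BackendCapabilities { supports_network_isolation: true };
    let no_ns = BackendCapabilities { supports_network_isolation: false };
    println!("{:?}", plan_egress(EgressEnforcementMode::Preflight, &["API.example.com."], &allowed, &bwrap));
    println!("{:?}", plan_egress(EgressEnforcementMode::Strict, &["api.example.com"], &allowed, &no_ns));
}
```

Note that with a bwrap --unshare-net plan the process has no network at all, so under Strict the validated host list only means something if the daemon bridges those hosts in through a proxy or socket it controls; the list is not something the kernel enforces.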

Output Quota and Capture

To prevent Denial of Service (DoS) via log flooding or massive output, the sandbox captures stdout and stderr with a strict quota.

Capture Mechanism

The execute_process function initializes a StreamCapture for each output pipe. A monitoring loop reads chunks (default 4 KB) from each stream and adds the chunk length to a shared AtomicUsize counter. [Diagram: Output Capture & Quota Logic] If the running total across both streams exceeds the max_output_bytes defined in the SandboxProcessRunnerPolicy, the child process is terminated immediately instead of being allowed to keep writing crates/palyra-daemon/src/sandbox_runner.rs#219-227. Sources:
  • crates/palyra-daemon/src/sandbox_runner.rs 131-146
  • crates/palyra-daemon/src/sandbox_runner.rs 92-93
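A self-contained version of the capture-and-quota loop, added here as an illustration rather than Palyra's execute_process. Two reader threads pull 4 KB chunks from their stream, charge each chunk against one shared AtomicUsize, and stop as soon as either stream pushes the total past the limit. The child's pipes are replaced by in-memory Cursors holding constructed output, and the point where a real runner would call child.kill() is marked in a comment.

```rust
use std::io::{Cursor, Read};
use std::sync::atomic::{AtomicBool, AtomicUsize, Ordering};
use std::sync::Arc;
use std::thread;

/// Default chunk size from the page; both streams share one counter.
const CHUNK_SIZE: usize = 4096;

#[derive(Default)]
pub struct OutputQuota {
    pub total: AtomicUsize,
    pub exceeded: AtomicBool,
}

#[derive(Debug)]
pub struct Captured {
    pub stdout: Vec<u8>,
    pub stderr: Vec<u8>,
    pub total_bytes: usize,
    pub quota_exceeded: bool,
}

/// One StreamCapture-style reader: pulls CHUNK_SIZE blocks, charges them against the
/// shared counter, and stops as soon as either stream has pushed the total past the limit.
fn capture_stream<R: Read + Send + 'static>(
    mut reader: R,
    quota: Arc<OutputQuota>,
    max_output_bytes: usize,
) -> thread::JoinHandle<Vec<u8>> {
    thread::spawn(move || {
        let mut out = Vec::new();
        let mut buf = [0u8; CHUNK_SIZE];
        loop {
            if quota.exceeded.load(Ordering::SeqCst) {
                break; // the other stream already blew the quota
            }
            let n = match reader.read(&mut buf) {
                Ok(0) | Err(_) => break,
                Ok(n) => n,
            };
            // fetch_add returns the previous total, so prev + n is the new running total.
            let prev = quota.total.fetch_add(n, Ordering::SeqCst);
            if prev + n > max_output_bytes {
                // In a real runner this is where child.kill() is issued.
                quota.exceeded.store(true, Ordering::SeqCst);
                break;
            }
            out.extend_from_slice(&buf[..n]);
        }
        out
    })
}

/// Capture both pipes of a child under one shared byte quota.
pub fn capture_with_quota<A, B>(stdout: A, stderr: B, max_output_bytes: usize) -> Captured
where
    A: Read + Send + 'static,
    B: Read + Send + 'static,
{
    let quota = Arc::new(OutputQuota::default());
    let out = capture_stream(stdout, Arc::clone(&quota), max_output_bytes);
    let err = capture_stream(stderr, Arc::clone(&quota), max_output_bytes);
    let stdout = out.join().expect("stdout capture thread panicked");
    let stderr = err.join().expect("stderr capture thread panicked");
    Captured {
        stdout,
        stderr,
        total_bytes: quota.total.load(Ordering::SeqCst),
        quota_exceeded: quota.exceeded.load(Ordering::SeqCst),
    }
}

/// Constructed sample: a chatty child that writes 8 000 bytes to stdout and 5 000 to stderr.
pub fn sample_child_output() -> (Cursor<Vec<u8>>, Cursor<Vec<u8>>) {
    (Cursor::new(vec![b'o'; 8_000]), Cursor::new(vec![b'e'; 5_000]))
}

fn main() {
    let (out, err) = sample_child_output();
    let within = capture_with_quota(out, err, 20_000);
    println!("within quota: total={} exceeded={}", within.total_bytes, within.quota_exceeded);
    let (out, err) = sample_child_output();
    let flooded = capture_with_quota(out, err, 10_000);
    println!("flooded: total={} exceeded={}", flooded.total_bytes, flooded.quota_exceeded);
}
```

Charging the counter before appending the chunk is what makes the quota a hard cap on retained bytes: a chunk is only kept if the total including it is still within max_output_bytes, so the captured data can never exceed the limit even when both streams race.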

Implementation Details: Tier-C Backends

The palyra-sandbox crate abstracts the complexities of platform-specific isolation into the TierCBackend trait crates/palyra-sandbox/src/lib.rs#81-91.

Linux (Bubblewrap)

The LinuxBubblewrapBackend builds a command plan that:

macOS (sandbox-exec)

The MacosSandboxExecBackend generates a temporary profile in Apple's sandbox profile language (the (version 1) syntax), allowing file-read* and file-write* only for the workspace directory and the system paths the command needs. Sources:
  • crates/palyra-sandbox/src/lib.rs 107-183 (Linux)
  • crates/palyra-sandbox/src/lib.rs 240-270 (macOS)
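To make the two backends concrete, here is an added example (not Palyra's LinuxBubblewrapBackend or MacosSandboxExecBackend) that builds a bwrap argv for Linux and a (version 1) profile for sandbox-exec on macOS from the same request. Every bwrap flag and every SBPL operation used is real, but which of them Palyra's backends actually emit is not shown on this page, so the specific plan and profile are assumptions; the TierCRequest struct is likewise invented for the example.

```rust
use std::path::Path;

/// Minimal request shape for the example; the real TierCBackend trait takes its own types.
pub struct TierCRequest<'a> {
    pub workspace: &'a Path,
    pub program: &'a str,
    pub args: &'a [&'a str],
    pub unshare_net: bool,
}

/// Linux: a bwrap argv. Every flag is a real bwrap option; which ones Palyra uses is assumed.
pub fn bwrap_plan(req: &TierCRequest) -> Vec<String> {
    let ws = req.workspace.to_string_lossy().into_owned();
    let mut argv: Vec<String> = [
        "bwrap",
        "--die-with-parent", // sandbox dies with the daemon
        "--new-session",     // new session: no controlling tty to inject keystrokes into
        "--unshare-pid",     // fresh PID namespace, so /proc shows only the sandbox
        "--proc", "/proc",
        "--dev", "/dev",     // minimal /dev, not the host's
        "--tmpfs", "/tmp",   // private scratch space
    ]
    .iter()
    .map(|s| s.to_string())
    .collect();
    // Toolchain and libraries read-only; the `-try` variant skips paths missing on the host.
    for dir in ["/usr", "/bin", "/lib", "/lib64", "/etc"] {
        argv.extend(["--ro-bind-try", dir, dir].iter().map(|s| s.to_string()));
    }
    // The workspace is the only writable host path, and the process starts inside it.
    argv.extend(["--bind".to_string(), ws.clone(), ws.clone(), "--chdir".to_string(), ws]);
    if req.unshare_net {
        argv.push("--unshare-net".to_string()); // empty network namespace: no sockets out
    }
    argv.push("--".to_string());
    argv.push(req.program.to_string());
    argv.extend(req.args.iter().map(|a| a.to_string()));
    argv
}

/// macOS: a sandbox-exec profile in the (version 1) SBPL dialect. Deny-by-default, with
/// reads limited to the toolchain and the workspace and writes limited to the workspace.
/// The exact operations Palyra allows are not on the page; this set is an assumption.
pub fn sandbox_exec_profile(req: &TierCRequest) -> String {
    let ws = req.workspace.to_string_lossy();
    let network = if req.unshare_net { "(deny network*)" } else { "(allow network-outbound)" };
    format!(
        "(version 1)\n\
         (deny default)\n\
         (allow process-exec process-fork)\n\
         (allow sysctl-read)\n\
         (allow file-read-metadata)\n\
         (allow file-read* (subpath \"/usr\") (subpath \"/bin\") (subpath \"/System\") \
         (subpath \"/Library\") (subpath \"/private/etc\") (subpath \"/dev\"))\n\
         (allow file-write* (subpath \"/dev\") (subpath \"/private/tmp\"))\n\
         (allow file-read* file-write* (subpath \"{ws}\"))\n\
         {network}\n"
    )
}

fn main() {
    let args = ["status"];
    let req = TierCRequest {
        workspace: Path::new("/home/dev/proj"),
        program: "git",
        args: &args,
        unshare_net: true,
    };
    println!("{}", bwrap_plan(&req).join(" "));
    println!("{}", sandbox_exec_profile(&req));
}
```

The asymmetry between the two is the caveat a practitioner should keep in mind when reading the Strict egress mode: --unshare-net gives the process a kernel namespace with no interfaces, whereas the macOS profile's (deny network*) is a policy rule evaluated by the sandbox on each syscall, and sandbox-exec itself is deprecated by Apple even though it still works. A backend that reports it cannot isolate the network should make Strict fail closed, as the page describes.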