summaryrefslogtreecommitdiff
path: root/scripts/sandbox_command.sh
diff options
context:
space:
mode:
authorOlcan <[email protected]>2025-05-09 08:44:40 -0700
committerGitHub <[email protected]>2025-05-09 08:44:40 -0700
commitb35a3856a28a08bda81443a6702e1ee1d4f40103 (patch)
treeef6b7cfa38d1eab9ab8a7b56edbfea51c5bbd1c3 /scripts/sandbox_command.sh
parentbaa26e9e2e55a588a4e29c0a425c14ff8e6b4ef0 (diff)
fix debugging with seatbelt, including in strict profile (#300)
Diffstat (limited to 'scripts/sandbox_command.sh')
-rwxr-xr-xscripts/sandbox_command.sh40
1 files changed, 21 insertions, 19 deletions
diff --git a/scripts/sandbox_command.sh b/scripts/sandbox_command.sh
index f527292c..1eed9ad3 100755
--- a/scripts/sandbox_command.sh
+++ b/scripts/sandbox_command.sh
@@ -54,35 +54,37 @@ if [ -z "${GEMINI_CODE_SANDBOX:-}" ]; then
done
fi
-# if GEMINI_CODE_SANDBOX is still not set, then exit immediately w/ code 1
-if [ -z "${GEMINI_CODE_SANDBOX:-}" ]; then exit 1; fi
-
# lowercase GEMINI_CODE_SANDBOX
GEMINI_CODE_SANDBOX=$(echo "${GEMINI_CODE_SANDBOX:-}" | tr '[:upper:]' '[:lower:]')
-# if GEMINI_CODE_SANDBOX is set to 0 or false, then exit immediately w/ code 1
-if [[ "${GEMINI_CODE_SANDBOX:-}" =~ ^(0|false)$ ]]; then
- exit 1
-fi
-
-# if GEMINI_CODE_SANDBOX is set to 1 or true, then try to use docker or podman
+# if GEMINI_CODE_SANDBOX is set to 1|true, then try to use docker or podman
+# if non-empty and not 0|false, treat as custom command and check that it exists
+# if empty or 0|false, then fail silently (after checking for possible fallbacks)
+command=""
if [[ "${GEMINI_CODE_SANDBOX:-}" =~ ^(1|true)$ ]]; then
if command -v docker &>/dev/null; then
- if [ "$QUIET" = false ]; then echo "docker"; fi
- exit 0
+ command="docker"
elif command -v podman &>/dev/null; then
- if [ "$QUIET" = false ]; then echo "podman"; fi
- exit 0
+ command="podman"
else
echo "ERROR: install docker or podman or specify command in GEMINI_CODE_SANDBOX" >&2
exit 1
fi
+elif [ -n "${GEMINI_CODE_SANDBOX:-}" ] && [[ ! "${GEMINI_CODE_SANDBOX:-}" =~ ^(0|false)$ ]]; then
+ if ! command -v "$GEMINI_CODE_SANDBOX" &>/dev/null; then
+ echo "ERROR: missing sandbox command '$GEMINI_CODE_SANDBOX' (from GEMINI_CODE_SANDBOX)" >&2
+ exit 1
+ fi
+ command="$GEMINI_CODE_SANDBOX"
+else
+ # if we are on macOS and sandbox-exec is available, use that for minimal sandboxing
+ # unless SEATBELT_PROFILE is set to 'none', which we allow as an escape hatch
+ if [ "$(uname)" = "Darwin" ] && command -v sandbox-exec &>/dev/null && [ "${SEATBELT_PROFILE:-}" != "none" ]; then
+ command="sandbox-exec"
+ else # GEMINI_CODE_SANDBOX is empty or 0|false, so we fail w/o error msg
+ exit 1
+ fi
fi
-if ! command -v "$GEMINI_CODE_SANDBOX" &>/dev/null; then
- echo "ERROR: missing sandbox command '$GEMINI_CODE_SANDBOX' (from GEMINI_CODE_SANDBOX)" >&2
- exit 1
-fi
-
-if [ "$QUIET" = false ]; then echo "$GEMINI_CODE_SANDBOX"; fi
+if [ "$QUIET" = false ]; then echo "$command"; fi
exit 0
generated by cgit v1.2.3 (git 2.51.0) at 2025-11-05 10:57:59 +0000