|
| 1 | +#!/usr/bin/env python3 |
| 2 | +""" |
| 3 | +Example usage of Sandboxed Command Executor. |
| 4 | +
|
| 5 | +This demonstrates how to use the sandbox executor to safely run AI-generated commands. |
| 6 | +""" |
| 7 | + |
| 8 | +from sandbox_executor import SandboxExecutor, CommandBlocked |
| 9 | + |
| 10 | + |
| 11 | +def example_basic_usage(): |
| 12 | + """Basic usage example.""" |
| 13 | + print("=== Basic Usage ===") |
| 14 | + |
| 15 | + # Create executor |
| 16 | + executor = SandboxExecutor() |
| 17 | + |
| 18 | + # Execute a safe command |
| 19 | + try: |
| 20 | + result = executor.execute('echo "Hello, Cortex!"') |
| 21 | + print(f"Exit code: {result.exit_code}") |
| 22 | + print(f"Output: {result.stdout}") |
| 23 | + print(f"Execution time: {result.execution_time:.2f}s") |
| 24 | + except CommandBlocked as e: |
| 25 | + print(f"Command blocked: {e}") |
| 26 | + |
| 27 | + |
| 28 | +def example_dry_run(): |
| 29 | + """Dry-run mode example.""" |
| 30 | + print("\n=== Dry-Run Mode ===") |
| 31 | + |
| 32 | + executor = SandboxExecutor() |
| 33 | + |
| 34 | + # Preview what would execute |
| 35 | + result = executor.execute('apt-get update', dry_run=True) |
| 36 | + print(f"Preview: {result.preview}") |
| 37 | + print(f"Output: {result.stdout}") |
| 38 | + |
| 39 | + |
| 40 | +def example_blocked_commands(): |
| 41 | + """Example of blocked commands.""" |
| 42 | + print("\n=== Blocked Commands ===") |
| 43 | + |
| 44 | + executor = SandboxExecutor() |
| 45 | + |
| 46 | + dangerous_commands = [ |
| 47 | + 'rm -rf /', |
| 48 | + 'dd if=/dev/zero of=/dev/sda', |
| 49 | + 'mkfs.ext4 /dev/sda1', |
| 50 | + ] |
| 51 | + |
| 52 | + for cmd in dangerous_commands: |
| 53 | + try: |
| 54 | + result = executor.execute(cmd) |
| 55 | + print(f"Unexpected: {cmd} was allowed") |
| 56 | + except CommandBlocked as e: |
| 57 | + print(f"✓ Blocked: {cmd} - {e}") |
| 58 | + |
| 59 | + |
| 60 | +def example_with_rollback(): |
| 61 | + """Example with rollback capability.""" |
| 62 | + print("\n=== Rollback Example ===") |
| 63 | + |
| 64 | + executor = SandboxExecutor(enable_rollback=True) |
| 65 | + |
| 66 | + # Execute a command that might fail |
| 67 | + try: |
| 68 | + result = executor.execute('invalid-command-that-fails') |
| 69 | + if result.failed: |
| 70 | + print(f"Command failed, rollback triggered") |
| 71 | + print(f"Stderr: {result.stderr}") |
| 72 | + except CommandBlocked as e: |
| 73 | + print(f"Command blocked: {e}") |
| 74 | + |
| 75 | + |
| 76 | +def example_audit_logging(): |
| 77 | + """Example of audit logging.""" |
| 78 | + print("\n=== Audit Logging ===") |
| 79 | + |
| 80 | + executor = SandboxExecutor() |
| 81 | + |
| 82 | + # Execute some commands |
| 83 | + try: |
| 84 | + executor.execute('echo "test1"', dry_run=True) |
| 85 | + executor.execute('echo "test2"', dry_run=True) |
| 86 | + except: |
| 87 | + pass |
| 88 | + |
| 89 | + # Get audit log |
| 90 | + audit_log = executor.get_audit_log() |
| 91 | + print(f"Total log entries: {len(audit_log)}") |
| 92 | + |
| 93 | + for entry in audit_log[-5:]: # Last 5 entries |
| 94 | + print(f" - {entry['timestamp']}: {entry['command']} (type: {entry['type']})") |
| 95 | + |
| 96 | + # Save audit log |
| 97 | + executor.save_audit_log('audit_log.json') |
| 98 | + print("Audit log saved to audit_log.json") |
| 99 | + |
| 100 | + |
| 101 | +def example_resource_limits(): |
| 102 | + """Example of resource limits.""" |
| 103 | + print("\n=== Resource Limits ===") |
| 104 | + |
| 105 | + # Create executor with custom limits |
| 106 | + executor = SandboxExecutor( |
| 107 | + max_cpu_cores=1, |
| 108 | + max_memory_mb=1024, |
| 109 | + max_disk_mb=512, |
| 110 | + timeout_seconds=60 |
| 111 | + ) |
| 112 | + |
| 113 | + print(f"CPU limit: {executor.max_cpu_cores} cores") |
| 114 | + print(f"Memory limit: {executor.max_memory_mb} MB") |
| 115 | + print(f"Disk limit: {executor.max_disk_mb} MB") |
| 116 | + print(f"Timeout: {executor.timeout_seconds} seconds") |
| 117 | + |
| 118 | + |
| 119 | +def example_sudo_commands(): |
| 120 | + """Example of sudo command handling.""" |
| 121 | + print("\n=== Sudo Commands ===") |
| 122 | + |
| 123 | + executor = SandboxExecutor() |
| 124 | + |
| 125 | + # Allowed sudo commands (package installation) |
| 126 | + allowed_sudo = [ |
| 127 | + 'sudo apt-get install python3', |
| 128 | + 'sudo pip install numpy', |
| 129 | + ] |
| 130 | + |
| 131 | + for cmd in allowed_sudo: |
| 132 | + is_valid, violation = executor.validate_command(cmd) |
| 133 | + if is_valid: |
| 134 | + print(f"✓ Allowed: {cmd}") |
| 135 | + else: |
| 136 | + print(f"✗ Blocked: {cmd} - {violation}") |
| 137 | + |
| 138 | + # Blocked sudo commands |
| 139 | + blocked_sudo = [ |
| 140 | + 'sudo rm -rf /', |
| 141 | + 'sudo chmod 777 /', |
| 142 | + ] |
| 143 | + |
| 144 | + for cmd in blocked_sudo: |
| 145 | + is_valid, violation = executor.validate_command(cmd) |
| 146 | + if not is_valid: |
| 147 | + print(f"✓ Blocked: {cmd} - {violation}") |
| 148 | + |
| 149 | + |
| 150 | +def example_status_check(): |
| 151 | + """Check system status and configuration.""" |
| 152 | + print("\n=== System Status ===") |
| 153 | + |
| 154 | + executor = SandboxExecutor() |
| 155 | + |
| 156 | + # Check Firejail availability |
| 157 | + if executor.is_firejail_available(): |
| 158 | + print("✓ Firejail is available - Full sandbox isolation enabled") |
| 159 | + print(f" Firejail path: {executor.firejail_path}") |
| 160 | + else: |
| 161 | + print("⚠ Firejail not found - Using fallback mode (reduced security)") |
| 162 | + print(" Install with: sudo apt-get install firejail") |
| 163 | + |
| 164 | + # Show configuration |
| 165 | + print(f"\nResource Limits:") |
| 166 | + print(f" CPU: {executor.max_cpu_cores} cores") |
| 167 | + print(f" Memory: {executor.max_memory_mb} MB") |
| 168 | + print(f" Disk: {executor.max_disk_mb} MB") |
| 169 | + print(f" Timeout: {executor.timeout_seconds} seconds") |
| 170 | + print(f" Rollback: {'Enabled' if executor.enable_rollback else 'Disabled'}") |
| 171 | + |
| 172 | + |
| 173 | +def example_command_validation(): |
| 174 | + """Demonstrate command validation.""" |
| 175 | + print("\n=== Command Validation ===") |
| 176 | + |
| 177 | + executor = SandboxExecutor() |
| 178 | + |
| 179 | + test_commands = [ |
| 180 | + ('echo "test"', True), |
| 181 | + ('python3 --version', True), |
| 182 | + ('rm -rf /', False), |
| 183 | + ('sudo apt-get install python3', True), |
| 184 | + ('sudo rm -rf /', False), |
| 185 | + ('nc -l 1234', False), # Not whitelisted |
| 186 | + ] |
| 187 | + |
| 188 | + for cmd, expected_valid in test_commands: |
| 189 | + is_valid, violation = executor.validate_command(cmd) |
| 190 | + status = "✓" if (is_valid == expected_valid) else "✗" |
| 191 | + result = "ALLOWED" if is_valid else "BLOCKED" |
| 192 | + print(f"{status} {result}: {cmd}") |
| 193 | + if not is_valid and violation: |
| 194 | + print(f" Reason: {violation}") |
| 195 | + |
| 196 | + |
| 197 | +def main(): |
| 198 | + """Run all examples.""" |
| 199 | + print("=" * 60) |
| 200 | + print("Sandboxed Command Executor - Usage Examples") |
| 201 | + print("=" * 60) |
| 202 | + |
| 203 | + example_status_check() |
| 204 | + example_basic_usage() |
| 205 | + example_dry_run() |
| 206 | + example_command_validation() |
| 207 | + example_blocked_commands() |
| 208 | + example_with_rollback() |
| 209 | + example_audit_logging() |
| 210 | + example_resource_limits() |
| 211 | + example_sudo_commands() |
| 212 | + |
| 213 | + print("\n" + "=" * 60) |
| 214 | + print("Examples Complete") |
| 215 | + print("=" * 60) |
| 216 | + print("\nSummary:") |
| 217 | + print(" ✓ Command validation working") |
| 218 | + print(" ✓ Security blocking active") |
| 219 | + print(" ✓ Dry-run mode functional") |
| 220 | + print(" ✓ Audit logging enabled") |
| 221 | + print(" ✓ Resource limits configured") |
| 222 | + print(" ✓ Sudo restrictions enforced") |
| 223 | + |
| 224 | + |
| 225 | +if __name__ == '__main__': |
| 226 | + main() |
| 227 | + |
0 commit comments