Local provider jobs run through sandboxes and add subprocess monitoring #1671
Paragon Summary
This pull request review identified 4 issues across 4 categories in 3 files. The review analyzed code changes, potential bugs, security vulnerabilities, performance issues, and code quality concerns using automated analysis tools.
This PR routes local provider jobs through sandboxed execution instead of running them directly, improving isolation for local job runs. It also updates the local provider setup to support the sandbox workflow end to end.
Key changes:
Confidence score: 2/5
3 files reviewed, 4 comments
Severity breakdown: Critical: 1, High: 1, Medium: 1, Low: 1
Would it be helpful to use the bwrap wrapper bubblejail? Some reading I did said it will prevent some issues by wrapping bwrap and prevent the issues mentioned above -- kinds of bugs a maintained library would have already caught.
Okay, I didn't know about bubblejail, will check that out.
Ended up sticking with bubblewrap because the others seemed to be nicer if we wanted a more high-level GUI solution. Since we have static flags for our sandbox, I ended up sticking with bwrap for more low-level access.
No description provided.