Merge pull request #149 from docker/sandboxing

Implement llama.cpp sandboxing for macOS and Windows

Author: xenoscopic

go.mod

@@ -10,6 +10,7 @@ require (
 	github.com/google/go-containerregistry v0.20.3
 	github.com/gpustack/gguf-parser-go v0.14.1
 	github.com/jaypipes/ghw v0.16.0
+	github.com/kolesnikovae/go-winjob v1.0.0
 	github.com/mattn/go-shellwords v1.0.12
 	github.com/opencontainers/go-digest v1.0.0
 	github.com/opencontainers/image-spec v1.1.1
@@ -59,7 +60,7 @@ require (
 	golang.org/x/crypto v0.37.0 // indirect
 	golang.org/x/exp v0.0.0-20250106191152-7588d65b2ba8 // indirect
 	golang.org/x/mod v0.24.0 // indirect
-	golang.org/x/sys v0.33.0 // indirect
+	golang.org/x/sys v0.35.0 // indirect
 	golang.org/x/tools v0.32.0 // indirect
 	gonum.org/v1/gonum v0.15.1 // indirect
 	google.golang.org/genproto/googleapis/rpc v0.0.0-20250414145226-207652e42e2e // indirect
@@ -68,3 +69,5 @@ require (
 	gopkg.in/yaml.v3 v3.0.1 // indirect
 	howett.net/plist v1.0.0 // indirect
 )
+
+replace github.com/kolesnikovae/go-winjob => github.com/docker/go-winjob v0.0.0-20250829235554-57b487ebcbc5

go.sum

@@ -38,6 +38,8 @@ github.com/docker/distribution v2.8.3+incompatible h1:AtKxIZ36LoNK51+Z6RpzLpddBi
 github.com/docker/distribution v2.8.3+incompatible/go.mod h1:J2gT2udsDAN96Uj4KfcMRqY0/ypR+oyYUYmja8H+y+w=
 github.com/docker/docker-credential-helpers v0.8.2 h1:bX3YxiGzFP5sOXWc3bTPEXdEaZSeVMrFgOr3T+zrFAo=
 github.com/docker/docker-credential-helpers v0.8.2/go.mod h1:P3ci7E3lwkZg6XiHdRKft1KckHiO9a2rNtyFbZ/ry9M=
+github.com/docker/go-winjob v0.0.0-20250829235554-57b487ebcbc5 h1:dxSFEb0EEmvceIawSFNDMrvKakRz2t+2WYpY3dFAT04=
+github.com/docker/go-winjob v0.0.0-20250829235554-57b487ebcbc5/go.mod h1:ICOGmIXdwhfid7rQP+tLvDJqVg0lHdEk3pI5nsapTtg=
 github.com/docker/model-distribution v0.0.0-20250822172258-8fe9daa4a4da h1:ml99WBfcLnsy1frXQR4X+5WAC0DoGtwZyGoU/xBsDQM=
 github.com/docker/model-distribution v0.0.0-20250822172258-8fe9daa4a4da/go.mod h1:dThpO9JoG5Px3i+rTluAeZcqLGw8C0qepuEL4gL2o/c=
 github.com/elastic/go-sysinfo v1.15.3 h1:W+RnmhKFkqPTCRoFq2VCTmsT4p/fwpo+3gKNQsn1XU0=
@@ -156,8 +158,8 @@ golang.org/x/sync v0.14.0 h1:woo0S4Yywslg6hp4eUFjTVOyKt0RookbpAHG4c1HmhQ=
 golang.org/x/sync v0.14.0/go.mod h1:1dzgHSNfp02xaA81J2MS99Qcpr2w7fw1gpm99rleRqA=
 golang.org/x/sys v0.0.0-20190916202348-b4ddaad3f8a3/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20220715151400-c0bba94af5f8/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.33.0 h1:q3i8TbbEz+JRD9ywIRlyRAQbM0qF7hu24q3teo2hbuw=
-golang.org/x/sys v0.33.0/go.mod h1:BJP2sWEmIv4KK5OTEluFJCKSidICx8ciO85XgH3Ak8k=
+golang.org/x/sys v0.35.0 h1:vz1N37gP5bs89s7He8XuIYXpyY0+QlsKmzipCbUtyxI=
+golang.org/x/sys v0.35.0/go.mod h1:BJP2sWEmIv4KK5OTEluFJCKSidICx8ciO85XgH3Ak8k=
 golang.org/x/term v0.31.0 h1:erwDkOK1Msy6offm1mOgvspSkslFnIGsFnxOKoufg3o=
 golang.org/x/term v0.31.0/go.mod h1:R4BeIy7D95HzImkxGkTW1UQTtP54tio2RyHz7PwK0aw=
 golang.org/x/tools v0.32.0 h1:Q7N1vhpkQv7ybVzLFtTjvQya2ewbwNDZzUgfXGqtMWU=

pkg/inference/backends/llamacpp/llamacpp.go

@@ -2,6 +2,7 @@ package llamacpp
 
 import (
 	"bufio"
+	"bytes"
 	"context"
 	"errors"
 	"fmt"
@@ -24,6 +25,7 @@ import (
 	"github.com/docker/model-runner/pkg/inference/config"
 	"github.com/docker/model-runner/pkg/inference/models"
 	"github.com/docker/model-runner/pkg/logging"
+	"github.com/docker/model-runner/pkg/sandbox"
 	"github.com/docker/model-runner/pkg/tailbuffer"
 )
 
@@ -153,30 +155,33 @@ func (l *llamaCpp) Run(ctx context.Context, socket, model string, mode inference
 	}
 
 	l.log.Infof("llamaCppArgs: %v", args)
-	llamaCppProcess := exec.CommandContext(
+	tailBuf := tailbuffer.NewTailBuffer(1024)
+	serverLogStream := l.serverLog.Writer()
+	out := io.MultiWriter(serverLogStream, tailBuf)
+	llamaCppSandbox, err := sandbox.Create(
 		ctx,
+		sandbox.ConfigurationLlamaCpp,
+		func(command *exec.Cmd) {
+			command.Cancel = func() error {
+				if runtime.GOOS == "windows" {
+					return command.Process.Kill()
+				}
+				return command.Process.Signal(os.Interrupt)
+			}
+			command.Stdout = serverLogStream
+			command.Stderr = out
+		},
 		filepath.Join(binPath, "com.docker.llama-server"),
 		args...,
 	)
-	llamaCppProcess.Cancel = func() error {
-		if runtime.GOOS == "windows" {
-			return llamaCppProcess.Process.Kill()
-		}
-		return llamaCppProcess.Process.Signal(os.Interrupt)
-	}
-	tailBuf := tailbuffer.NewTailBuffer(1024)
-	serverLogStream := l.serverLog.Writer()
-	out := io.MultiWriter(serverLogStream, tailBuf)
-	llamaCppProcess.Stdout = serverLogStream
-	llamaCppProcess.Stderr = out
-
-	if err := llamaCppProcess.Start(); err != nil {
+	if err != nil {
 		return fmt.Errorf("unable to start llama.cpp: %w", err)
 	}
+	defer llamaCppSandbox.Close()
 
 	llamaCppErrors := make(chan error, 1)
 	go func() {
-		llamaCppErr := llamaCppProcess.Wait()
+		llamaCppErr := llamaCppSandbox.Command().Wait()
 		serverLogStream.Close()
 
 		errOutput := new(strings.Builder)
@@ -351,16 +356,27 @@ func (l *llamaCpp) checkGPUSupport(ctx context.Context) bool {
 	if l.updatedLlamaCpp {
 		binPath = l.updatedServerStoragePath
 	}
-	out, err := exec.CommandContext(
+	var output bytes.Buffer
+	llamaCppSandbox, err := sandbox.Create(
 		ctx,
+		sandbox.ConfigurationLlamaCpp,
+		func(command *exec.Cmd) {
+			command.Stdout = &output
+			command.Stderr = &output
+		},
 		filepath.Join(binPath, "com.docker.llama-server"),
 		"--list-devices",
-	).CombinedOutput()
+	)
 	if err != nil {
-		l.log.Warnf("Failed to determine if llama-server is built with GPU support: %s", err)
+		l.log.Warnf("Failed to start sandboxed llama.cpp process to probe GPU support: %v", err)
+		return false
+	}
+	defer llamaCppSandbox.Close()
+	if err := llamaCppSandbox.Command().Wait(); err != nil {
+		l.log.Warnf("Failed to determine if llama-server is built with GPU support: %v", err)
 		return false
 	}
-	sc := bufio.NewScanner(strings.NewReader(string(out)))
+	sc := bufio.NewScanner(strings.NewReader(string(output.Bytes())))
 	expectDev := false
 	devRe := regexp.MustCompile(`\s{2}.*:\s`)
 	ndevs := 0

pkg/sandbox/sandbox.go

@@ -0,0 +1,13 @@
+package sandbox
+
+import (
+	"os/exec"
+)
+
+// Sandbox encapsulates a single running sandboxed process.
+type Sandbox interface {
+	// Command returns the sandboxed process handle.
+	Command() *exec.Cmd
+	// Close closes the sandbox, terminating the process if it's still running.
+	Close() error
+}

pkg/sandbox/sandbox_darwin.go

@@ -0,0 +1,158 @@
+package sandbox
+
+import (
+	"context"
+	"fmt"
+	"os"
+	"os/exec"
+	"os/user"
+	"strings"
+)
+
+// ConfigurationLlamaCpp is the sandbox configuration for llama.cpp processes.
+const ConfigurationLlamaCpp = `(version 1)
+
+;;; Keep a default allow policy (because encoding things like DYLD support and
+;;; device access is quite difficult), but deny critical exploitation targets
+;;; (generally aligned with the App Sandbox entitlements that aren't on by
+;;; default). In theory we'll be subject to the Docker.app sandbox as well
+;;; (unless we're running standalone), but even Docker.app has a very privileged
+;;; sandbox, so we need additional constraints.
+;;;
+;;; Note: The following are known to be required at some level for llama.cpp
+;;; (though we could further experiment to deny certain sub-permissions):
+;;;   - authorization
+;;;   - darwin
+;;;   - iokit
+;;;   - mach
+;;;   - socket
+;;;   - syscall
+;;;   - process
+(allow default)
+
+;;; Deny network access, except for our IPC sockets.
+;;; NOTE: We use different socket nomenclature when running in Docker Desktop
+;;; (inference-N.sock) vs. standalone (inference-runner-N.sock), so we use a
+;;; wildcard to support both.
+(deny network*)
+(allow network-bind network-inbound
+    (regex #"inference.*-[0-9]+\.sock$"))
+
+;;; Deny access to the camera and microphone.
+(deny device*)
+
+;;; Deny access to NVRAM settings.
+(deny nvram*)
+
+;;; Deny access to system-level privileges.
+(deny system*)
+
+;;; Deny access to job creation.
+(deny job-creation)
+
+;;; Don't allow new executable code to be created in memory at runtime.
+(deny dynamic-code-generation)
+
+;;; Disable access to user preferences.
+(deny user-preference*)
+
+;;; Restrict file access.
+;;; NOTE: For some reason, the (home-subpath "...") predicate used in system
+;;; sandbox profiles doesn't work with sandbox-exec.
+;;; NOTE: We have to allow access to the working directory for standalone mode.
+;;; NOTE: We have to allow access to a regex-based Docker.app location to
+;;; support Docker Desktop development as well as Docker.app installs that don't
+;;; live inside /Applications.
+;;; NOTE: For some reason (deny file-read*) really doesn't like to play nice
+;;; with llama.cpp, so for that reason we'll avoid a blanket ban and just ban
+;;; directories that might contain sensitive data.
+(deny file-map-executable)
+(deny file-write*)
+(deny file-read*
+    (subpath "/Applications")
+    (subpath "/private/etc")
+    (subpath "/Library")
+    (subpath "/Users")
+    (subpath "/Volumes"))
+(allow file-read* file-map-executable
+    (subpath "/usr")
+    (subpath "/System")
+    (regex #"Docker\.app/Contents/Resources/model-runner")
+    (subpath "[HOMEDIR]/.docker/bin/inference")
+    (subpath "[HOMEDIR]/.docker/bin/lib"))
+(allow file-write*
+    (literal "/dev/null")
+    (subpath "/private/var")
+    (subpath "[HOMEDIR]/Library/Containers/com.docker.docker/Data")
+    (subpath "[WORKDIR]"))
+(allow file-read*
+    (subpath "[HOMEDIR]/.docker/models")
+    (subpath "[HOMEDIR]/Library/Containers/com.docker.docker/Data")
+    (subpath "[WORKDIR]"))
+`
+
+// sandbox is the Darwin sandbox implementation.
+type sandbox struct {
+	// cancel cancels the context associated with the process.
+	cancel context.CancelFunc
+	// command is the sandboxed process handle.
+	command *exec.Cmd
+}
+
+// Command implements Sandbox.Command.
+func (s *sandbox) Command() *exec.Cmd {
+	return s.command
+}
+
+// Command implements Sandbox.Close.
+func (s *sandbox) Close() error {
+	s.cancel()
+	return nil
+}
+
+// Create creates a sandbox containing a single process that has been started.
+// The ctx, name, and arg arguments correspond to their counterparts in
+// os/exec.CommandContext. The configuration argument specifies the sandbox
+// configuration, for which a pre-defined value should be used. The modifier
+// function allows for an optional callback (which may be nil) to configure the
+// command before it is started.
+func Create(ctx context.Context, configuration string, modifier func(*exec.Cmd), name string, arg ...string) (Sandbox, error) {
+	// Look up the user's home directory.
+	currentUser, err := user.Current()
+	if err != nil {
+		return nil, fmt.Errorf("unable to lookup user: %w", err)
+	}
+
+	// Look up the working directory.
+	currentDirectory, err := os.Getwd()
+	if err != nil {
+		return nil, fmt.Errorf("unable to determine working directory: %w", err)
+	}
+
+	// Process template arguments in the configuration. We should switch to
+	// text/template if this gets any more complex.
+	profile := strings.ReplaceAll(configuration, "[HOMEDIR]", currentUser.HomeDir)
+	profile = strings.ReplaceAll(profile, "[WORKDIR]", currentDirectory)
+
+	// Create a subcontext we can use to regulate the process lifetime.
+	ctx, cancel := context.WithCancel(ctx)
+
+	// Create and configure the command.
+	sandboxedArgs := make([]string, 0, len(arg)+3)
+	sandboxedArgs = append(sandboxedArgs, "-p", profile, name)
+	sandboxedArgs = append(sandboxedArgs, arg...)
+	command := exec.CommandContext(ctx, "sandbox-exec", sandboxedArgs...)
+	if modifier != nil {
+		modifier(command)
+	}
+
+	// Start the process.
+	if err := command.Start(); err != nil {
+		cancel()
+		return nil, fmt.Errorf("unable to start sandboxed process: %w", err)
+	}
+	return &sandbox{
+		cancel:  cancel,
+		command: command,
+	}, nil
+}

pkg/sandbox/sandbox_other.go

@@ -0,0 +1,58 @@
+//go:build !darwin && !windows
+
+package sandbox
+
+import (
+	"context"
+	"fmt"
+	"os/exec"
+)
+
+// ConfigurationLlamaCpp is the sandbox configuration for llama.cpp processes.
+const ConfigurationLlamaCpp = ``
+
+// sandbox is the non-Darwin POSIX sandbox implementation.
+type sandbox struct {
+	// cancel cancels the context associated with the process.
+	cancel context.CancelFunc
+	// command is the sandboxed process handle.
+	command *exec.Cmd
+}
+
+// Command implements Sandbox.Command.
+func (s *sandbox) Command() *exec.Cmd {
+	return s.command
+}
+
+// Command implements Sandbox.Close.
+func (s *sandbox) Close() error {
+	s.cancel()
+	return nil
+}
+
+// Create creates a sandbox containing a single process that has been started.
+// The ctx, name, and arg arguments correspond to their counterparts in
+// os/exec.CommandContext. The configuration argument specifies the sandbox
+// configuration, for which a pre-defined value should be used. The modifier
+// function allows for an optional callback (which may be nil) to configure the
+// command before it is started.
+func Create(ctx context.Context, configuration string, modifier func(*exec.Cmd), name string, arg ...string) (Sandbox, error) {
+	// Create a subcontext we can use to regulate the process lifetime.
+	ctx, cancel := context.WithCancel(ctx)
+
+	// Create and configure the command.
+	command := exec.CommandContext(ctx, name, arg...)
+	if modifier != nil {
+		modifier(command)
+	}
+
+	// Start the process.
+	if err := command.Start(); err != nil {
+		cancel()
+		return nil, fmt.Errorf("unable to start process: %w", err)
+	}
+	return &sandbox{
+		cancel:  cancel,
+		command: command,
+	}, nil
+}