Exposing the unfiltered buildbox-casd socket would result in exposing access to the host filesystem via the LocalCAS protocol.

An option that may be safe (to be reviewed) would be to change the instance name to a random token, generated in each BuildStream session, and then use GetInstanceNameForNamespace() to create a second instance that is then exposed to the sandbox.

Ideally, REAPI upstream would define a standard way how REAPI access can be exposed to a the action command. This shouldn't be buildbox-casd-specific and should also be supported with remote execution. Maybe configured by platform property.

use GetInstanceNameForNamespace() to create a second instance that is then exposed to the sandbox.

I'm not sure how this works: does it create a "sandboxed" instance somehow or is it just to have the LocalCas methods apply on the sandbox instead of the host?

But this indeed needs to put some thoughts on what exactly we want to provide to the sandboxes: just CAS? CAS and action cache? do we need remote asset too? (we need to at least restrict what can be requested from remote asset). How about remote execution? maybe not by default, but it's probably what would give the most performance benefit. How about LocalCAS? do we need to restrict that?

I'm not sure how this works: does it create a "sandboxed" instance somehow or is it just to have the LocalCas methods apply on the sandbox instead of the host?

That's kind of the same thing, isn't it? Is there a particular difference between the two options that needs to be clarified? As mentioned, we should review the code to make sure it's sufficiently sandboxed, though.

just CAS? CAS and action cache? do we need remote asset too?

Yes, we certainly need to give this some more thought.

That's kind of the same thing, isn't it? Is there a particular difference between the two options that needs to be clarified?

I meant is access to the CAS somehow sandboxed? (from your answer I guess it's not). Not that I think it should be, I just wanted clarification.

Is it fair to say that #2014, which appears more complete, although in draft state, replaces this ?

Yes, #2014 replaces this PR.