Add bubblewrap filesystem isolation for recursive child processes #1

Draft
rawwerks wants to merge 6 commits into openprose:main from rawwerks:bwrap-isolation

@rawwerks rawwerks commented Mar 9, 2026

Summary

  • Recursive child rlm processes (depth > 0) now re-exec inside bubblewrap with --tmp-overlay on RLM_PROJECT_DIR, giving each child a private copy-on-write view of the project directory
  • Parallel children cannot conflict with each other or corrupt the parent's filesystem — writes are captured in an invisible tmpfs overlay
  • The /rlm/tree directory is bind-mounted writable through the sandbox so trace files and RETURN answer files remain visible to the parent
  • Docker image now builds bubblewrap 0.11.0 from source (Ubuntu 24.04 ships 0.9.0, overlay support requires >= 0.10.0)
  • Set RLM_ISOLATION=none to disable; defaults to bwrap when bubblewrap is available

Test plan

  • 5 unit tests for guard conditions (mock mode, isolation=none, default detection)
  • 5 mechanical bwrap invariant tests (overlay captures writes, blocks deletions, bind-mount pass-through, read-through, parallel isolation)
  • 6 E2E tests with real LLM calls (child cannot delete/overwrite, child can read, parallel children, RETURN through isolation, control test with bwrap disabled)
  • Docker build: docker build -t rlm . — bwrap 0.11.0 confirmed
  • Manual: recursive delegation in Docker returns correct answer through bwrap isolation

🤖 Generated with Claude Code

rawwerks and others added 6 commits March 8, 2026 22:07
Child rlm invocations (depth > 0) re-exec inside bwrap with an overlayfs
on RLM_PROJECT_DIR. Writes are captured in a private upper dir — parallel
children cannot conflict with each other or corrupt the parent's data.
The /rlm/tree directory is bind-mounted writable through the sandbox so
trace files and RETURN answer files remain visible to the parent.

Guards: skipped in mock mode (_RLM_MOCK_DIR), when bwrap is not installed,
when already inside bwrap (_RLM_IN_BWRAP), or when RLM_ISOLATION=none.

New environment variables:
  RLM_ISOLATION    — bwrap (default) or none
  RLM_PROJECT_DIR  — directory to overlay (default: cwd at root depth)

Tests:
  test/bwrap.bats  — 10 unit tests (5 mock-mode guards, 5 mechanical
                     bwrap invariants that run bwrap directly, no LLM)
  e2e/bwrap.bats   — 6 end-to-end tests with real LLM calls (delete
                     protection, overwrite protection, read-through,
                     parallel isolation, RETURN through sandbox, control
                     test with isolation disabled)

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

Ubuntu 24.04 ships bwrap 0.9.0 which lacks --overlay-src support
(added in 0.10.0). Multi-stage build compiles bwrap 0.11.0 and copies
the binary into the final image. Build tools are discarded in the
builder stage to keep the image small.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

Replaces explicit --overlay (with host-managed upper/work dirs) with
--tmp-overlay (bwrap-managed invisible tmpfs). This avoids the nested
overlayfs problem inside Docker containers where the rootfs is already
overlay2. Simpler code, works on host, Docker, and VMs.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

Remove misleading /context/ reference from system prompt — /context/ is
not bind-mounted writable through bwrap, so children cannot write to it.
Add comment in mechanical tests explaining why they use --overlay instead
of --tmp-overlay (to inspect the upper dir; E2E tests cover the real path).

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

…omments

- Remove plugins COPY/ENV from Dockerfile (unrelated to bwrap isolation)
- Add comment explaining RLM_PROJECT_DIR=/ fallback behavior
- Add comment noting /tmp bind-mount precedence over overlay

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

The inline comment after backslash-continuation would cause a runtime
syntax error. Move the /tmp caveat into the comment block above.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
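
The guard conditions and the `--tmp-overlay` layout described in the summary and commit messages above, sketched as an added example that is not part of this pull request or the rlm code base. The function names, the `--bind / /` root mount and the exact argument order are assumptions; the environment variable names and the 0.10.0 overlay requirement come from the PR text.

```shell
#!/bin/sh
# Added illustration, NOT the rlm project's code. Function names and the exact
# bwrap argument list are assumptions; env var names come from the PR text.

# True if the reported bwrap version has overlay support (>= 0.10.0 per the PR).
# Accepts "bubblewrap 0.11.0" (the `bwrap --version` format) or a bare "0.11.0".
supports_overlay() {
    v=${1#bubblewrap }
    major=${v%%.*}; rest=${v#*.}; minor=${rest%%.*}
    # Reject empty or non-numeric components instead of letting `[` error out.
    case "$major.$minor" in *[!0-9.]*|.*|*.) return 1 ;; esac
    [ "$major" -gt 0 ] || [ "$minor" -ge 10 ]
}

# Guards from the PR: only depth > 0, not in mock mode, not already inside
# bwrap, not RLM_ISOLATION=none, and bwrap must be installed.
# $1 = recursion depth, $2 = 1 if bwrap is installed, else 0.
should_isolate() {
    [ "$1" -gt 0 ] || return 1
    [ -z "${_RLM_MOCK_DIR:-}" ] || return 1
    [ -z "${_RLM_IN_BWRAP:-}" ] || return 1
    [ "${RLM_ISOLATION:-bwrap}" != none ] || return 1
    [ "$2" = 1 ]
}

# Emit bwrap arguments, one per line. bwrap applies mounts in order, so the
# writable tree bind comes after the overlay and is not shadowed by it.
# $1 = project dir (RLM_PROJECT_DIR), $2 = trace/answer tree dir.
bwrap_args() {
    printf '%s\n' \
        --bind / / \
        --overlay-src "$1" --tmp-overlay "$1" \
        --bind "$2" "$2" \
        --setenv _RLM_IN_BWRAP 1
}

# Demo with constructed values: a depth-1 child, bwrap 0.11.0 installed.
if should_isolate 1 1 && supports_overlay "bubblewrap 0.11.0"; then
    bwrap_args /work/project /rlm/tree
fi
```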