feat: set sandbox HOME directory to /sandbox instead of /tmp

koki-develop · claude · koki-develop · commit 1cd4afdbb10d · 2026-03-10T07:03:40.000+09:00
Co-Authored-By: Claude &lt;noreply@anthropic.com&gt;
diff --git a/e2e/tests/security/go_runtime_attack.yml b/e2e/tests/security/go_runtime_attack.yml
@@ -206,9 +206,9 @@ tests:
               status: "OK"
               signal: null
             run:
-              stdout: "HOME=/tmp\nPATH=/usr/bin:/bin\n"
+              stdout: "HOME=/sandbox\nPATH=/usr/bin:/bin\n"
               stderr: ""
-              output: "HOME=/tmp\nPATH=/usr/bin:/bin\n"
+              output: "HOME=/sandbox\nPATH=/usr/bin:/bin\n"
               exit_code: 0
               status: "OK"
               signal: null
diff --git a/internal/sandbox/configs/nsjail.cfg b/internal/sandbox/configs/nsjail.cfg
@@ -38,7 +38,7 @@ clone_newnet: true
 iface_no_lo: true
 
 # HOME must be set because many tools read it for config/cache paths.
-envar: "HOME=/tmp"
+envar: "HOME=/sandbox"
 
 # Static rlimits (constant across all runtimes and execution steps).
 # Each requires an explicit _type: VALUE because the protobuf defaults
diff --git a/internal/sandbox/execution.go b/internal/sandbox/execution.go
@@ -70,7 +70,7 @@ func (e *execution) buildArgs() []string {
 	)
 
 	// Runtime-specific environment variables (e.g. PATH, GOROOT).
-	// HOME=/tmp is set in the config file.
+	// HOME=/sandbox is set in the config file.
 	for _, env := range e.env {
 		args = append(args, "-E", env)
 	}

Original file line number	Diff line number	Diff line change
`@@ -70,7 +70,7 @@ func (e *execution) buildArgs() []string {`
`70`	`70`	`)`
`71`	`71`
`72`	`72`	`// Runtime-specific environment variables (e.g. PATH, GOROOT).`
`73`		`- // HOME=/tmp is set in the config file.`
	`73`	`+ // HOME=/sandbox is set in the config file.`
`74`	`74`	`for _, env := range e.env {`
`75`	`75`	`args = append(args, "-E", env)`
`76`	`76`	`}`