feat(sandbox): dynamic Linux sandbox expansion and worktree support

[galz10]

Summary

This PR brings the Linux Sandbox manager up to feature parity with the macOS Seatbelt implementation, introducing dynamic path resolution and Git worktree support.

Details

• Extracted command validation and file system utilities (commandUtils.ts, fsUtils.ts) from the macOS sandbox implementation into a shared utils directory.
• Updated LinuxSandboxManager to utilize these shared utilities for dynamic path resolution, Git worktree access, and strict tool approval.
• Brought Linux sandbox capabilities to feature parity with macOS by supporting modeConfig overrides (readonly, network, approved tools) and dynamic file system permissions via Bubblewrap (bwrap) arguments.

Related Issues

How to Validate

• Run the Linux Sandbox unit tests: npm test -w @google/gemini-cli-core -- src/sandbox/linux/LinuxSandboxManager.test.ts
• Run integration tests on Linux to verify Bubblewrap functionality.

Pre-Merge Checklist

• Updated relevant documentation and README (if needed)
• Added/updated tests (if needed)
• Noted breaking changes (if any)
• Validated on required platforms/methods:
  • MacOS
    • npm run
    • npx
    • Docker
    • Podman
    • Seatbelt
  • Windows
    • npm run
    • npx
    • Docker
  • Linux
    • npm run
    • npx
    • Docker

[gemini-code-assist]

Summary of Changes

Hello, I'm Gemini Code Assist¹! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request significantly enhances the Linux sandbox manager, bringing its capabilities in line with the macOS Seatbelt implementation. The changes enable dynamic path resolution and robust Git worktree support, improving the security and flexibility of sandboxed operations on Linux. This is achieved by refactoring common utilities into a shared module and integrating advanced permission management within the Linux sandbox.

Highlights

• Linux Sandbox Feature Parity: The Linux Sandbox manager now achieves feature parity with the macOS Seatbelt implementation, introducing dynamic path resolution and Git worktree support.
• Shared Utilities Extraction: Command validation and file system utilities (commandUtils.ts, fsUtils.ts) were extracted from the macOS sandbox implementation into a new shared utils directory.
• Dynamic Permissions and Overrides: The Linux sandbox now supports modeConfig overrides for readonly, network, and approved tools, along with dynamic file system permissions via Bubblewrap (bwrap) arguments.

Using Gemini Code Assist

The full guide for Gemini Code Assist can be found on our documentation page, here are some quick tips.

Invoking Gemini

You can request assistance from Gemini at any point by creating a comment using either /gemini <command> or @gemini-code-assist <command>. Below is a summary of the supported commands on the current page.

Feature	Command	Description
Code Review	/gemini review	Performs a code review for the current pull request in its current state.
Pull Request Summary	/gemini summary	Provides a summary of the current pull request in its current state.
Comment	@gemini-code-assist	Responds in comments when explicitly tagged, both in pull request comments and review comments.
Help	/gemini help	Displays a list of available commands.

Customization

To customize Gemini Code Assist for GitHub experience, repository maintainers can create a configuration file and/or provide a custom code review style guide (such as PEP-8 for Python) by creating and adding files to a .gemini/ folder in the base of the repository. Detailed instructions can be found here.

Limitations & Feedback

Gemini Code Assist may make mistakes. Please leave feedback on any instances where its feedback is incorrect or counter productive. You can react with 👍 and 👎 on @gemini-code-assist comments. If you're interested in giving your feedback about your experience with Gemini Code Assist for GitHub and other Google products, sign up here.

Footnotes

1. Review the Privacy Notices, Generative AI Prohibited Use Policy, Terms of Service, and learn how to configure Gemini Code Assist in GitHub here. Gemini can make mistakes, so double check it and use code with caution. ↩

[github-actions]

Size Change: +5.16 kB (+0.02%)

Total Size: 26.3 MB

Filename	Size	Change
./bundle/chunk-G37HAKQG.js	0 B	-3.64 MB (removed)	🏆
./bundle/chunk-IFPH7QPR.js	0 B	-14.7 MB (removed)	🏆
./bundle/core-FCGFS5E5.js	0 B	-43.6 kB (removed)	🏆
./bundle/devtoolsService-QG3HI6C3.js	0 B	-27.7 kB (removed)	🏆
./bundle/interactiveCli-NGUK7K52.js	0 B	-1.62 MB (removed)	🏆
./bundle/oauth2-provider-IQINTXO6.js	0 B	-9.16 kB (removed)	🏆
./bundle/chunk-ISGVB4VK.js	14.7 MB	+14.7 MB (new file)	🆕
./bundle/chunk-YLFP7GM2.js	3.64 MB	+3.64 MB (new file)	🆕
./bundle/core-BWRADV6A.js	43.6 kB	+43.6 kB (new file)	🆕
./bundle/devtoolsService-JML35GRL.js	27.7 kB	+27.7 kB (new file)	🆕
./bundle/interactiveCli-N74PV7YF.js	1.62 MB	+1.62 MB (new file)	🆕
./bundle/oauth2-provider-AAGKOXUB.js	9.16 kB	+9.16 kB (new file)	🆕

ℹ️ View Unchanged

Filename	Size
./bundle/chunk-34MYV7JD.js	2.45 kB
./bundle/chunk-5AUYMPVF.js	858 B
./bundle/chunk-664ZODQF.js	124 kB
./bundle/chunk-DAHVX5MI.js	206 kB
./bundle/chunk-IUUIT4SU.js	56.5 kB
./bundle/chunk-RJDXJELZ.js	1.96 MB
./bundle/chunk-RJTRUG2J.js	39.8 kB
./bundle/devtools-36NN55EP.js	696 kB
./bundle/dist-T73EYRDX.js	356 B
./bundle/gemini.js	529 kB
./bundle/getMachineId-bsd-TXG52NKR.js	1.55 kB
./bundle/getMachineId-darwin-7OE4DDZ6.js	1.55 kB
./bundle/getMachineId-linux-SHIFKOOX.js	1.34 kB
./bundle/getMachineId-unsupported-5U5DOEYY.js	1.06 kB
./bundle/getMachineId-win-6KLLGOI4.js	1.72 kB
./bundle/memoryDiscovery-5JAQO7MA.js	922 B
./bundle/multipart-parser-KPBZEGQU.js	11.7 kB
./bundle/node_modules/@google/gemini-cli-devtools/dist/client/main.js	221 kB
./bundle/node_modules/@google/gemini-cli-devtools/dist/src/_client-assets.js	227 kB
./bundle/node_modules/@google/gemini-cli-devtools/dist/src/index.js	11.5 kB
./bundle/node_modules/@google/gemini-cli-devtools/dist/src/types.js	132 B
./bundle/sandbox-macos-permissive-open.sb	890 B
./bundle/sandbox-macos-permissive-proxied.sb	1.31 kB
./bundle/sandbox-macos-restrictive-open.sb	3.36 kB
./bundle/sandbox-macos-restrictive-proxied.sb	3.56 kB
./bundle/sandbox-macos-strict-open.sb	4.82 kB
./bundle/sandbox-macos-strict-proxied.sb	5.02 kB
./bundle/src-QVCVGIUX.js	47 kB
./bundle/tree-sitter-7U6MW5PS.js	274 kB
./bundle/tree-sitter-bash-34ZGLXVX.js	1.84 MB

_{compressed-size-action}

[gemini-code-assist]

Code Review

This pull request refactors sandbox management logic by extracting common utility functions for command parsing and file system operations into new shared files (commandUtils.ts and fsUtils.ts). The Linux sandbox (LinuxSandboxManager) is enhanced to support more granular policy controls, including read-only modes, network access, explicit read/write permissions, and handling of forbidden paths, aligning its capabilities with the macOS sandbox. The sandboxManagerFactory is updated to correctly configure the Linux sandbox with policy information. The review identified a critical security vulnerability where the allowOverrides check in LinuxSandboxManager is incomplete, potentially allowing models to bypass network, allowed paths, and read restrictions in "Plan mode". Additionally, an inconsistency in workspace binding in LinuxSandboxManager was noted, and the path validation logic in fsUtils.ts was found to be brittle and potentially vulnerable to path traversal.