manifest: add proc.exec capability (hardened target)#24

Merged
TeoSlayer merged 1 commit into main from add-proc-exec-cap
Jun 22, 2026

Conversation

@Alexgodoroja

Collaborator

Adds a new app-store capability proc.exec so an app can declare permission to spawn one local executable — the CLI it fronts. This is the platform half of the app-store CLI adapter archetype: it lets pilotctl appstore call <app> <args> translate into a local subprocess invocation.

What changes

  • pkg/manifest/validate.go: add proc.exec to KnownCaps.
  • Hardened target validation: the grant target must name exactly one binary — an absolute path (/usr/local/bin/tool) or a bare command (gh), [A-Za-z0-9._-] segments only. A * wildcard, a path containing .., spaces, or any shell metacharacter is rejected. A proc.exec grant can never mean "run anything".
  • Grant struct doc updated; CHANGELOG entry.

Model & security

  • Declaration-only, like audit.log: the app execs the child itself, so there is no per-call broker hook — the capability is the install-consented, validated declaration of intent. No interactive consent is added anywhere.
  • Catalogue-only: proc.exec is intentionally not added to the sideload allow-list, so an unreviewed --local app can never carry it. CLI apps ship protection: guarded and install through the reviewed catalogue.
  • OS-level exec sandboxing (sandbox-exec / seccomp execve allow-list) remains the documented next hardening step.

Tests

pkg/manifest tests cover: valid absolute-path + bare-command targets, rejection of wildcard/shell/../newline targets, the empty-target path, and a guard that sideload policy still rejects proc.exec.

🤖 Generated with Claude Code

Add proc.exec to KnownCaps so an app can declare permission to spawn one
local executable — the CLI it fronts. This unblocks the app-store CLI
adapter archetype.

The grant target must name exactly one binary: an absolute path or a bare
command name ([A-Za-z0-9._-] segments). A wildcard, a path with '..',
spaces, or any shell metacharacter is rejected at validation, so a
proc.exec grant can never mean 'run anything'.

Declaration-only, like audit.log: the app execs the child itself, so there
is no per-call broker hook. proc.exec is intentionally NOT in the sideload
allow-list — CLI apps install through the reviewed catalogue (guarded).

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
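The target rule stated in the PR description and the commit message above, as a worked validator added here (example code, not the project's own pkg/manifest/validate.go): an absolute path or a bare command made of [A-Za-z0-9._-] segments passes; a wildcard, a `..` or `.` segment, whitespace (including a newline), any shell metacharacter, an empty target or a relative path is rejected. The function name, helper and error messages are my own choices.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Added example, not the project's code. One path segment or bare command name,
// restricted to the character class the PR allows.
var segmentRe = regexp.MustCompile(`^[A-Za-z0-9._-]+$`)

// validSegment rejects empty, dot and dot-dot segments and anything outside segmentRe.
func validSegment(seg string) error {
	if seg == "" || seg == "." || seg == ".." {
		return fmt.Errorf("disallowed segment %q", seg)
	}
	if !segmentRe.MatchString(seg) {
		return fmt.Errorf("segment %q has characters outside [A-Za-z0-9._-]", seg)
	}
	return nil
}

// ValidateProcExecTarget returns nil only when target names exactly one binary:
// an absolute path whose every segment is valid, or a single bare command name.
func ValidateProcExecTarget(target string) error {
	if target == "" {
		return fmt.Errorf("proc.exec: empty target")
	}
	// Explicit reject of wildcards, whitespace and shell metacharacters for a clear error.
	if strings.ContainsAny(target, "*?[]{}$`\"'\\;|&<>()!~# \t\r\n") {
		return fmt.Errorf("proc.exec: target %q contains wildcard, whitespace or shell metacharacter", target)
	}
	segments := strings.Split(target, "/")
	if len(segments) == 1 { // bare command, e.g. "gh", resolved via PATH by the app
		return validSegment(target)
	}
	if segments[0] != "" { // "bin/gh": a relative path is neither absolute nor bare
		return fmt.Errorf("proc.exec: %q is relative; use an absolute path or a bare command", target)
	}
	for _, seg := range segments[1:] {
		if err := validSegment(seg); err != nil {
			return fmt.Errorf("proc.exec: %q: %w", target, err)
		}
	}
	return nil
}

func main() { // demo over two constructed targets: the first passes, the second is rejected
	fmt.Println(ValidateProcExecTarget("/usr/local/bin/tool"), ValidateProcExecTarget("/usr/bin/*"))
}
```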
@codecov

codecov Bot commented Jun 22, 2026


Codecov Report

✅ All modified and coverable lines are covered by tests.


@TeoSlayer TeoSlayer merged commit 74e0f28 into main Jun 22, 2026
5 checks passed