fix(sandbox): pass proxy env vars to seatbelt sandbox process#20788
fix(sandbox): pass proxy env vars to seatbelt sandbox process#20788aishop-lab wants to merge 1 commit intogoogle-gemini:mainfrom
Conversation
The sandboxEnv object with HTTP_PROXY/HTTPS_PROXY env vars is created when GEMINI_SANDBOX_PROXY_COMMAND is set, but was never passed to the sandbox-exec spawn call. This caused sandboxed commands to not see proxy configuration, making the *-proxied seatbelt profiles unusable. Fix: pass env: sandboxEnv to spawn() so proxy env vars reach the sandboxed process. This matches the Docker sandbox path which already passes proxy vars via --env flags. Fixes google-gemini#19187
Summary of ChangesHello, I'm Gemini Code Assist1! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed! This pull request addresses a critical issue where proxy environment variables were not being correctly applied to sandboxed processes. By ensuring that the 'sandboxEnv' object is passed during process creation, it resolves a limitation that prevented sandboxed commands from respecting proxy configurations, thereby enabling the proper functioning of proxy-dependent sandbox profiles. Highlights
Changelog
Activity
Using Gemini Code AssistThe full guide for Gemini Code Assist can be found on our documentation page, here are some quick tips. Invoking Gemini You can request assistance from Gemini at any point by creating a comment using either
Customization To customize Gemini Code Assist for GitHub experience, repository maintainers can create a configuration file and/or provide a custom code review style guide (such as PEP-8 for Python) by creating and adding files to a Limitations & Feedback Gemini Code Assist may make mistakes. Please leave feedback on any instances where its feedback is incorrect or counter productive. You can react with 👍 and 👎 on @gemini-code-assist comments. If you're interested in giving your feedback about your experience with Gemini Code Assist for Github and other Google products, sign up here. You can also get AI-powered code generation, chat, as well as code reviews directly in the IDE at no cost with the Gemini Code Assist IDE Extension. Footnotes
|
|
Thanks for your pull request! It looks like this may be your first contribution to a Google open source project. Before we can look at your pull request, you'll need to sign a Contributor License Agreement (CLA). View this failed invocation of the CLA check for more information. For the most up to date status, view the checks section at the bottom of the pull request. |
gemini-cli
bot
added
the
area/platform
![gemini-code-assist[bot]](https://avatars.githubusercontent.com/in/956858?s=60&v=4){kind=small}
There was a problem hiding this comment.
Code Review
This pull request addresses a bug where proxy environment variables were not being passed to the macOS sandbox-exec process. The change correctly adds the env: sandboxEnv option to the spawn call, ensuring that proxy settings configured via GEMINI_SANDBOX_PROXY_COMMAND are respected. This aligns the behavior of the seatbelt sandbox with the Docker-based sandbox and fixes the functionality for proxied profiles on macOS.
|
I have signed the CLA. Could you please re-check? All commits use the same email (mananp8114@gmail.com) that is linked to my signed CLA. |
aishop-lab
force-pushed
the
fix/sandbox-proxy-env-19187
branch
from
4df540f to
b89e63b
Compare
|
Hey — just wanted to flag that this came up in the context of #20397 (the network proxy PR). The proxy layer sets up Seatbelt still enforces at the kernel level so the sandbox itself isn't broken, but anything inside it that relies on proxy env vars to route traffic just silently does nothing. Small fix but it unblocks the proxy integration path. Happy to address any review feedback! |
|
cc @gsquared94 — this fixes the proxy env vars not reaching seatbelt sandbox processes (issue #19187). Small change but it's a blocker for the proxy integration path in #20397. Would appreciate a look when you get a chance! |
|
Hi there! Thank you for your interest in contributing to Gemini CLI. To ensure we maintain high code quality and focus on our prioritized roadmap, we have updated our contribution policy (see Discussion #17383). We only guarantee review and consideration of pull requests for issues that are explicitly labeled as 'help wanted'. All other community pull requests are subject to closure after 14 days if they do not align with our current focus areas. For this reason, we strongly recommend that contributors only submit pull requests against issues explicitly labeled as 'help-wanted'. This pull request is being closed as it has been open for 14 days without a 'help wanted' designation. We encourage you to find and contribute to existing 'help wanted' issues in our backlog! Thank you for your understanding and for being part of our community! |
2 participants
Summary
Fixes #19187
sandboxEnvobject withHTTP_PROXY/HTTPS_PROXYenv vars is created whenGEMINI_SANDBOX_PROXY_COMMANDis set (line 136-151), but was never passed to thespawn()call for the sandbox-exec process (line 194)*-proxiedseatbelt profiles unusableenv: sandboxEnvto the spawn options, matching how the Docker sandbox path already passes proxy vars via--envflags (lines 399-408)Test plan
GEMINI_SANDBOX_PROXY_COMMANDandSEATBELT_PROFILE=permissive-proxied, verify curl commands inside sandbox respect proxy