Elyra
Elyra The coding agent e The native code editor Elyra Grove Native local development environment Askr The real server for Laravel & PHP Elyra Conductor Local project conductor Elyra SQL Anywhere Replication-ready SQL engine
Release notes
Changelog
Elyra
Hardening / sandbox (Linux)

Hardening / sandbox (Linux)

--sandbox shrinks the blast radius of a PHP-level exploit. Even if an attacker gets code execution inside PHP, the worker can't spawn a shell or tamper with your code.

askr serve … \
  --sandbox \
  --sandbox-write /var/www/app/storage --sandbox-write /tmp

Two independent layers (Linux only; no effect elsewhere):

seccomp — no new processes

--sandbox installs a seccomp-BPF filter (all threads) that makes execve/execveat/ptrace/process_vm_* return EPERM. So a compromised request can't launch a shellshell_exec/exec/Symfony\Process just fail. It's applied before the PHP/tokio threads are created, so it covers the thread PHP runs on.

If your app legitimately shells out (some packages do), those calls will fail under --sandbox. Test first, or don't enable it for such apps.

Landlock — write only where allowed

Add --sandbox-write <dir> (repeatable) to also restrict the filesystem with Landlock: the worker may read everywhere (so PHP, extensions and templates keep working) but may write only under the listed paths. A path-traversal or upload exploit then can't drop a webshell into the docroot or modify your code — writes outside the allowlist get EACCES.

Typical allowlist for a Laravel app:

--sandbox-write /var/www/app/storage      # logs, cache, sessions, compiled views
--sandbox-write /var/www/app/bootstrap/cache
--sandbox-write /tmp                       # uploads (streamed) + sqlite temp

Landlock degrades gracefully: on kernels without it (or an older ABI) the filter is best-effort and never prevents startup.

Config file

[server]
sandbox = true
sandbox_write = ["/var/www/app/storage", "/var/www/app/bootstrap/cache", "/tmp"]

Verified

In a Linux container: with --sandbox --sandbox-write /tmp, a request that calls shell_exec("id") returns EXEC-BLOCKED, a write to /tmp succeeds, a write into the docroot is DENIED, and normal pages serve unchanged.

Notes

  • Sidecars (queue/scheduler) are not sandboxed — queue jobs may legitimately shell out; only the internet-facing web workers are hardened.
  • Combine with the non-root systemd unit + capabilities in UBUNTU.md for defence in depth.