fix: sandbox permissions

Author: ilopezluna

pkg/inference/backends/runner.go

@@ -42,6 +42,10 @@ type RunnerConfig struct {
 	// ErrorTransformer is an optional function to transform error output
 	// into a more user-friendly message. If nil, the raw output is used.
 	ErrorTransformer ErrorTransformer
+	// Env is an optional list of extra environment variables for the backend
+	// process, each in "KEY=VALUE" form. These are appended to the current
+	// process environment. If nil, the backend inherits the parent env as-is.
+	Env []string
 }
 
 // Logger interface for backend logging
@@ -88,6 +92,9 @@ func RunBackend(ctx context.Context, config RunnerConfig) error {
 			}
 			command.Stdout = config.ServerLogWriter
 			command.Stderr = out
+			if len(config.Env) > 0 {
+				command.Env = append(os.Environ(), config.Env...)
+			}
 		},
 		config.SandboxPath,
 		config.BinaryPath,

pkg/inference/backends/vllm/vllm_metal.go

@@ -222,6 +222,7 @@ func (v *vllmMetal) Run(ctx context.Context, socket, model string, modelRef stri
 		Args:            args,
 		Logger:          v.log,
 		ServerLogWriter: logging.NewWriter(v.serverLog),
+		Env:             []string{"VLLM_HOST_IP=127.0.0.1"},
 	})
 }
 

pkg/sandbox/sandbox_darwin.go

@@ -29,10 +29,10 @@ const ConfigurationPython = `(version 1)
 ;;; Also allow Unix domain socket binding in the system temp directory
 ;;; (/private/var/folders) which vllm-metal uses for internal ZMQ IPC sockets.
 (deny network*)
-(allow network-bind network-inbound
+(allow network-bind network-inbound network-outbound
     (regex #"inference.*-[0-9]+\.sock$")
     (local tcp "localhost:*"))
-(allow network-bind
+(allow network-bind network-inbound network-outbound
     (regex #"^/private/var/folders/"))
 
 ;;; Deny access to the camera and microphone.
@@ -76,12 +76,16 @@ const ConfigurationPython = `(version 1)
 (allow file-write*
     (literal "/dev/null")
     (subpath "/private/var")
+    (subpath "/private/tmp")
     (subpath "[HOMEDIR]/Library/Containers/com.docker.docker/Data")
-    (subpath "[WORKDIR]"))
+    (subpath "[WORKDIR]")
+    (subpath "[HOMEDIR]/.cache/vllm"))
 (allow file-read*
     (subpath "[HOMEDIR]/.docker/models")
     (subpath "[HOMEDIR]/Library/Containers/com.docker.docker/Data")
-    (subpath "[WORKDIR]"))
+    (subpath "[WORKDIR]")
+    (subpath "[HOMEDIR]/.cache/vllm")
+    (subpath "/private/tmp"))
 `
 
 // ConfigurationLlamaCpp is the sandbox configuration for llama.cpp processes.