Enabling sandboxing for local MCP servers at workspace level. (#295704)

* Enabling MCP sandboxing

* Added debug logs for troubleshooting

* changes for confirmation window during MCP server run

* refactoring changes

* refactoring changes

* code review comments

* code review comments

* code review comments

* code review comments

* fixing tests

* Code review comments

* code review

* Code review comments

Author: dileepyavan

src/vs/platform/mcp/common/mcpPlatformTypes.ts

@@ -12,6 +12,18 @@ export interface IMcpDevModeConfig {
 	debug?: { type: 'node' } | { type: 'debugpy'; debugpyPath?: string };
 }
 
+export interface IMcpSandboxConfiguration {
+	network?: {
+		allowedDomains?: string[];
+		deniedDomains?: string[];
+	};
+	filesystem?: {
+		denyRead?: string[];
+		allowWrite?: string[];
+		denyWrite?: string[];
+	};
+}
+
 export const enum McpServerVariableType {
 	PROMPT = 'promptString',
 	PICK = 'pickString',
@@ -45,6 +57,8 @@ export interface IMcpStdioServerConfiguration extends ICommonMcpServerConfigurat
 	readonly env?: Record<string, string | number | null>;
 	readonly envFile?: string;
 	readonly cwd?: string;
+	readonly sandboxEnabled?: boolean;
+	readonly sandbox?: IMcpSandboxConfiguration;
 	readonly dev?: IMcpDevModeConfig;
 }
 

src/vs/platform/mcp/common/mcpResourceScannerService.ts

@@ -18,11 +18,12 @@ import { InstantiationType, registerSingleton } from '../../instantiation/common
 import { createDecorator } from '../../instantiation/common/instantiation.js';
 import { IUriIdentityService } from '../../uriIdentity/common/uriIdentity.js';
 import { IInstallableMcpServer } from './mcpManagement.js';
-import { ICommonMcpServerConfiguration, IMcpServerConfiguration, IMcpServerVariable, IMcpStdioServerConfiguration, McpServerType } from './mcpPlatformTypes.js';
+import { ICommonMcpServerConfiguration, IMcpSandboxConfiguration, IMcpServerConfiguration, IMcpServerVariable, IMcpStdioServerConfiguration, McpServerType } from './mcpPlatformTypes.js';
 
 interface IScannedMcpServers {
 	servers?: IStringDictionary<Mutable<IMcpServerConfiguration>>;
 	inputs?: IMcpServerVariable[];
+	sandbox?: IMcpSandboxConfiguration;
 }
 
 interface IOldScannedMcpServer {
@@ -77,7 +78,7 @@ export class McpResourceScannerService extends Disposable implements IMcpResourc
 					updatedInputs = [...updatedInputs, ...newInputs];
 				}
 			}
-			return { servers: existingServers, inputs: updatedInputs };
+			return { servers: existingServers, inputs: updatedInputs, sandbox: scannedMcpServers.sandbox };
 		});
 	}
 
@@ -173,33 +174,35 @@ export class McpResourceScannerService extends Disposable implements IMcpResourc
 
 	private fromUserMcpServers(scannedMcpServers: IScannedMcpServers): IScannedMcpServers {
 		const userMcpServers: IScannedMcpServers = {
-			inputs: scannedMcpServers.inputs
+			inputs: scannedMcpServers.inputs,
+			sandbox: scannedMcpServers.sandbox
 		};
 		const servers = Object.entries(scannedMcpServers.servers ?? {});
 		if (servers.length > 0) {
 			userMcpServers.servers = {};
 			for (const [serverName, server] of servers) {
-				userMcpServers.servers[serverName] = this.sanitizeServer(server);
+				userMcpServers.servers[serverName] = this.sanitizeServer(server, scannedMcpServers.sandbox);
 			}
 		}
 		return userMcpServers;
 	}
 
 	private fromWorkspaceFolderMcpServers(scannedWorkspaceFolderMcpServers: IScannedMcpServers): IScannedMcpServers {
 		const scannedMcpServers: IScannedMcpServers = {
-			inputs: scannedWorkspaceFolderMcpServers.inputs
+			inputs: scannedWorkspaceFolderMcpServers.inputs,
+			sandbox: scannedWorkspaceFolderMcpServers.sandbox
 		};
 		const servers = Object.entries(scannedWorkspaceFolderMcpServers.servers ?? {});
 		if (servers.length > 0) {
 			scannedMcpServers.servers = {};
 			for (const [serverName, config] of servers) {
-				scannedMcpServers.servers[serverName] = this.sanitizeServer(config);
+				scannedMcpServers.servers[serverName] = this.sanitizeServer(config, scannedWorkspaceFolderMcpServers.sandbox);
 			}
 		}
 		return scannedMcpServers;
 	}
 
-	private sanitizeServer(serverOrConfig: IOldScannedMcpServer | Mutable<IMcpServerConfiguration>): IMcpServerConfiguration {
+	private sanitizeServer(serverOrConfig: IOldScannedMcpServer | Mutable<IMcpServerConfiguration>, sandbox?: IMcpSandboxConfiguration): IMcpServerConfiguration {
 		let server: IMcpServerConfiguration;
 		if ((<IOldScannedMcpServer>serverOrConfig).config) {
 			const oldScannedMcpServer = <IOldScannedMcpServer>serverOrConfig;
@@ -216,6 +219,10 @@ export class McpResourceScannerService extends Disposable implements IMcpResourc
 			(<Mutable<ICommonMcpServerConfiguration>>server).type = (<IMcpStdioServerConfiguration>server).command ? McpServerType.LOCAL : McpServerType.REMOTE;
 		}
 
+		if (sandbox && server.type === McpServerType.LOCAL && !(server as IMcpStdioServerConfiguration).sandbox && server.sandboxEnabled) {
+			(<Mutable<IMcpStdioServerConfiguration>>server).sandbox = sandbox;
+		}
+
 		return server;
 	}
 

src/vs/workbench/contrib/mcp/browser/mcp.contribution.ts

@@ -30,6 +30,7 @@ import { IMcpDevModeDebugging, McpDevModeDebugging } from '../common/mcpDevMode.
 import { McpLanguageModelToolContribution } from '../common/mcpLanguageModelToolContribution.js';
 import { McpRegistry } from '../common/mcpRegistry.js';
 import { IMcpRegistry } from '../common/mcpRegistryTypes.js';
+import { IMcpSandboxService, McpSandboxService } from '../common/mcpSandboxService.js';
 import { McpResourceFilesystem } from '../common/mcpResourceFilesystem.js';
 import { McpSamplingService } from '../common/mcpSamplingService.js';
 import { McpService } from '../common/mcpService.js';
@@ -50,6 +51,7 @@ import { McpServersViewsContribution } from './mcpServersView.js';
 import { MCPContextsInitialisation, McpWorkbenchService } from './mcpWorkbenchService.js';
 
 registerSingleton(IMcpRegistry, McpRegistry, InstantiationType.Delayed);
+registerSingleton(IMcpSandboxService, McpSandboxService, InstantiationType.Delayed);
 registerSingleton(IMcpService, McpService, InstantiationType.Delayed);
 registerSingleton(IMcpWorkbenchService, McpWorkbenchService, InstantiationType.Eager);
 registerSingleton(IMcpDevModeDebugging, McpDevModeDebugging, InstantiationType.Delayed);

src/vs/workbench/contrib/mcp/common/discovery/installedMcpServersDiscovery.ts

@@ -102,6 +102,8 @@ export class InstalledMcpServersDiscovery extends Disposable implements IMcpDisc
 					id: `${collectionId}.${server.name}`,
 					label: server.name,
 					launch,
+					sandboxEnabled: config.type === 'http' ? undefined : config.sandboxEnabled,
+					sandbox: config.type === 'http' || !config.sandboxEnabled ? undefined : config.sandbox,
 					cacheNonce: await McpServerLaunch.hash(launch),
 					roots: mcpConfigPath?.workspaceFolder ? [mcpConfigPath.workspaceFolder.uri] : undefined,
 					variableReplacement: {

src/vs/workbench/contrib/mcp/common/mcpConfiguration.ts

@@ -136,6 +136,11 @@ export const mcpStdioServerSchema: IJSONSchema = {
 			enum: ['stdio'],
 			description: localize('app.mcp.json.type', "The type of the server.")
 		},
+		sandboxEnabled: {
+			type: 'boolean',
+			default: false,
+			description: localize('app.mcp.json.sandboxEnabled', "Whether to run the server in a sandboxed environment.")
+		},
 		command: {
 			type: 'string',
 			description: localize('app.mcp.json.command', "The command to run the server.")
@@ -179,6 +184,50 @@ export const mcpServerSchema: IJSONSchema = {
 	allowComments: true,
 	additionalProperties: false,
 	properties: {
+		sandbox: {
+			description: localize('app.mcp.json.sandbox', "Default sandbox settings for running servers."),
+			type: 'object',
+			additionalProperties: false,
+			properties: {
+				network: {
+					type: 'object',
+					additionalProperties: false,
+					properties: {
+						allowedDomains: {
+							type: 'array',
+							items: { type: 'string' },
+							default: []
+						},
+						deniedDomains: {
+							type: 'array',
+							items: { type: 'string' },
+							default: []
+						}
+					}
+				},
+				filesystem: {
+					type: 'object',
+					additionalProperties: false,
+					properties: {
+						denyRead: {
+							type: 'array',
+							items: { type: 'string' },
+							default: []
+						},
+						allowWrite: {
+							type: 'array',
+							items: { type: 'string' },
+							default: []
+						},
+						denyWrite: {
+							type: 'array',
+							items: { type: 'string' },
+							default: []
+						}
+					}
+				}
+			}
+		},
 		servers: {
 			examples: [
 				mcpSchemaExampleServers,

src/vs/workbench/contrib/mcp/common/mcpLanguageModelToolContribution.ts

@@ -30,6 +30,7 @@ import { IMcpRegistry } from './mcpRegistryTypes.js';
 import { IMcpServer, IMcpService, IMcpTool, IMcpToolResourceLinkContents, McpResourceURI, McpToolResourceLinkMimeType, McpToolVisibility } from './mcpTypes.js';
 import { mcpServerToSourceData } from './mcpTypesUtils.js';
 import { ILifecycleService } from '../../../services/lifecycle/common/lifecycle.js';
+import { McpServer } from './mcpServer.js';
 
 interface ISyncedToolData {
 	toolData: IToolData;
@@ -205,6 +206,11 @@ class McpToolImplementation implements IToolImpl {
 	async prepareToolInvocation(context: IToolInvocationPreparationContext): Promise<IPreparedToolInvocation> {
 		const tool = this._tool;
 		const server = this._server;
+		// ToDO: need to be revisited as the first tool invocation doesnt have sandbox info and we are optimistically assuming it is not sandboxed. We should ideally have the sandbox info.
+		const sandboxEnabled = await McpServer.callOn(server, async (_handler, connection) => {
+			return connection.definition.sandboxEnabled;
+		});
+		const isSandboxedServer = sandboxEnabled === true;
 
 		const mcpToolWarning = localize(
 			'mcp.tool.warning',
@@ -215,15 +221,18 @@ class McpToolImplementation implements IToolImpl {
 		// duplicative: https://github.com/modelcontextprotocol/modelcontextprotocol/pull/813
 		const title = tool.definition.annotations?.title || tool.definition.title || ('`' + tool.definition.name + '`');
 
-		const confirm: IToolConfirmationMessages = {};
-		if (!tool.definition.annotations?.readOnlyHint) {
-			confirm.title = new MarkdownString(localize('msg.title', "Run {0}", title));
-			confirm.message = new MarkdownString(tool.definition.description, { supportThemeIcons: true });
-			confirm.disclaimer = mcpToolWarning;
-			confirm.allowAutoConfirm = true;
-		}
-		if (tool.definition.annotations?.openWorldHint) {
-			confirm.confirmResults = true;
+		let confirm: IToolConfirmationMessages | undefined;
+		if (!isSandboxedServer) {
+			confirm = {};
+			if (!tool.definition.annotations?.readOnlyHint) {
+				confirm.title = new MarkdownString(localize('msg.title', "Run {0}", title));
+				confirm.message = new MarkdownString(tool.definition.description, { supportThemeIcons: true });
+				confirm.disclaimer = mcpToolWarning;
+				confirm.allowAutoConfirm = true;
+			}
+			if (tool.definition.annotations?.openWorldHint) {
+				confirm.confirmResults = true;
+			}
 		}
 
 		const mcpUiEnabled = this._configurationService.getValue<boolean>(mcpAppsEnabledConfig);

src/vs/workbench/contrib/mcp/common/mcpRegistry.ts

@@ -32,6 +32,7 @@ import { AUX_WINDOW_GROUP, IEditorService } from '../../../services/editor/commo
 import { IMcpDevModeDebugging } from './mcpDevMode.js';
 import { McpRegistryInputStorage } from './mcpRegistryInputStorage.js';
 import { IMcpHostDelegate, IMcpRegistry, IMcpResolveConnectionOptions } from './mcpRegistryTypes.js';
+import { IMcpSandboxService } from './mcpSandboxService.js';
 import { McpServerConnection } from './mcpServerConnection.js';
 import { IMcpServerConnection, LazyCollectionState, McpCollectionDefinition, McpDefinitionReference, McpServerDefinition, McpServerLaunch, McpServerTrust, McpStartServerInteraction, UserInteractionRequiredError } from './mcpTypes.js';
 
@@ -85,6 +86,7 @@ export class McpRegistry extends Disposable implements IMcpRegistry {
 		@IQuickInputService private readonly _quickInputService: IQuickInputService,
 		@ILabelService private readonly _labelService: ILabelService,
 		@ILogService private readonly _logService: ILogService,
+		@IMcpSandboxService private readonly _mcpSandboxService: IMcpSandboxService,
 	) {
 		super();
 		this._mcpAccessValue = observableConfigValue(mcpAccessConfig, McpAccessValue.All, configurationService);
@@ -509,6 +511,8 @@ export class McpRegistry extends Disposable implements IMcpRegistry {
 			if (definition.devMode && debug) {
 				launch = await this._instantiationService.invokeFunction(accessor => accessor.get(IMcpDevModeDebugging).transform(definition, launch!));
 			}
+			// If sandbox is enabled for this server, attempt to launch in sandbox
+			launch = await this._mcpSandboxService.launchInSandboxIfEnabled(definition, launch, collection.remoteAuthority ?? undefined, collection.configTarget);
 		} catch (e) {
 			if (e instanceof UserInteractionRequiredError) {
 				throw e;