Add -deny flag to deny read access to specific paths #86
Open
youta1119 wants to merge 4 commits into Warashi:main from
Conversation
Previously, both `subpath` and `literal` rules were emitted for every allowed path. Now we emit only `subpath` for directories and `literal` for files, which avoids redundant rules. Also skip non-existent paths, consistent with the Linux behavior. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Closes Warashi#85 Add a `-deny <path>` flag (repeatable) to deny read access to specific paths. On macOS, uses `deny file-read-data` in the sandbox-exec profile. On Linux, falls back to bubblewrap (bwrap) since Landlock uses an allowlist model and cannot deny reads. The `deny` key is also supported in config presets, with the same `eval-symlinks` option as `allow`. A warning is emitted when a denied path does not exist at sandbox startup. Also refactors AllowPath to PathSpec to better reflect its use for both allow and deny entries. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
The -deny flag on Linux requires bubblewrap (bwrap). Install it in CI so that the e2e tests can run on Linux. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Summary
Closes #85
- Add `-deny <path>` flag (repeatable) to deny read access to specific paths
- `deny` key in config presets with the same `eval-symlinks` option as `allow`
- Rename `AllowPath` to `PathSpec` to reflect its use for both allow and deny entries

Platform behavior
- macOS: Uses `deny file-read-data` in the sandbox-exec profile. The process receives a permission denied error when attempting to read a denied path.
- Linux: Landlock LSM uses an allowlist model: it can grant access to specific paths but cannot explicitly deny reads. Therefore, when `-deny` is specified, cage falls back to bubblewrap (bwrap). Denied directories are hidden with a tmpfs mount; denied files are masked with `/dev/null`.
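The following Go program is an added illustration of the two mechanisms this PR describes, written for this page and not taken from cage or from the PR itself. It covers the subpath/literal selection from the first commit message (one `subpath` rule per directory, one `literal` rule per file, non-existent paths skipped) together with the Linux bubblewrap fallback above (`--tmpfs` over a denied directory, `/dev/null` bound over a denied file). The `Rule`, `PathKind`, `ClassifyAll`, `MacOSProfile` and `BwrapArgs` names are assumptions made here; cage's real `PathSpec` and profile generation may differ.

```go
package main

import (
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

// PathKind is what ClassifyAll learned about a path.
type PathKind int

const (
	KindMissing PathKind = iota // does not exist: skipped, warned about when denied
	KindFile
	KindDir
)

// Rule is one allow or deny entry (hypothetical stand-in for the PR's PathSpec).
type Rule struct {
	Path string
	Deny bool
	Kind PathKind
}

// ClassifyAll stats each rule's path, optionally resolving symlinks first
// (the eval-symlinks option) so a rule written against a link applies to
// the file it points at. Missing paths are kept as KindMissing; the
// emitters below skip them instead of failing.
func ClassifyAll(rules []Rule, evalSymlinks bool) []Rule {
	out := make([]Rule, 0, len(rules))
	for _, r := range rules {
		if p, err := filepath.EvalSymlinks(r.Path); evalSymlinks && err == nil {
			r.Path = p
		}
		switch fi, err := os.Stat(r.Path); {
		case err != nil:
			r.Kind = KindMissing
		case fi.IsDir():
			r.Kind = KindDir
		default:
			r.Kind = KindFile
		}
		out = append(out, r)
	}
	return out
}

// MacOSProfile renders sandbox-exec (SBPL) rules: a subpath filter for a
// directory, a literal filter for a file, so each path yields one rule.
// Deny rules come after allow rules because sandbox-exec applies the last
// matching rule, so a denied directory inside an allowed one stays denied.
// Allow rules for the executable and its libraries are left out here.
func MacOSProfile(rules []Rule) string {
	var b strings.Builder
	b.WriteString("(version 1)\n(deny default)\n")
	for _, deny := range []bool{false, true} {
		for _, r := range rules {
			if r.Deny != deny || r.Kind == KindMissing {
				continue
			}
			filter, op := "literal", "allow file-read*"
			if r.Kind == KindDir {
				filter = "subpath"
			}
			if deny {
				op = "deny file-read-data"
			}
			fmt.Fprintf(&b, "(%s (%s %q))\n", op, filter, r.Path)
		}
	}
	return b.String()
}

// BwrapArgs builds the bubblewrap argv for the Linux fallback. The host
// root is bound read-only, then each denied directory is shadowed by an
// empty tmpfs and each denied file by a read-only bind of /dev/null. The
// masks are listed after the root bind so they are mounted on top of it.
func BwrapArgs(rules []Rule, cmd ...string) []string {
	args := []string{"bwrap", "--ro-bind", "/", "/", "--dev", "/dev", "--proc", "/proc"}
	for _, r := range rules {
		if !r.Deny {
			continue
		}
		switch r.Kind {
		case KindDir:
			args = append(args, "--tmpfs", r.Path)
		case KindFile:
			args = append(args, "--ro-bind", "/dev/null", r.Path)
		default:
			fmt.Fprintf(os.Stderr, "warning: denied path does not exist: %s\n", r.Path)
		}
	}
	return append(append(args, "--"), cmd...)
}

func main() {
	// Constructed sample: expose $HOME but hide ~/.ssh and ~/.netrc.
	home, _ := os.UserHomeDir()
	rules := ClassifyAll([]Rule{
		{Path: home},
		{Path: filepath.Join(home, ".ssh"), Deny: true},
		{Path: filepath.Join(home, ".netrc"), Deny: true},
	}, true)
	fmt.Print(MacOSProfile(rules))
	fmt.Println(strings.Join(BwrapArgs(rules, "cat", filepath.Join(home, ".netrc")), " "))
}
```

Two caveats a reviewer of the real change would check. On macOS, `file-read-data` is only one of the `file-read*` operations: `file-read-metadata` is not denied by this rule, so `stat` and directory listing of a denied path still succeed and the sandboxed process can learn that the path exists. The bwrap fallback has the same shape of leak, since the tmpfs and the `/dev/null` bind leave an empty directory or an empty file visible where the original was. Neither mechanism hides the existence of a path; both only hide its contents.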