Add /sys to whitelist mode

src/sandbox.rs

@@ -116,6 +116,8 @@ fn add_whitelist_mode(cmd: &mut Command) -> Result<(), SandboxError> {
         cmd.args(["--ro-bind-try", path, path]);
     }
 
+    cmd.args(["--ro-bind-try", "/sys", "/sys"]);
+
     let local_bin = format!("{home}/.local/bin");
     cmd.arg("--ro-bind-try").arg(&local_bin).arg(&local_bin);
 

tests/integration.rs

@@ -325,6 +325,20 @@ fn empty_home_rejected() {
     );
 }
 
+#[test]
+fn whitelist_sys_is_readable() {
+    let output = sandbox(&["--whitelist"])
+        .args(["--", "bash", "-c", "cat /sys/class/net/lo/address"])
+        .output()
+        .expect("agent-sandbox binary failed to execute");
+
+    let stdout = String::from_utf8_lossy(&output.stdout).trim().to_string();
+    assert_eq!(
+        stdout, "00:00:00:00:00:00",
+        "expected loopback address from /sys, got: {stdout}"
+    );
+}
+
 #[test]
 fn new_session_isolates_sid() {
     let inner_sid = read_sid_inside_sandbox(&[]);