diff --git a/src/main.rs b/src/main.rs
index b6fae47..741d6c4 100644
--- a/src/main.rs
+++ b/src/main.rs
@@ -1,5 +1,5 @@
 use std::ffi::{OsStr, OsString};
-use std::path::PathBuf;
+use std::path::{Path, PathBuf};
 use std::process;
 
 use clap::Parser;
@@ -67,8 +67,16 @@ fn main() {
         mode,
         hardened: args.hardened,
         no_net: args.no_net,
-        extra_rw: args.extra_rw,
-        extra_ro: args.extra_ro,
+        extra_rw: args
+            .extra_rw
+            .iter()
+            .map(|p| canonicalize_or_exit(p))
+            .collect(),
+        extra_ro: args
+            .extra_ro
+            .iter()
+            .map(|p| canonicalize_or_exit(p))
+            .collect(),
         command,
         command_args,
         chdir,
@@ -104,7 +112,7 @@ fn assert_binary_exists(name: &OsStr) -> PathBuf {
 
 fn assert_chdir(explicit: Option<PathBuf>) -> PathBuf {
     if let Some(p) = explicit {
-        return p;
+        return canonicalize_or_exit(&p);
     }
     match std::env::current_dir() {
         Ok(p) => p,
@@ -118,6 +126,13 @@ fn assert_chdir(explicit: Option<PathBuf>) -> PathBuf {
     }
 }
 
+fn canonicalize_or_exit(p: &Path) -> PathBuf {
+    std::fs::canonicalize(p).unwrap_or_else(|e| {
+        eprintln!("error: cannot resolve path '{}': {e}", p.display());
+        process::exit(1);
+    })
+}
+
 fn resolve_binary(name: &OsStr) -> Option<PathBuf> {
     let path = PathBuf::from(name);
     if path.is_absolute() || path.components().count() > 1 {
diff --git a/tests/integration.rs b/tests/integration.rs
index b44dee8..c5e5e04 100644
--- a/tests/integration.rs
+++ b/tests/integration.rs
@@ -237,6 +237,53 @@ fn blacklist_overlays_survive_tmp_bind() {
     );
 }
 
+#[test]
+fn relative_chdir_works() {
+    let output = sandbox(&["--chdir", "src"])
+        .args(["--", "bash", "-c", "pwd"])
+        .output()
+        .expect("agent-sandbox binary failed to execute");
+
+    assert!(
+        output.status.success(),
+        "relative --chdir should work, stderr: {}",
+        String::from_utf8_lossy(&output.stderr)
+    );
+    let stdout = String::from_utf8_lossy(&output.stdout).trim().to_string();
+    assert!(
+        stdout.ends_with("/src"),
+        "expected cwd ending in /src, got: {stdout}"
+    );
+}
+
+#[test]
+fn relative_rw_path_works() {
+    let output = sandbox(&["--rw", "src"])
+        .args(["--", "bash", "-c", "echo ok"])
+        .output()
+        .expect("agent-sandbox binary failed to execute");
+
+    assert!(
+        output.status.success(),
+        "relative --rw should work, stderr: {}",
+        String::from_utf8_lossy(&output.stderr)
+    );
+}
+
+#[test]
+fn relative_ro_path_works() {
+    let output = sandbox(&["--ro", "src"])
+        .args(["--", "bash", "-c", "echo ok"])
+        .output()
+        .expect("agent-sandbox binary failed to execute");
+
+    assert!(
+        output.status.success(),
+        "relative --ro should work, stderr: {}",
+        String::from_utf8_lossy(&output.stderr)
+    );
+}
+
 #[test]
 fn rw_missing_path_errors() {
     let output = sandbox(&["--rw", "/nonexistent/xyz"])