Setting --hostname sandbox inside the UTS namespace was purely cosmetic
(a label for interactive shells) and provided no isolation beyond what
--unshare-uts already gives. It also caused codex to hang for ~5s on
startup: glibc resolved the unknown "sandbox" name via systemd-resolved
and waited through two DNS retry timeouts before giving up.
Dropping the override lets the sandbox inherit the host's hostname,
which already resolves locally, eliminating the stall.
Flips the default sandbox mode from blacklist to whitelist and
replaces the global RUST_TEST_THREADS=1 with a targeted RwLock
that only serializes blacklist sandboxes against tests mutating
glob-matching host paths. A new Sandbox newtype acquires the
guard automatically when --blacklist is in args.
Without TERM_PROGRAM/TERM_PROGRAM_VERSION, Claude Code and similar TUIs
can't detect the host emulator and lose capability-gated features like
Shift+Enter. Also pass through LS_COLORS, LESS*, MANPAGER, MANPATH, etc.
so interactive UX matches the host.
Prevents sandboxed processes from creating user namespaces to gain fake
root, the standard entry point for kernel privilege-escalation exploits.
Matches Docker and Podman's default seccomp policy.
clone3 remains fully denied (not in the allowlist) so glibc falls back
to clone where this argument filter applies.
Also switches hand-written ioctl constants to libc::{TIOCSTI,TIOCLINUX}.
Whitelist mode now clears the parent env and re-adds a small allowlist
(identity, terminal, locale, proxy, non-GUI XDG, vendor prefixes).
Blacklist mode strips cloud credentials, backup passphrases, dangling
socket pointers, and anything matching *_TOKEN, *_SECRET, *_PASSWORD,
*_PASSPHRASE, *_API_KEY, *_PRIVATE_KEY, *_CLIENT_SECRET; vendor prefix
carve-outs keep ANTHROPIC_API_KEY and friends.
Users can override via --setenv KEY=VALUE and --unsetenv KEY (and the
corresponding TOML keys), or opt out of the built-in policy entirely
with --no-env-filter.
Derived from Podman's default profile, stripped of capability-conditional
rules (we never grant capabilities), argument filters, and the explicit
EPERM block. Dangerous syscalls (mount, unshare, ptrace, bpf,
perf_event_open, io_uring_*, keyctl, kexec_*, ...) fall through to the
default ENOSYS action, which also keeps glibc's clone3 -> clone fallback
working. x86_64 and aarch64 are supported; other archs error out.
Toggle with --seccomp / --no-seccomp or seccomp = <bool> in config.
Pair --hardened, --dry-run, and --unshare-net (renamed from --no-net)
with negation counterparts so a CLI invocation can override a truthy
config-file or profile value.
Canonicalizing rw/ro paths in the config layer resolved symlinks before
the sandbox was built, so a symlinked entry only appeared at its
target's location -- never at the path the user wrote. Stop
canonicalizing rw/ro at the config layer and instead resolve only the
source side of the bind in sandbox.rs.
Whitelist mode's implicit bwrap root was a writable tmpfs, letting the
sandboxed process create files and directories anywhere not covered by
an explicit ro mount. This was not an issue in blacklist mode due to
--ro-bind / / covering that case.
This patch adds --remount-ro / before any other mount to make the base
layer read-only in both modes.
Glob results within a SENSITIVE_PATHS entry could return files before
their parent directory. When that happens the file gets a null-bind
while its siblings remain visible, because the parent hasn't been added
to tmpfs_dirs yet. Sorting dirs first removes this implicit ordering
dependency.
mrtoth