83bd4305c7
Bind symlinked rw/ro paths at the user-written destination
...
Canonicalizing rw/ro paths in the config layer resolved symlinks before
the sandbox was built, so a symlinked entry only appeared at its
target's location -- never at the path the user wrote. Stop
canonicalizing rw/ro at the config layer and instead resolve only the
source side of the bind in sandbox.rs.
2026-04-07 17:45:38 +02:00
f0711f2894
Ship an example config file
2026-04-07 15:10:10 +02:00
cab0eb74d7
Error out if no entrypoint or command is passed (drop claude default)
2026-04-04 10:19:58 +02:00
062ddab5f8
Add entrypoint option
2026-04-04 10:16:57 +02:00
8ecba5d6dc
Add option to pass through arguments to brwap, use shlex for dry-run
2026-04-04 08:51:08 +02:00
8958f79ece
Document and expand test coverage of config file feature
2026-04-04 08:51:08 +02:00
db60fb9ddb
Reject unknown config keys
2026-04-01 23:51:47 +02:00
c7c4c673cb
Add mask option to hide paths/files from sandbox
2026-04-01 23:19:08 +02:00
0119834d5a
Implement config file parsing and precedence with CLI
2026-03-31 01:22:08 +02:00
f1d7a14b8d
Ensure root filesystem is always read-only inside sandbox
...
Whitelist mode's implicit bwrap root was a writable tmpfs, letting the
sandboxed process create files and directories anywhere not covered by
an explicit ro mount. This was not an issue in blacklist mode due to
--ro-bind / / covering that case.
This patch adds --remount-ro / before any other mount to make the base
layer read-only in both modes.
2026-03-29 16:50:59 +02:00
389e38a800
Add CLAUDE.md and AGENTS.md with build rules and pitfalls
2026-03-25 23:59:37 +01:00
99f9395c10
Move require_run_user to lib.rs and make blacklist module private
2026-03-25 23:54:35 +01:00
5fc7eb3c11
Consolidate whitelist mode setup into add_whitelist_mode
2026-03-25 23:43:48 +01:00
960b034a80
Run integration tests serially to avoid /tmp race conditions
2026-03-25 23:43:26 +01:00
b200be9490
Add README with security model documentation
2026-03-25 23:13:16 +01:00
d79563d948
Add integration test for /dev/input/ being hidden in blacklist mode
2026-03-25 23:02:24 +01:00
167439c156
Add fish/nushell history and /tmp leaks to SENSITIVE_PATHS
2026-03-25 23:00:52 +01:00
6349709024
Add container, WM, package manager, and database sockets to SENSITIVE_PATHS
2026-03-25 22:58:12 +01:00
d3f8986b77
Sort dirs before files in resolve_overlays
...
Glob results within a SENSITIVE_PATHS entry could return files before
their parent directory. When that happens the file gets a null-bind
while its siblings remain visible, because the parent hasn't been added
to tmpfs_dirs yet. Sorting dirs first removes this implicit ordering
dependency.
2026-03-25 22:54:56 +01:00
82f84247f1
Rework handling of /run and ${RUNUSER} in blacklist mode
2026-03-25 22:48:39 +01:00
0bd91ffad2
Add /sys to whitelist mode
2026-03-25 22:22:35 +01:00
dccf2309a5
Add --new-session to bwrap invocation
2026-03-25 22:15:21 +01:00
9f82ca21ee
Add /dev/input/ to SENSITIVE_PATHS for blacklist mode
2026-03-25 22:00:32 +01:00
ada9da7ae7
Reject empty HOME envvar
2026-03-20 21:43:08 +01:00
4112288a30
Ensure passing relative paths to CLI works
2026-03-20 21:36:55 +01:00
94535b20d3
Fix blacklist bind mount order
2026-03-20 21:02:48 +01:00
826c6d5531
Add ~/.claude.json to agent paths and use --bind-try
2026-03-20 20:41:24 +01:00
50dafb4c37
Fix read-only /dev, /proc, /tmp, /var/tmp, /run in blacklist mode
2026-03-20 20:40:57 +01:00
c8e0d4813a
Use --ro-bind-try for system files in whitelist mode
2026-03-20 19:29:53 +01:00
b4b94856ac
Skip run_user overlay when runtime dir is unknown
2026-03-20 19:29:43 +01:00
9da043a70e
Remove redundant /etc/ssh/* glob entry
2026-03-20 19:29:38 +01:00
ba885b7dd6
Ensure test file is cleaned up in cwd_is_writable test case
2026-03-20 18:52:03 +01:00
bf53d92d49
Initial commit
2026-03-20 18:40:08 +01:00
