security: make denyRead directories read-only in Linux sandbox #150
Open
patrick-premont wants to merge 1 commit into anthropic-experimental:main from
Replace --tmpfs with --ro-bind of an empty directory for denyRead directory paths. --tmpfs hides contents but creates a writable mount, allowing sandboxed processes to write to denied paths. --ro-bind ensures the mount is read-only. Follows the existing pattern from anthropic-experimental#126 for non-existent deny paths. Temp directories are tracked via bwrapMountPoints for cleanup.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Fixes #149.

Problem

denyRead directories on Linux are mounted using --tmpfs, which hides the original contents but creates a writable mount. A sandboxed process can write to directories that should be inaccessible.

The writes go to in-memory tmpfs (not the real filesystem), so the original data is safe and writes are lost on sandbox exit. But the process observes writes succeeding where they should fail, violating the expected security contract.

The file-level deny path (--ro-bind /dev/null) is not affected — only directory-level deny uses --tmpfs.

Fix

Replace --tmpfs with --ro-bind using an empty temporary directory for directory read deny. This hides directory contents (same as before) while keeping the mount read-only.

The fix follows the existing pattern used for non-existent deny paths (#126), which already creates temp directories as --ro-bind sources and tracks them via bwrapMountPoints for cleanup.

Safety

A single empty temp directory is created via mkdtempSync (unique, 0700) and reused as the --ro-bind source for all directory read-deny mounts. It is tracked in bwrapMountPoints for cleanup by cleanupBwrapMountPoints() after each command and on process exit. This reuses the cleanup infrastructure from #126.

Edge case — denyRead + allowWrite overlap: If the same path appears in both denyRead and allowWrite, the read-only --ro-bind overlay now takes precedence, making the path read-only. Under the old --tmpfs behavior, writes went to ephemeral tmpfs (not the real path), so allowWrite was effectively a no-op for denyRead paths either way. This overlap is not a practical configuration.

Testing

Three new integration tests added:
allowWrite: []allowWritepath

Tested with bubblewrap 0.9.0 on Ubuntu 24.04 (Docker with --privileged).
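
A check for the property described above, as an added example that is not code from the PR or the project: it walks a bwrap argument vector and reports whether the last mount placed on each denyRead directory is read-only, covering the old --tmpfs form, the --ro-bind form, and the denyRead + allowWrite overlap. The function names and all paths are assumptions made for illustration; it matches exact destination paths only and does not model nested mounts.

```javascript
// Added example (hypothetical helper names): audit a bwrap argument vector.
// Operand count per bwrap mount option; DEST is always the last operand.
const MOUNT_ARITY = new Map([
  ["--bind", 2], ["--bind-try", 2], ["--dev-bind", 2], ["--dev-bind-try", 2],
  ["--ro-bind", 2], ["--ro-bind-try", 2], ["--tmpfs", 1], ["--remount-ro", 1],
]);
const READ_ONLY = new Set(["--ro-bind", "--ro-bind-try", "--remount-ro"]);

// bwrap applies options in order, so the last operation on a destination
// decides what the sandboxed process sees there.
function effectiveMounts(argv) {
  const last = new Map();
  for (let i = 0; i < argv.length && argv[i] !== "--"; i++) {
    const arity = MOUNT_ARITY.get(argv[i]);
    if (arity === undefined) continue;
    const operands = argv.slice(i + 1, i + 1 + arity);
    if (operands.length < arity) throw new Error(`truncated ${argv[i]}`);
    last.set(operands[arity - 1], argv[i]);
    i += arity;
  }
  return last;
}

// Classify each denyRead directory by the mount that ends up on it.
function auditDenyRead(argv, denyReadDirs) {
  const mounts = effectiveMounts(argv);
  return denyReadDirs.map((dir) => {
    const op = mounts.get(dir) ?? null;
    const status = op === null ? "no-mount" : READ_ONLY.has(op) ? "read-only" : "writable";
    return { dir, op, status };
  });
}

// Constructed argument vectors; every path here is a placeholder.
const EMPTY = "/tmp/empty-dir-placeholder";
const before = ["--ro-bind", "/", "/", "--tmpfs", "/home/u/.ssh", "--", "sh"];
const after = ["--ro-bind", "/", "/", "--ro-bind", EMPTY, "/home/u/.ssh", "--", "sh"];
// denyRead + allowWrite overlap: the later --ro-bind wins over the --bind.
const overlap = ["--bind", "/work/x", "/work/x", "--ro-bind", EMPTY, "/work/x", "--", "sh"];

for (const [name, argv, dir] of [["before", before, "/home/u/.ssh"],
  ["after", after, "/home/u/.ssh"], ["overlap", overlap, "/work/x"]]) {
  console.log(name, auditDenyRead(argv, [dir])[0]);
}
```

A "writable" result for a denyRead directory is the condition this PR removes; "no-mount" means no option targets that exact path.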