19 KiB
19 KiB
Sandbox Whitelist / Blacklist Matrix (Generated)
Metadata
- Schema version:
1.0.0 - Total operations:
12 - Total rules:
124 - Command allowlist size:
32 - Command denylist size:
15
Permission Lists
Command Allowlist
buncargocatcmakecpdateechoenvfindgitgrepheadlsmakemkdirmvnodenpmnpxpippip3pnpmpwdpythonpython3rustcrustuptailtouchuvwhichyarn
Command Denylist
apt installapt-get installbrew installchmod 777chowndnf installmasscannc -lnetcatnmappacman -Ssnap installsusudoyum install
Rules
| layer | platform | backend | mode | windowsMode | operationId | verdict | reason |
|---|---|---|---|---|---|---|---|
| sandbox | darwin | macos-seatbelt | strict | n/a | fs.write.workspace | allow | workspace path is explicitly writable |
| sandbox | darwin | macos-seatbelt | strict | n/a | fs.write.outside_workspace | block | seatbelt non-permissive mode only allows writablePaths |
| sandbox | darwin | macos-seatbelt | strict | n/a | fs.delete.system_path | block | seatbelt non-permissive mode only allows writablePaths |
| sandbox | darwin | macos-seatbelt | strict | n/a | network.external | conditional | depends on networkEnabled -> (allow network*) |
| sandbox | darwin | macos-seatbelt | strict | n/a | network.loopback | conditional | depends on networkEnabled -> (allow network*) |
| sandbox | darwin | macos-seatbelt | strict | n/a | exec.startup_chain_extra | block | strict mode does not include startupExecAllowlist |
| sandbox | darwin | macos-seatbelt | strict | n/a | command.dangerous.system | conditional | blocked primarily by PermissionManager; sandbox outcome may vary by command path |
| sandbox | darwin | macos-seatbelt | strict | n/a | fallback.backend_unavailable | conditional | manual fails closed; startup-only/session degrade to none |
| sandbox | darwin | macos-seatbelt | compat | n/a | fs.write.workspace | allow | workspace path is explicitly writable |
| sandbox | darwin | macos-seatbelt | compat | n/a | fs.write.outside_workspace | block | seatbelt non-permissive mode only allows writablePaths |
| sandbox | darwin | macos-seatbelt | compat | n/a | fs.delete.system_path | block | seatbelt non-permissive mode only allows writablePaths |
| sandbox | darwin | macos-seatbelt | compat | n/a | network.external | conditional | depends on networkEnabled -> (allow network*) |
| sandbox | darwin | macos-seatbelt | compat | n/a | network.loopback | conditional | depends on networkEnabled -> (allow network*) |
| sandbox | darwin | macos-seatbelt | compat | n/a | exec.startup_chain_extra | conditional | compat supports startupExecAllowlist but depends on caller input |
| sandbox | darwin | macos-seatbelt | compat | n/a | command.dangerous.system | conditional | blocked primarily by PermissionManager; sandbox outcome may vary by command path |
| sandbox | darwin | macos-seatbelt | compat | n/a | fallback.backend_unavailable | conditional | manual fails closed; startup-only/session degrade to none |
| sandbox | darwin | macos-seatbelt | permissive | n/a | fs.write.workspace | allow | workspace path is explicitly writable |
| sandbox | darwin | macos-seatbelt | permissive | n/a | fs.write.outside_workspace | allow | permissive mode enables file-write* globally |
| sandbox | darwin | macos-seatbelt | permissive | n/a | fs.delete.system_path | allow | permissive mode enables file-write* globally |
| sandbox | darwin | macos-seatbelt | permissive | n/a | network.external | conditional | depends on networkEnabled -> (allow network*) |
| sandbox | darwin | macos-seatbelt | permissive | n/a | network.loopback | conditional | depends on networkEnabled -> (allow network*) |
| sandbox | darwin | macos-seatbelt | permissive | n/a | exec.startup_chain_extra | allow | permissive mode allows process-exec globally |
| sandbox | darwin | macos-seatbelt | permissive | n/a | command.dangerous.system | conditional | blocked primarily by PermissionManager; sandbox outcome may vary by command path |
| sandbox | darwin | macos-seatbelt | permissive | n/a | fallback.backend_unavailable | conditional | manual fails closed; startup-only/session degrade to none |
| sandbox | linux | linux-bwrap | strict | n/a | fs.write.workspace | allow | workspace path is bind-mounted writable |
| sandbox | linux | linux-bwrap | strict | n/a | fs.write.outside_workspace | block | strict/compat keep host root read-only outside writablePaths |
| sandbox | linux | linux-bwrap | strict | n/a | fs.delete.system_path | block | strict/compat keep host root read-only outside writablePaths |
| sandbox | linux | linux-bwrap | strict | n/a | network.external | conditional | depends on networkEnabled -> --unshare-net |
| sandbox | linux | linux-bwrap | strict | n/a | network.loopback | conditional | loopback behavior depends on namespace/runtime tooling |
| sandbox | linux | linux-bwrap | strict | n/a | exec.startup_chain_extra | conditional | strict only ro-binds minimal paths + command related dirs |
| sandbox | linux | linux-bwrap | strict | n/a | command.dangerous.system | conditional | blocked by PermissionManager first; sandbox-level outcome varies by command/capability |
| sandbox | linux | linux-bwrap | strict | n/a | fallback.backend_unavailable | conditional | manual fails closed; startup-only/session degrade to none |
| sandbox | linux | linux-bwrap | compat | n/a | fs.write.workspace | allow | workspace path is bind-mounted writable |
| sandbox | linux | linux-bwrap | compat | n/a | fs.write.outside_workspace | block | strict/compat keep host root read-only outside writablePaths |
| sandbox | linux | linux-bwrap | compat | n/a | fs.delete.system_path | block | strict/compat keep host root read-only outside writablePaths |
| sandbox | linux | linux-bwrap | compat | n/a | network.external | conditional | depends on networkEnabled -> --unshare-net |
| sandbox | linux | linux-bwrap | compat | n/a | network.loopback | conditional | loopback behavior depends on namespace/runtime tooling |
| sandbox | linux | linux-bwrap | compat | n/a | exec.startup_chain_extra | allow | compat/permissive keep full root visibility for exec |
| sandbox | linux | linux-bwrap | compat | n/a | command.dangerous.system | conditional | blocked by PermissionManager first; sandbox-level outcome varies by command/capability |
| sandbox | linux | linux-bwrap | compat | n/a | fallback.backend_unavailable | conditional | manual fails closed; startup-only/session degrade to none |
| sandbox | linux | linux-bwrap | permissive | n/a | fs.write.workspace | allow | workspace path is bind-mounted writable |
| sandbox | linux | linux-bwrap | permissive | n/a | fs.write.outside_workspace | allow | permissive mode bind-mounts root writable |
| sandbox | linux | linux-bwrap | permissive | n/a | fs.delete.system_path | allow | permissive mode bind-mounts root writable |
| sandbox | linux | linux-bwrap | permissive | n/a | network.external | allow | permissive mode skips network namespace isolation |
| sandbox | linux | linux-bwrap | permissive | n/a | network.loopback | allow | no net namespace isolation in permissive mode |
| sandbox | linux | linux-bwrap | permissive | n/a | exec.startup_chain_extra | allow | compat/permissive keep full root visibility for exec |
| sandbox | linux | linux-bwrap | permissive | n/a | command.dangerous.system | conditional | blocked by PermissionManager first; sandbox-level outcome varies by command/capability |
| sandbox | linux | linux-bwrap | permissive | n/a | fallback.backend_unavailable | conditional | manual fails closed; startup-only/session degrade to none |
| sandbox | win32 | windows-sandbox | strict | read-only | fs.write.workspace | block | read-only mode blocks workspace write |
| sandbox | win32 | windows-sandbox | strict | read-only | fs.write.outside_workspace | block | read-only mode blocks writes |
| sandbox | win32 | windows-sandbox | strict | read-only | fs.delete.system_path | conditional | depends on helper ACL application and writable root boundary |
| sandbox | win32 | windows-sandbox | strict | read-only | network.external | conditional | read-only policy enforces no full network but relies on helper best-effort controls |
| sandbox | win32 | windows-sandbox | strict | read-only | network.loopback | conditional | read-only policy enforces no full network but relies on helper best-effort controls |
| sandbox | win32 | windows-sandbox | strict | read-only | exec.startup_chain_extra | allow | helper executes command chain; restriction is policy/ACL not exec allowlist |
| sandbox | win32 | windows-sandbox | strict | read-only | command.dangerous.system | conditional | blocked mainly by PermissionManager and ACL boundaries |
| sandbox | win32 | windows-sandbox | strict | read-only | fallback.backend_unavailable | conditional | manual fails closed; startup-only/session degrade to none |
| sandbox | win32 | windows-sandbox | strict | workspace-write | fs.write.workspace | allow | workspace-write allows workspace root writes |
| sandbox | win32 | windows-sandbox | strict | workspace-write | fs.write.outside_workspace | conditional | strict limits writable_roots but helper still allows cwd/temp paths |
| sandbox | win32 | windows-sandbox | strict | workspace-write | fs.delete.system_path | conditional | depends on helper ACL application and writable root boundary |
| sandbox | win32 | windows-sandbox | strict | workspace-write | network.external | conditional | network_access is helper best-effort, not kernel-level isolation |
| sandbox | win32 | windows-sandbox | strict | workspace-write | network.loopback | conditional | network_access is helper best-effort, not kernel-level isolation |
| sandbox | win32 | windows-sandbox | strict | workspace-write | exec.startup_chain_extra | allow | helper executes command chain; restriction is policy/ACL not exec allowlist |
| sandbox | win32 | windows-sandbox | strict | workspace-write | command.dangerous.system | conditional | blocked mainly by PermissionManager and ACL boundaries |
| sandbox | win32 | windows-sandbox | strict | workspace-write | fallback.backend_unavailable | conditional | manual fails closed; startup-only/session degrade to none |
| sandbox | win32 | windows-sandbox | compat | read-only | fs.write.workspace | block | read-only mode blocks workspace write |
| sandbox | win32 | windows-sandbox | compat | read-only | fs.write.outside_workspace | block | read-only mode blocks writes |
| sandbox | win32 | windows-sandbox | compat | read-only | fs.delete.system_path | conditional | depends on helper ACL application and writable root boundary |
| sandbox | win32 | windows-sandbox | compat | read-only | network.external | conditional | read-only policy enforces no full network but relies on helper best-effort controls |
| sandbox | win32 | windows-sandbox | compat | read-only | network.loopback | conditional | read-only policy enforces no full network but relies on helper best-effort controls |
| sandbox | win32 | windows-sandbox | compat | read-only | exec.startup_chain_extra | allow | helper executes command chain; restriction is policy/ACL not exec allowlist |
| sandbox | win32 | windows-sandbox | compat | read-only | command.dangerous.system | conditional | blocked mainly by PermissionManager and ACL boundaries |
| sandbox | win32 | windows-sandbox | compat | read-only | fallback.backend_unavailable | conditional | manual fails closed; startup-only/session degrade to none |
| sandbox | win32 | windows-sandbox | compat | workspace-write | fs.write.workspace | allow | workspace-write allows workspace root writes |
| sandbox | win32 | windows-sandbox | compat | workspace-write | fs.write.outside_workspace | conditional | compat/permissive include wider writable roots and cwd-dependent allowances |
| sandbox | win32 | windows-sandbox | compat | workspace-write | fs.delete.system_path | conditional | depends on helper ACL application and writable root boundary |
| sandbox | win32 | windows-sandbox | compat | workspace-write | network.external | conditional | network_access is helper best-effort, not kernel-level isolation |
| sandbox | win32 | windows-sandbox | compat | workspace-write | network.loopback | conditional | network_access is helper best-effort, not kernel-level isolation |
| sandbox | win32 | windows-sandbox | compat | workspace-write | exec.startup_chain_extra | allow | helper executes command chain; restriction is policy/ACL not exec allowlist |
| sandbox | win32 | windows-sandbox | compat | workspace-write | command.dangerous.system | conditional | blocked mainly by PermissionManager and ACL boundaries |
| sandbox | win32 | windows-sandbox | compat | workspace-write | fallback.backend_unavailable | conditional | manual fails closed; startup-only/session degrade to none |
| sandbox | win32 | windows-sandbox | permissive | read-only | fs.write.workspace | block | read-only mode blocks workspace write |
| sandbox | win32 | windows-sandbox | permissive | read-only | fs.write.outside_workspace | block | read-only mode blocks writes |
| sandbox | win32 | windows-sandbox | permissive | read-only | fs.delete.system_path | conditional | depends on helper ACL application and writable root boundary |
| sandbox | win32 | windows-sandbox | permissive | read-only | network.external | conditional | read-only policy enforces no full network but relies on helper best-effort controls |
| sandbox | win32 | windows-sandbox | permissive | read-only | network.loopback | conditional | read-only policy enforces no full network but relies on helper best-effort controls |
| sandbox | win32 | windows-sandbox | permissive | read-only | exec.startup_chain_extra | allow | helper executes command chain; restriction is policy/ACL not exec allowlist |
| sandbox | win32 | windows-sandbox | permissive | read-only | command.dangerous.system | conditional | blocked mainly by PermissionManager and ACL boundaries |
| sandbox | win32 | windows-sandbox | permissive | read-only | fallback.backend_unavailable | conditional | manual fails closed; startup-only/session degrade to none |
| sandbox | win32 | windows-sandbox | permissive | workspace-write | fs.write.workspace | allow | workspace-write allows workspace root writes |
| sandbox | win32 | windows-sandbox | permissive | workspace-write | fs.write.outside_workspace | conditional | compat/permissive include wider writable roots and cwd-dependent allowances |
| sandbox | win32 | windows-sandbox | permissive | workspace-write | fs.delete.system_path | conditional | depends on helper ACL application and writable root boundary |
| sandbox | win32 | windows-sandbox | permissive | workspace-write | network.external | conditional | network_access is helper best-effort, not kernel-level isolation |
| sandbox | win32 | windows-sandbox | permissive | workspace-write | network.loopback | conditional | network_access is helper best-effort, not kernel-level isolation |
| sandbox | win32 | windows-sandbox | permissive | workspace-write | exec.startup_chain_extra | allow | helper executes command chain; restriction is policy/ACL not exec allowlist |
| sandbox | win32 | windows-sandbox | permissive | workspace-write | command.dangerous.system | conditional | blocked mainly by PermissionManager and ACL boundaries |
| sandbox | win32 | windows-sandbox | permissive | workspace-write | fallback.backend_unavailable | conditional | manual fails closed; startup-only/session degrade to none |
| sandbox | all | docker | strict | n/a | fs.write.workspace | unsupported | docker process-level sandbox is not implemented |
| sandbox | all | docker | strict | n/a | fs.write.outside_workspace | unsupported | docker process-level sandbox is not implemented |
| sandbox | all | docker | strict | n/a | fs.delete.system_path | unsupported | docker process-level sandbox is not implemented |
| sandbox | all | docker | strict | n/a | network.external | unsupported | docker process-level sandbox is not implemented |
| sandbox | all | docker | strict | n/a | network.loopback | unsupported | docker process-level sandbox is not implemented |
| sandbox | all | docker | strict | n/a | exec.startup_chain_extra | unsupported | docker process-level sandbox is not implemented |
| sandbox | all | docker | strict | n/a | command.dangerous.system | unsupported | docker process-level sandbox is not implemented |
| sandbox | all | docker | strict | n/a | fallback.backend_unavailable | unsupported | docker process-level sandbox is not implemented |
| sandbox | all | docker | compat | n/a | fs.write.workspace | unsupported | docker process-level sandbox is not implemented |
| sandbox | all | docker | compat | n/a | fs.write.outside_workspace | unsupported | docker process-level sandbox is not implemented |
| sandbox | all | docker | compat | n/a | fs.delete.system_path | unsupported | docker process-level sandbox is not implemented |
| sandbox | all | docker | compat | n/a | network.external | unsupported | docker process-level sandbox is not implemented |
| sandbox | all | docker | compat | n/a | network.loopback | unsupported | docker process-level sandbox is not implemented |
| sandbox | all | docker | compat | n/a | exec.startup_chain_extra | unsupported | docker process-level sandbox is not implemented |
| sandbox | all | docker | compat | n/a | command.dangerous.system | unsupported | docker process-level sandbox is not implemented |
| sandbox | all | docker | compat | n/a | fallback.backend_unavailable | unsupported | docker process-level sandbox is not implemented |
| sandbox | all | docker | permissive | n/a | fs.write.workspace | unsupported | docker process-level sandbox is not implemented |
| sandbox | all | docker | permissive | n/a | fs.write.outside_workspace | unsupported | docker process-level sandbox is not implemented |
| sandbox | all | docker | permissive | n/a | fs.delete.system_path | unsupported | docker process-level sandbox is not implemented |
| sandbox | all | docker | permissive | n/a | network.external | unsupported | docker process-level sandbox is not implemented |
| sandbox | all | docker | permissive | n/a | network.loopback | unsupported | docker process-level sandbox is not implemented |
| sandbox | all | docker | permissive | n/a | exec.startup_chain_extra | unsupported | docker process-level sandbox is not implemented |
| sandbox | all | docker | permissive | n/a | command.dangerous.system | unsupported | docker process-level sandbox is not implemented |
| sandbox | all | docker | permissive | n/a | fallback.backend_unavailable | unsupported | docker process-level sandbox is not implemented |
| permission | all | permission-manager | n/a | n/a | permission.command.safe | allow | safeCommands includes "node" and is auto-approved for command:execute |
| permission | all | permission-manager | n/a | n/a | permission.command.dangerous | block | dangerous command pattern (e.g. "sudo") is blocked |
| permission | all | permission-manager | n/a | n/a | permission.path.sensitive | block | sensitive paths (.ssh, /etc/passwd, /etc/shadow, /etc/sudoers, /etc/group) are blocked |
| permission | all | permission-manager | n/a | n/a | permission.type.deny | block | denyList permission types are blocked |
Evidence
src/main/services/sandbox/SandboxInvoker.tssrc/main/services/sandbox/policy.tssrc/main/services/sandbox/PermissionManager.ts