201 lines
19 KiB
Markdown
201 lines
19 KiB
Markdown
# Sandbox Whitelist / Blacklist Matrix (Generated)
|
|
|
|
## Metadata
|
|
|
|
- Schema version: `1.0.0`
|
|
- Total operations: `12`
|
|
- Total rules: `124`
|
|
- Command allowlist size: `32`
|
|
- Command denylist size: `15`
|
|
|
|
## Permission Lists
|
|
|
|
### Command Allowlist
|
|
|
|
- `bun`
|
|
- `cargo`
|
|
- `cat`
|
|
- `cmake`
|
|
- `cp`
|
|
- `date`
|
|
- `echo`
|
|
- `env`
|
|
- `find`
|
|
- `git`
|
|
- `grep`
|
|
- `head`
|
|
- `ls`
|
|
- `make`
|
|
- `mkdir`
|
|
- `mv`
|
|
- `node`
|
|
- `npm`
|
|
- `npx`
|
|
- `pip`
|
|
- `pip3`
|
|
- `pnpm`
|
|
- `pwd`
|
|
- `python`
|
|
- `python3`
|
|
- `rustc`
|
|
- `rustup`
|
|
- `tail`
|
|
- `touch`
|
|
- `uv`
|
|
- `which`
|
|
- `yarn`
|
|
|
|
### Command Denylist
|
|
|
|
- `apt install`
|
|
- `apt-get install`
|
|
- `brew install`
|
|
- `chmod 777`
|
|
- `chown`
|
|
- `dnf install`
|
|
- `masscan`
|
|
- `nc -l`
|
|
- `netcat`
|
|
- `nmap`
|
|
- `pacman -S`
|
|
- `snap install`
|
|
- `su`
|
|
- `sudo`
|
|
- `yum install`
|
|
|
|
## Rules
|
|
|
|
| layer | platform | backend | mode | windowsMode | operationId | verdict | reason |
|
|
| --- | --- | --- | --- | --- | --- | --- | --- |
|
|
| sandbox | darwin | macos-seatbelt | strict | n/a | fs.write.workspace | allow | workspace path is explicitly writable |
|
|
| sandbox | darwin | macos-seatbelt | strict | n/a | fs.write.outside_workspace | block | seatbelt non-permissive mode only allows writablePaths |
|
|
| sandbox | darwin | macos-seatbelt | strict | n/a | fs.delete.system_path | block | seatbelt non-permissive mode only allows writablePaths |
|
|
| sandbox | darwin | macos-seatbelt | strict | n/a | network.external | conditional | depends on networkEnabled -> (allow network*) |
|
|
| sandbox | darwin | macos-seatbelt | strict | n/a | network.loopback | conditional | depends on networkEnabled -> (allow network*) |
|
|
| sandbox | darwin | macos-seatbelt | strict | n/a | exec.startup_chain_extra | block | strict mode does not include startupExecAllowlist |
|
|
| sandbox | darwin | macos-seatbelt | strict | n/a | command.dangerous.system | conditional | blocked primarily by PermissionManager; sandbox outcome may vary by command path |
|
|
| sandbox | darwin | macos-seatbelt | strict | n/a | fallback.backend_unavailable | conditional | manual fails closed; startup-only/session degrade to none |
|
|
| sandbox | darwin | macos-seatbelt | compat | n/a | fs.write.workspace | allow | workspace path is explicitly writable |
|
|
| sandbox | darwin | macos-seatbelt | compat | n/a | fs.write.outside_workspace | block | seatbelt non-permissive mode only allows writablePaths |
|
|
| sandbox | darwin | macos-seatbelt | compat | n/a | fs.delete.system_path | block | seatbelt non-permissive mode only allows writablePaths |
|
|
| sandbox | darwin | macos-seatbelt | compat | n/a | network.external | conditional | depends on networkEnabled -> (allow network*) |
|
|
| sandbox | darwin | macos-seatbelt | compat | n/a | network.loopback | conditional | depends on networkEnabled -> (allow network*) |
|
|
| sandbox | darwin | macos-seatbelt | compat | n/a | exec.startup_chain_extra | conditional | compat supports startupExecAllowlist but depends on caller input |
|
|
| sandbox | darwin | macos-seatbelt | compat | n/a | command.dangerous.system | conditional | blocked primarily by PermissionManager; sandbox outcome may vary by command path |
|
|
| sandbox | darwin | macos-seatbelt | compat | n/a | fallback.backend_unavailable | conditional | manual fails closed; startup-only/session degrade to none |
|
|
| sandbox | darwin | macos-seatbelt | permissive | n/a | fs.write.workspace | allow | workspace path is explicitly writable |
|
|
| sandbox | darwin | macos-seatbelt | permissive | n/a | fs.write.outside_workspace | allow | permissive mode enables file-write* globally |
|
|
| sandbox | darwin | macos-seatbelt | permissive | n/a | fs.delete.system_path | allow | permissive mode enables file-write* globally |
|
|
| sandbox | darwin | macos-seatbelt | permissive | n/a | network.external | conditional | depends on networkEnabled -> (allow network*) |
|
|
| sandbox | darwin | macos-seatbelt | permissive | n/a | network.loopback | conditional | depends on networkEnabled -> (allow network*) |
|
|
| sandbox | darwin | macos-seatbelt | permissive | n/a | exec.startup_chain_extra | allow | permissive mode allows process-exec globally |
|
|
| sandbox | darwin | macos-seatbelt | permissive | n/a | command.dangerous.system | conditional | blocked primarily by PermissionManager; sandbox outcome may vary by command path |
|
|
| sandbox | darwin | macos-seatbelt | permissive | n/a | fallback.backend_unavailable | conditional | manual fails closed; startup-only/session degrade to none |
|
|
| sandbox | linux | linux-bwrap | strict | n/a | fs.write.workspace | allow | workspace path is bind-mounted writable |
|
|
| sandbox | linux | linux-bwrap | strict | n/a | fs.write.outside_workspace | block | strict/compat keep host root read-only outside writablePaths |
|
|
| sandbox | linux | linux-bwrap | strict | n/a | fs.delete.system_path | block | strict/compat keep host root read-only outside writablePaths |
|
|
| sandbox | linux | linux-bwrap | strict | n/a | network.external | conditional | depends on networkEnabled -> --unshare-net |
|
|
| sandbox | linux | linux-bwrap | strict | n/a | network.loopback | conditional | loopback behavior depends on namespace/runtime tooling |
|
|
| sandbox | linux | linux-bwrap | strict | n/a | exec.startup_chain_extra | conditional | strict only ro-binds minimal paths + command related dirs |
|
|
| sandbox | linux | linux-bwrap | strict | n/a | command.dangerous.system | conditional | blocked by PermissionManager first; sandbox-level outcome varies by command/capability |
|
|
| sandbox | linux | linux-bwrap | strict | n/a | fallback.backend_unavailable | conditional | manual fails closed; startup-only/session degrade to none |
|
|
| sandbox | linux | linux-bwrap | compat | n/a | fs.write.workspace | allow | workspace path is bind-mounted writable |
|
|
| sandbox | linux | linux-bwrap | compat | n/a | fs.write.outside_workspace | block | strict/compat keep host root read-only outside writablePaths |
|
|
| sandbox | linux | linux-bwrap | compat | n/a | fs.delete.system_path | block | strict/compat keep host root read-only outside writablePaths |
|
|
| sandbox | linux | linux-bwrap | compat | n/a | network.external | conditional | depends on networkEnabled -> --unshare-net |
|
|
| sandbox | linux | linux-bwrap | compat | n/a | network.loopback | conditional | loopback behavior depends on namespace/runtime tooling |
|
|
| sandbox | linux | linux-bwrap | compat | n/a | exec.startup_chain_extra | allow | compat/permissive keep full root visibility for exec |
|
|
| sandbox | linux | linux-bwrap | compat | n/a | command.dangerous.system | conditional | blocked by PermissionManager first; sandbox-level outcome varies by command/capability |
|
|
| sandbox | linux | linux-bwrap | compat | n/a | fallback.backend_unavailable | conditional | manual fails closed; startup-only/session degrade to none |
|
|
| sandbox | linux | linux-bwrap | permissive | n/a | fs.write.workspace | allow | workspace path is bind-mounted writable |
|
|
| sandbox | linux | linux-bwrap | permissive | n/a | fs.write.outside_workspace | allow | permissive mode bind-mounts root writable |
|
|
| sandbox | linux | linux-bwrap | permissive | n/a | fs.delete.system_path | allow | permissive mode bind-mounts root writable |
|
|
| sandbox | linux | linux-bwrap | permissive | n/a | network.external | allow | permissive mode skips network namespace isolation |
|
|
| sandbox | linux | linux-bwrap | permissive | n/a | network.loopback | allow | no net namespace isolation in permissive mode |
|
|
| sandbox | linux | linux-bwrap | permissive | n/a | exec.startup_chain_extra | allow | compat/permissive keep full root visibility for exec |
|
|
| sandbox | linux | linux-bwrap | permissive | n/a | command.dangerous.system | conditional | blocked by PermissionManager first; sandbox-level outcome varies by command/capability |
|
|
| sandbox | linux | linux-bwrap | permissive | n/a | fallback.backend_unavailable | conditional | manual fails closed; startup-only/session degrade to none |
|
|
| sandbox | win32 | windows-sandbox | strict | read-only | fs.write.workspace | block | read-only mode blocks workspace write |
|
|
| sandbox | win32 | windows-sandbox | strict | read-only | fs.write.outside_workspace | block | read-only mode blocks writes |
|
|
| sandbox | win32 | windows-sandbox | strict | read-only | fs.delete.system_path | conditional | depends on helper ACL application and writable root boundary |
|
|
| sandbox | win32 | windows-sandbox | strict | read-only | network.external | conditional | read-only policy enforces no full network but relies on helper best-effort controls |
|
|
| sandbox | win32 | windows-sandbox | strict | read-only | network.loopback | conditional | read-only policy enforces no full network but relies on helper best-effort controls |
|
|
| sandbox | win32 | windows-sandbox | strict | read-only | exec.startup_chain_extra | allow | helper executes command chain; restriction is policy/ACL not exec allowlist |
|
|
| sandbox | win32 | windows-sandbox | strict | read-only | command.dangerous.system | conditional | blocked mainly by PermissionManager and ACL boundaries |
|
|
| sandbox | win32 | windows-sandbox | strict | read-only | fallback.backend_unavailable | conditional | manual fails closed; startup-only/session degrade to none |
|
|
| sandbox | win32 | windows-sandbox | strict | workspace-write | fs.write.workspace | allow | workspace-write allows workspace root writes |
|
|
| sandbox | win32 | windows-sandbox | strict | workspace-write | fs.write.outside_workspace | conditional | strict limits writable_roots but helper still allows cwd/temp paths |
|
|
| sandbox | win32 | windows-sandbox | strict | workspace-write | fs.delete.system_path | conditional | depends on helper ACL application and writable root boundary |
|
|
| sandbox | win32 | windows-sandbox | strict | workspace-write | network.external | conditional | network_access is helper best-effort, not kernel-level isolation |
|
|
| sandbox | win32 | windows-sandbox | strict | workspace-write | network.loopback | conditional | network_access is helper best-effort, not kernel-level isolation |
|
|
| sandbox | win32 | windows-sandbox | strict | workspace-write | exec.startup_chain_extra | allow | helper executes command chain; restriction is policy/ACL not exec allowlist |
|
|
| sandbox | win32 | windows-sandbox | strict | workspace-write | command.dangerous.system | conditional | blocked mainly by PermissionManager and ACL boundaries |
|
|
| sandbox | win32 | windows-sandbox | strict | workspace-write | fallback.backend_unavailable | conditional | manual fails closed; startup-only/session degrade to none |
|
|
| sandbox | win32 | windows-sandbox | compat | read-only | fs.write.workspace | block | read-only mode blocks workspace write |
|
|
| sandbox | win32 | windows-sandbox | compat | read-only | fs.write.outside_workspace | block | read-only mode blocks writes |
|
|
| sandbox | win32 | windows-sandbox | compat | read-only | fs.delete.system_path | conditional | depends on helper ACL application and writable root boundary |
|
|
| sandbox | win32 | windows-sandbox | compat | read-only | network.external | conditional | read-only policy enforces no full network but relies on helper best-effort controls |
|
|
| sandbox | win32 | windows-sandbox | compat | read-only | network.loopback | conditional | read-only policy enforces no full network but relies on helper best-effort controls |
|
|
| sandbox | win32 | windows-sandbox | compat | read-only | exec.startup_chain_extra | allow | helper executes command chain; restriction is policy/ACL not exec allowlist |
|
|
| sandbox | win32 | windows-sandbox | compat | read-only | command.dangerous.system | conditional | blocked mainly by PermissionManager and ACL boundaries |
|
|
| sandbox | win32 | windows-sandbox | compat | read-only | fallback.backend_unavailable | conditional | manual fails closed; startup-only/session degrade to none |
|
|
| sandbox | win32 | windows-sandbox | compat | workspace-write | fs.write.workspace | allow | workspace-write allows workspace root writes |
|
|
| sandbox | win32 | windows-sandbox | compat | workspace-write | fs.write.outside_workspace | conditional | compat/permissive include wider writable roots and cwd-dependent allowances |
|
|
| sandbox | win32 | windows-sandbox | compat | workspace-write | fs.delete.system_path | conditional | depends on helper ACL application and writable root boundary |
|
|
| sandbox | win32 | windows-sandbox | compat | workspace-write | network.external | conditional | network_access is helper best-effort, not kernel-level isolation |
|
|
| sandbox | win32 | windows-sandbox | compat | workspace-write | network.loopback | conditional | network_access is helper best-effort, not kernel-level isolation |
|
|
| sandbox | win32 | windows-sandbox | compat | workspace-write | exec.startup_chain_extra | allow | helper executes command chain; restriction is policy/ACL not exec allowlist |
|
|
| sandbox | win32 | windows-sandbox | compat | workspace-write | command.dangerous.system | conditional | blocked mainly by PermissionManager and ACL boundaries |
|
|
| sandbox | win32 | windows-sandbox | compat | workspace-write | fallback.backend_unavailable | conditional | manual fails closed; startup-only/session degrade to none |
|
|
| sandbox | win32 | windows-sandbox | permissive | read-only | fs.write.workspace | block | read-only mode blocks workspace write |
|
|
| sandbox | win32 | windows-sandbox | permissive | read-only | fs.write.outside_workspace | block | read-only mode blocks writes |
|
|
| sandbox | win32 | windows-sandbox | permissive | read-only | fs.delete.system_path | conditional | depends on helper ACL application and writable root boundary |
|
|
| sandbox | win32 | windows-sandbox | permissive | read-only | network.external | conditional | read-only policy enforces no full network but relies on helper best-effort controls |
|
|
| sandbox | win32 | windows-sandbox | permissive | read-only | network.loopback | conditional | read-only policy enforces no full network but relies on helper best-effort controls |
|
|
| sandbox | win32 | windows-sandbox | permissive | read-only | exec.startup_chain_extra | allow | helper executes command chain; restriction is policy/ACL not exec allowlist |
|
|
| sandbox | win32 | windows-sandbox | permissive | read-only | command.dangerous.system | conditional | blocked mainly by PermissionManager and ACL boundaries |
|
|
| sandbox | win32 | windows-sandbox | permissive | read-only | fallback.backend_unavailable | conditional | manual fails closed; startup-only/session degrade to none |
|
|
| sandbox | win32 | windows-sandbox | permissive | workspace-write | fs.write.workspace | allow | workspace-write allows workspace root writes |
|
|
| sandbox | win32 | windows-sandbox | permissive | workspace-write | fs.write.outside_workspace | conditional | compat/permissive include wider writable roots and cwd-dependent allowances |
|
|
| sandbox | win32 | windows-sandbox | permissive | workspace-write | fs.delete.system_path | conditional | depends on helper ACL application and writable root boundary |
|
|
| sandbox | win32 | windows-sandbox | permissive | workspace-write | network.external | conditional | network_access is helper best-effort, not kernel-level isolation |
|
|
| sandbox | win32 | windows-sandbox | permissive | workspace-write | network.loopback | conditional | network_access is helper best-effort, not kernel-level isolation |
|
|
| sandbox | win32 | windows-sandbox | permissive | workspace-write | exec.startup_chain_extra | allow | helper executes command chain; restriction is policy/ACL not exec allowlist |
|
|
| sandbox | win32 | windows-sandbox | permissive | workspace-write | command.dangerous.system | conditional | blocked mainly by PermissionManager and ACL boundaries |
|
|
| sandbox | win32 | windows-sandbox | permissive | workspace-write | fallback.backend_unavailable | conditional | manual fails closed; startup-only/session degrade to none |
|
|
| sandbox | all | docker | strict | n/a | fs.write.workspace | unsupported | docker process-level sandbox is not implemented |
|
|
| sandbox | all | docker | strict | n/a | fs.write.outside_workspace | unsupported | docker process-level sandbox is not implemented |
|
|
| sandbox | all | docker | strict | n/a | fs.delete.system_path | unsupported | docker process-level sandbox is not implemented |
|
|
| sandbox | all | docker | strict | n/a | network.external | unsupported | docker process-level sandbox is not implemented |
|
|
| sandbox | all | docker | strict | n/a | network.loopback | unsupported | docker process-level sandbox is not implemented |
|
|
| sandbox | all | docker | strict | n/a | exec.startup_chain_extra | unsupported | docker process-level sandbox is not implemented |
|
|
| sandbox | all | docker | strict | n/a | command.dangerous.system | unsupported | docker process-level sandbox is not implemented |
|
|
| sandbox | all | docker | strict | n/a | fallback.backend_unavailable | unsupported | docker process-level sandbox is not implemented |
|
|
| sandbox | all | docker | compat | n/a | fs.write.workspace | unsupported | docker process-level sandbox is not implemented |
|
|
| sandbox | all | docker | compat | n/a | fs.write.outside_workspace | unsupported | docker process-level sandbox is not implemented |
|
|
| sandbox | all | docker | compat | n/a | fs.delete.system_path | unsupported | docker process-level sandbox is not implemented |
|
|
| sandbox | all | docker | compat | n/a | network.external | unsupported | docker process-level sandbox is not implemented |
|
|
| sandbox | all | docker | compat | n/a | network.loopback | unsupported | docker process-level sandbox is not implemented |
|
|
| sandbox | all | docker | compat | n/a | exec.startup_chain_extra | unsupported | docker process-level sandbox is not implemented |
|
|
| sandbox | all | docker | compat | n/a | command.dangerous.system | unsupported | docker process-level sandbox is not implemented |
|
|
| sandbox | all | docker | compat | n/a | fallback.backend_unavailable | unsupported | docker process-level sandbox is not implemented |
|
|
| sandbox | all | docker | permissive | n/a | fs.write.workspace | unsupported | docker process-level sandbox is not implemented |
|
|
| sandbox | all | docker | permissive | n/a | fs.write.outside_workspace | unsupported | docker process-level sandbox is not implemented |
|
|
| sandbox | all | docker | permissive | n/a | fs.delete.system_path | unsupported | docker process-level sandbox is not implemented |
|
|
| sandbox | all | docker | permissive | n/a | network.external | unsupported | docker process-level sandbox is not implemented |
|
|
| sandbox | all | docker | permissive | n/a | network.loopback | unsupported | docker process-level sandbox is not implemented |
|
|
| sandbox | all | docker | permissive | n/a | exec.startup_chain_extra | unsupported | docker process-level sandbox is not implemented |
|
|
| sandbox | all | docker | permissive | n/a | command.dangerous.system | unsupported | docker process-level sandbox is not implemented |
|
|
| sandbox | all | docker | permissive | n/a | fallback.backend_unavailable | unsupported | docker process-level sandbox is not implemented |
|
|
| permission | all | permission-manager | n/a | n/a | permission.command.safe | allow | safeCommands includes "node" and is auto-approved for command:execute |
|
|
| permission | all | permission-manager | n/a | n/a | permission.command.dangerous | block | dangerous command pattern (e.g. "sudo") is blocked |
|
|
| permission | all | permission-manager | n/a | n/a | permission.path.sensitive | block | sensitive paths (.ssh, /etc/passwd, /etc/shadow, /etc/sudoers, /etc/group) are blocked |
|
|
| permission | all | permission-manager | n/a | n/a | permission.type.deny | block | denyList permission types are blocked |
|
|
|
|
## Evidence
|
|
|
|
- `src/main/services/sandbox/SandboxInvoker.ts`
|
|
- `src/main/services/sandbox/policy.ts`
|
|
- `src/main/services/sandbox/PermissionManager.ts`
|
|
|