Skip to content

add denied paths sandbox policy#542

Draft
matt-dz wants to merge 2 commits into
mainfrom
matt-dz/deny-paths
Draft

add denied paths sandbox policy#542
matt-dz wants to merge 2 commits into
mainfrom
matt-dz/deny-paths

Conversation

@matt-dz

@matt-dz matt-dz commented Jun 24, 2026

Copy link
Copy Markdown
Collaborator

Summary

Adds an explicit DeniedPaths sandbox policy alongside AllowedPaths.

  • Adds interp.DeniedPaths(...) and CLI --denied-paths
  • Supports PATH, PATH:r, and PATH:w deny specs
  • Pins deny roots by filesystem identity and enforces read/write deny behavior across sandbox operations
  • Adds a Unix deny-aware openat read resolver for symlink-safe reads and a Windows best-effort path using handle identity checks
  • Shows denied paths in help and exposes DENIED_PATHS
  • Adds scenario coverage for read deny, write deny, listings, help output, and symlink bypass attempts

Validation

  • make fmt
  • go test ./...
  • RSHELL_BASH_TEST=1 go test ./tests/ -run TestShellScenariosAgainstBash -timeout 120s
  • GOOS=windows go test -c -o /tmp/rshell-allowedpaths.test.exe ./allowedpaths
  • GOOS=windows go test -c -o /tmp/rshell-interp.test.exe ./interp
  • GOOS=windows go test -c -o /tmp/rshell-cli.test.exe ./cmd/rshell

@datadog-prod-us1-4

datadog-prod-us1-4 Bot commented Jun 24, 2026

Copy link
Copy Markdown

Pipelines

Fix all issues with BitsAI

⚠️ Warnings

🚦 2 Pipeline jobs failed

CI | Test (windows-latest)   View in Datadog   GitHub Actions

Static Analysis Verification | Static Analysis Label Check   View in Datadog   GitHub Actions

Useful? React with 👍 / 👎

This comment will be updated automatically if new data arrives.
🔗 Commit SHA: 0211974 | Docs | Datadog PR Page | Give us feedback!

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant