packages/core/src/sandbox/linux/LinuxSandboxManager.ts

/**
 * @license
 * Copyright 2026 Google LLC
 * SPDX-License-Identifier: Apache-2.0
 */

import fs from 'node:fs';
import { join, dirname } from 'node:path';
import os from 'node:os';
import {
  type SandboxManager,
  type GlobalSandboxOptions,
  type SandboxRequest,
  type SandboxedCommand,
  type SandboxPermissions,
  GOVERNANCE_FILES,
  type ParsedSandboxDenial,
  resolveSandboxPaths,
} from '../../services/sandboxManager.js';
import type { ShellExecutionResult } from '../../services/shellExecutionService.js';
import {
  sanitizeEnvironment,
  getSecureSanitizationConfig,
} from '../../services/environmentSanitization.js';
import {
  isStrictlyApproved,
  verifySandboxOverrides,
  getCommandName,
} from '../utils/commandUtils.js';
import { assertValidPathString } from '../../utils/paths.js';
import {
  isKnownSafeCommand,
  isDangerousCommand,
} from '../utils/commandSafety.js';
import {
  parsePosixSandboxDenials,
  createSandboxDenialCache,
  type SandboxDenialCache,
} from '../utils/sandboxDenialUtils.js';
import { handleReadWriteCommands } from '../utils/sandboxReadWriteUtils.js';
import { buildBwrapArgs } from './bwrapArgsBuilder.js';

let cachedBpfPath: string | undefined;

function getSeccompBpfPath(): string {
  if (cachedBpfPath) return cachedBpfPath;

  const arch = os.arch();
  let AUDIT_ARCH: number;
  let SYS_ptrace: number;

  if (arch === 'x64') {
    AUDIT_ARCH = 0xc000003e; // AUDIT_ARCH_X86_64
    SYS_ptrace = 101;
  } else if (arch === 'arm64') {
    AUDIT_ARCH = 0xc00000b7; // AUDIT_ARCH_AARCH64
    SYS_ptrace = 117;
  } else if (arch === 'arm') {
    AUDIT_ARCH = 0x40000028; // AUDIT_ARCH_ARM
    SYS_ptrace = 26;
  } else if (arch === 'ia32') {
    AUDIT_ARCH = 0x40000003; // AUDIT_ARCH_I386
    SYS_ptrace = 26;
  } else {
    throw new Error(`Unsupported architecture for seccomp filter: ${arch}`);
  }

  const EPERM = 1;
  const SECCOMP_RET_KILL_PROCESS = 0x80000000;
  const SECCOMP_RET_ERRNO = 0x00050000;
  const SECCOMP_RET_ALLOW = 0x7fff0000;

  const instructions = [
    { code: 0x20, jt: 0, jf: 0, k: 4 }, // Load arch
    { code: 0x15, jt: 1, jf: 0, k: AUDIT_ARCH }, // Jump to kill if arch != native arch
    { code: 0x06, jt: 0, jf: 0, k: SECCOMP_RET_KILL_PROCESS }, // Kill

    { code: 0x20, jt: 0, jf: 0, k: 0 }, // Load nr
    { code: 0x15, jt: 0, jf: 1, k: SYS_ptrace }, // If ptrace, jump to ERRNO
    { code: 0x06, jt: 0, jf: 0, k: SECCOMP_RET_ERRNO | EPERM }, // ERRNO

    { code: 0x06, jt: 0, jf: 0, k: SECCOMP_RET_ALLOW }, // Allow
  ];

  const buf = Buffer.alloc(8 * instructions.length);
  for (let i = 0; i < instructions.length; i++) {
    const inst = instructions[i];
    const offset = i * 8;
    buf.writeUInt16LE(inst.code, offset);
    buf.writeUInt8(inst.jt, offset + 2);
    buf.writeUInt8(inst.jf, offset + 3);
    buf.writeUInt32LE(inst.k, offset + 4);
  }

  const tempDir = fs.mkdtempSync(join(os.tmpdir(), 'gemini-cli-seccomp-'));
  const bpfPath = join(tempDir, 'seccomp.bpf');
  fs.writeFileSync(bpfPath, buf);
  cachedBpfPath = bpfPath;

  // Cleanup on exit
  process.on('exit', () => {
    try {
      fs.rmSync(tempDir, { recursive: true, force: true });
    } catch {
      // Ignore errors
    }
  });

  return bpfPath;
}

/**
 * Ensures a file or directory exists.
 */
function touch(filePath: string, isDirectory: boolean) {
  assertValidPathString(filePath);
  try {
    // If it exists (even as a broken symlink), do nothing
    if (fs.lstatSync(filePath)) return;
  } catch {
    // Ignore ENOENT
  }

  if (isDirectory) {
    fs.mkdirSync(filePath, { recursive: true });
  } else {
    fs.mkdirSync(dirname(filePath), { recursive: true });
    fs.closeSync(fs.openSync(filePath, 'a'));
  }
}

/**
 * A SandboxManager implementation for Linux that uses Bubblewrap (bwrap).
 */

export class LinuxSandboxManager implements SandboxManager {
  private static maskFilePath: string | undefined;
  private readonly denialCache: SandboxDenialCache = createSandboxDenialCache();

  constructor(private readonly options: GlobalSandboxOptions) {}

  isKnownSafeCommand(args: string[]): boolean {
    return isKnownSafeCommand(args);
  }

  isDangerousCommand(args: string[]): boolean {
    return isDangerousCommand(args);
  }

  parseDenials(result: ShellExecutionResult): ParsedSandboxDenial | undefined {
    return parsePosixSandboxDenials(result, this.denialCache);
  }

  getWorkspace(): string {
    return this.options.workspace;
  }

  getOptions(): GlobalSandboxOptions {
    return this.options;
  }

  private getMaskFilePath(): string {
    if (
      LinuxSandboxManager.maskFilePath &&
      fs.existsSync(LinuxSandboxManager.maskFilePath)
    ) {
      return LinuxSandboxManager.maskFilePath;
    }
    const tempDir = fs.mkdtempSync(join(os.tmpdir(), 'gemini-cli-mask-file-'));
    const maskPath = join(tempDir, 'mask');
    fs.writeFileSync(maskPath, '');
    fs.chmodSync(maskPath, 0);
    LinuxSandboxManager.maskFilePath = maskPath;

    // Cleanup on exit
    process.on('exit', () => {
      try {
        fs.rmSync(tempDir, { recursive: true, force: true });
      } catch {
        // Ignore errors
      }
    });

    return maskPath;
  }

  async prepareCommand(req: SandboxRequest): Promise<SandboxedCommand> {
    const isReadonlyMode = this.options.modeConfig?.readonly ?? true;
    const allowOverrides = this.options.modeConfig?.allowOverrides ?? true;

    verifySandboxOverrides(allowOverrides, req.policy);

    let command = req.command;
    let args = req.args;

    // Translate virtual commands for sandboxed file system access
    if (command === '__read') {
      command = 'cat';
    } else if (command === '__write') {
      command = 'sh';
      args = ['-c', 'cat > "$1"', '_', ...args];
    }

    const commandName = await getCommandName({ ...req, command, args });
    const isApproved = allowOverrides
      ? await isStrictlyApproved(
          { ...req, command, args },
          this.options.modeConfig?.approvedTools,
        )
      : false;
    const isYolo = this.options.modeConfig?.yolo ?? false;
    const workspaceWrite = !isReadonlyMode || isApproved || isYolo;

    const networkAccess =
      this.options.modeConfig?.network || req.policy?.networkAccess || isYolo;

    const persistentPermissions = allowOverrides
      ? this.options.policyManager?.getCommandPermissions(commandName)
      : undefined;

    const mergedAdditional: SandboxPermissions = {
      fileSystem: {
        read: [
          ...(persistentPermissions?.fileSystem?.read ?? []),
          ...(req.policy?.additionalPermissions?.fileSystem?.read ?? []),
        ],
        write: [
          ...(persistentPermissions?.fileSystem?.write ?? []),
          ...(req.policy?.additionalPermissions?.fileSystem?.write ?? []),
        ],
      },
      network:
        networkAccess ||
        persistentPermissions?.network ||
        req.policy?.additionalPermissions?.network ||
        false,
    };

    const { command: finalCommand, args: finalArgs } = handleReadWriteCommands(
      req,
      mergedAdditional,
      this.options.workspace,
      [
        ...(req.policy?.allowedPaths || []),
        ...(this.options.includeDirectories || []),
      ],
    );

    const sanitizationConfig = getSecureSanitizationConfig(
      req.policy?.sanitizationConfig,
    );

    const sanitizedEnv = sanitizeEnvironment(req.env, sanitizationConfig);

    const resolvedPaths = await resolveSandboxPaths(
      this.options,
      req,
      mergedAdditional,
    );

    for (const file of GOVERNANCE_FILES) {
      const filePath = join(this.options.workspace, file.path);
      touch(filePath, file.isDirectory);
    }

    const bwrapArgs = await buildBwrapArgs({
      resolvedPaths,
      workspaceWrite,
      networkAccess: mergedAdditional.network ?? false,
      maskFilePath: this.getMaskFilePath(),
      isWriteCommand: req.command === '__write',
    });

    const bpfPath = getSeccompBpfPath();
    bwrapArgs.push('--seccomp', '9');

    const argsPath = this.writeArgsToTempFile(bwrapArgs);

    const shArgs = [
      '-c',
      'bpf_path="$1"; args_path="$2"; shift 2; exec bwrap --args 8 "$@" 8< "$args_path" 9< "$bpf_path"',
      '_',
      bpfPath,
      argsPath,
      '--',
      finalCommand,
      ...finalArgs,
    ];

    return {
      program: 'sh',
      args: shArgs,
      env: sanitizedEnv,
      cwd: req.cwd,
      cleanup: () => {
        try {
          fs.unlinkSync(argsPath);
        } catch {
          // Ignore cleanup errors
        }
      },
    };
  }

  private writeArgsToTempFile(args: string[]): string {
    const tempFile = join(
      os.tmpdir(),
      `gemini-cli-bwrap-args-${Date.now()}-${Math.random().toString(36).slice(2)}.args`,
    );
    const content = Buffer.from(args.join('\0') + '\0');
    fs.writeFileSync(tempFile, content, { mode: 0o600 });
    return tempFile;
  }
}
Linux sandbox bubblewrap (#22680 ) 2026-03-16 21:34:48 +00:00			`/**`
			`* @license`
			`* Copyright 2026 Google LLC`
			`* SPDX-License-Identifier: Apache-2.0`
			`*/`

Implementation of sandbox "Write-Protected" Governance Files (#23139 ) 2026-03-24 04:04:17 +00:00			`import fs from 'node:fs';`
fix(core): refactor linux sandbox to fix ARG_MAX crashes (#24286 ) 2026-04-01 16:17:10 -04:00			`import { join, dirname } from 'node:path';`
Linux sandbox seccomp (#22815 ) 2026-03-17 20:29:13 +00:00			`import os from 'node:os';`
Linux sandbox bubblewrap (#22680 ) 2026-03-16 21:34:48 +00:00			`import {`
			`type SandboxManager,`
feat(core): refactor SandboxManager to a stateless architecture and introduce explicit Deny interface (#23141 ) 2026-03-23 11:43:58 -04:00			`type GlobalSandboxOptions,`
Linux sandbox bubblewrap (#22680 ) 2026-03-16 21:34:48 +00:00			`type SandboxRequest,`
			`type SandboxedCommand,`
feat(sandbox): dynamic Linux sandbox expansion and worktree support (#23692 ) 2026-03-25 18:58:45 -07:00			`type SandboxPermissions,`
Implementation of sandbox "Write-Protected" Governance Files (#23139 ) 2026-03-24 04:04:17 +00:00			`GOVERNANCE_FILES,`
refactor(core): delegate sandbox denial parsing to SandboxManager (#23928 ) 2026-03-26 15:10:15 -07:00			`type ParsedSandboxDenial,`
feat(core): populate sandbox forbidden paths with project ignore file contents (#24038 ) 2026-04-01 12:27:55 -04:00			`resolveSandboxPaths,`
Linux sandbox bubblewrap (#22680 ) 2026-03-16 21:34:48 +00:00			`} from '../../services/sandboxManager.js';`
refactor(core): delegate sandbox denial parsing to SandboxManager (#23928 ) 2026-03-26 15:10:15 -07:00			`import type { ShellExecutionResult } from '../../services/shellExecutionService.js';`
Linux sandbox bubblewrap (#22680 ) 2026-03-16 21:34:48 +00:00			`import {`
			`sanitizeEnvironment,`
			`getSecureSanitizationConfig,`
			`} from '../../services/environmentSanitization.js';`
feat(sandbox): dynamic Linux sandbox expansion and worktree support (#23692 ) 2026-03-25 18:58:45 -07:00			`import {`
			`isStrictlyApproved,`
			`verifySandboxOverrides,`
			`getCommandName,`
			`} from '../utils/commandUtils.js';`
Improve sandbox error matching and caching (#24550 ) 2026-04-07 21:08:18 +00:00			`import { assertValidPathString } from '../../utils/paths.js';`
feat(sandbox): implement secret visibility lockdown for env files (#23712 ) 2026-03-26 20:35:21 +00:00			`import {`
			`isKnownSafeCommand,`
			`isDangerousCommand,`
			`} from '../utils/commandSafety.js';`
Improve sandbox error matching and caching (#24550 ) 2026-04-07 21:08:18 +00:00			`import {`
			`parsePosixSandboxDenials,`
			`createSandboxDenialCache,`
			`type SandboxDenialCache,`
			`} from '../utils/sandboxDenialUtils.js';`
fix(core): implement __read and __write commands in sandbox managers (#24283 ) 2026-03-31 12:39:51 -07:00			`import { handleReadWriteCommands } from '../utils/sandboxReadWriteUtils.js';`
fix(core): refactor linux sandbox to fix ARG_MAX crashes (#24286 ) 2026-04-01 16:17:10 -04:00			`import { buildBwrapArgs } from './bwrapArgsBuilder.js';`
Linux sandbox bubblewrap (#22680 ) 2026-03-16 21:34:48 +00:00
Linux sandbox seccomp (#22815 ) 2026-03-17 20:29:13 +00:00			`let cachedBpfPath: string \| undefined;`

			`function getSeccompBpfPath(): string {`
			`if (cachedBpfPath) return cachedBpfPath;`

			`const arch = os.arch();`
			`let AUDIT_ARCH: number;`
			`let SYS_ptrace: number;`

			`if (arch === 'x64') {`
			`AUDIT_ARCH = 0xc000003e; // AUDIT_ARCH_X86_64`
			`SYS_ptrace = 101;`
			`} else if (arch === 'arm64') {`
			`AUDIT_ARCH = 0xc00000b7; // AUDIT_ARCH_AARCH64`
			`SYS_ptrace = 117;`
			`} else if (arch === 'arm') {`
			`AUDIT_ARCH = 0x40000028; // AUDIT_ARCH_ARM`
			`SYS_ptrace = 26;`
			`} else if (arch === 'ia32') {`
			`AUDIT_ARCH = 0x40000003; // AUDIT_ARCH_I386`
			`SYS_ptrace = 26;`
			`} else {`
			throw new Error(`Unsupported architecture for seccomp filter: ${arch}`);
			`}`

			`const EPERM = 1;`
			`const SECCOMP_RET_KILL_PROCESS = 0x80000000;`
			`const SECCOMP_RET_ERRNO = 0x00050000;`
			`const SECCOMP_RET_ALLOW = 0x7fff0000;`

			`const instructions = [`
			`{ code: 0x20, jt: 0, jf: 0, k: 4 }, // Load arch`
			`{ code: 0x15, jt: 1, jf: 0, k: AUDIT_ARCH }, // Jump to kill if arch != native arch`
			`{ code: 0x06, jt: 0, jf: 0, k: SECCOMP_RET_KILL_PROCESS }, // Kill`

			`{ code: 0x20, jt: 0, jf: 0, k: 0 }, // Load nr`
			`{ code: 0x15, jt: 0, jf: 1, k: SYS_ptrace }, // If ptrace, jump to ERRNO`
			`{ code: 0x06, jt: 0, jf: 0, k: SECCOMP_RET_ERRNO \| EPERM }, // ERRNO`

			`{ code: 0x06, jt: 0, jf: 0, k: SECCOMP_RET_ALLOW }, // Allow`
			`];`

			`const buf = Buffer.alloc(8 * instructions.length);`
			`for (let i = 0; i < instructions.length; i++) {`
			`const inst = instructions[i];`
			`const offset = i * 8;`
			`buf.writeUInt16LE(inst.code, offset);`
			`buf.writeUInt8(inst.jt, offset + 2);`
			`buf.writeUInt8(inst.jf, offset + 3);`
			`buf.writeUInt32LE(inst.k, offset + 4);`
			`}`

feat(sandbox): implement secret visibility lockdown for env files (#23712 ) 2026-03-26 20:35:21 +00:00			`const tempDir = fs.mkdtempSync(join(os.tmpdir(), 'gemini-cli-seccomp-'));`
			`const bpfPath = join(tempDir, 'seccomp.bpf');`
Implementation of sandbox "Write-Protected" Governance Files (#23139 ) 2026-03-24 04:04:17 +00:00			`fs.writeFileSync(bpfPath, buf);`
Linux sandbox seccomp (#22815 ) 2026-03-17 20:29:13 +00:00			`cachedBpfPath = bpfPath;`
feat(sandbox): implement secret visibility lockdown for env files (#23712 ) 2026-03-26 20:35:21 +00:00
			`// Cleanup on exit`
			`process.on('exit', () => {`
			`try {`
			`fs.rmSync(tempDir, { recursive: true, force: true });`
			`} catch {`
			`// Ignore errors`
			`}`
			`});`

Linux sandbox seccomp (#22815 ) 2026-03-17 20:29:13 +00:00			`return bpfPath;`
			`}`

Implementation of sandbox "Write-Protected" Governance Files (#23139 ) 2026-03-24 04:04:17 +00:00			`/**`
			`* Ensures a file or directory exists.`
			`*/`
			`function touch(filePath: string, isDirectory: boolean) {`
Improve sandbox error matching and caching (#24550 ) 2026-04-07 21:08:18 +00:00			`assertValidPathString(filePath);`
Implementation of sandbox "Write-Protected" Governance Files (#23139 ) 2026-03-24 04:04:17 +00:00			`try {`
			`// If it exists (even as a broken symlink), do nothing`
			`if (fs.lstatSync(filePath)) return;`
			`} catch {`
			`// Ignore ENOENT`
			`}`

			`if (isDirectory) {`
			`fs.mkdirSync(filePath, { recursive: true });`
			`} else {`
			`fs.mkdirSync(dirname(filePath), { recursive: true });`
			`fs.closeSync(fs.openSync(filePath, 'a'));`
			`}`
			`}`

Linux sandbox bubblewrap (#22680 ) 2026-03-16 21:34:48 +00:00			`/**`
			`* A SandboxManager implementation for Linux that uses Bubblewrap (bwrap).`
			`*/`
feat(sandbox): dynamic Linux sandbox expansion and worktree support (#23692 ) 2026-03-25 18:58:45 -07:00
Linux sandbox bubblewrap (#22680 ) 2026-03-16 21:34:48 +00:00			`export class LinuxSandboxManager implements SandboxManager {`
feat(sandbox): implement secret visibility lockdown for env files (#23712 ) 2026-03-26 20:35:21 +00:00			`private static maskFilePath: string \| undefined;`
Improve sandbox error matching and caching (#24550 ) 2026-04-07 21:08:18 +00:00			`private readonly denialCache: SandboxDenialCache = createSandboxDenialCache();`
feat(sandbox): implement secret visibility lockdown for env files (#23712 ) 2026-03-26 20:35:21 +00:00
feat(core): add forbiddenPaths to GlobalSandboxOptions and refactor createSandboxManager (#23936 ) 2026-03-27 12:57:26 -04:00			`constructor(private readonly options: GlobalSandboxOptions) {}`
Linux sandbox bubblewrap (#22680 ) 2026-03-16 21:34:48 +00:00
feat(core): implement Windows sandbox dynamic expansion Phase 1 and 2.1 (#23691 ) 2026-03-25 17:54:45 +00:00			`isKnownSafeCommand(args: string[]): boolean {`
			`return isKnownSafeCommand(args);`
			`}`

			`isDangerousCommand(args: string[]): boolean {`
			`return isDangerousCommand(args);`
			`}`

refactor(core): delegate sandbox denial parsing to SandboxManager (#23928 ) 2026-03-26 15:10:15 -07:00			`parseDenials(result: ShellExecutionResult): ParsedSandboxDenial \| undefined {`
Improve sandbox error matching and caching (#24550 ) 2026-04-07 21:08:18 +00:00			`return parsePosixSandboxDenials(result, this.denialCache);`
refactor(core): delegate sandbox denial parsing to SandboxManager (#23928 ) 2026-03-26 15:10:15 -07:00			`}`

fix(core): enhance sandbox usability and fix build error (#24460 ) 2026-04-01 16:51:06 -07:00			`getWorkspace(): string {`
			`return this.options.workspace;`
			`}`

fix(core): ensure global temp directory is always in sandbox allowed paths (#24638 ) 2026-04-03 17:23:27 -07:00			`getOptions(): GlobalSandboxOptions {`
			`return this.options;`
			`}`

feat(sandbox): implement secret visibility lockdown for env files (#23712 ) 2026-03-26 20:35:21 +00:00			`private getMaskFilePath(): string {`
			`if (`
			`LinuxSandboxManager.maskFilePath &&`
			`fs.existsSync(LinuxSandboxManager.maskFilePath)`
			`) {`
			`return LinuxSandboxManager.maskFilePath;`
			`}`
			`const tempDir = fs.mkdtempSync(join(os.tmpdir(), 'gemini-cli-mask-file-'));`
			`const maskPath = join(tempDir, 'mask');`
			`fs.writeFileSync(maskPath, '');`
			`fs.chmodSync(maskPath, 0);`
			`LinuxSandboxManager.maskFilePath = maskPath;`

			`// Cleanup on exit`
			`process.on('exit', () => {`
			`try {`
			`fs.rmSync(tempDir, { recursive: true, force: true });`
			`} catch {`
			`// Ignore errors`
			`}`
			`});`

			`return maskPath;`
			`}`

Linux sandbox bubblewrap (#22680 ) 2026-03-16 21:34:48 +00:00			`async prepareCommand(req: SandboxRequest): Promise<SandboxedCommand> {`
feat(sandbox): dynamic Linux sandbox expansion and worktree support (#23692 ) 2026-03-25 18:58:45 -07:00			`const isReadonlyMode = this.options.modeConfig?.readonly ?? true;`
			`const allowOverrides = this.options.modeConfig?.allowOverrides ?? true;`

			`verifySandboxOverrides(allowOverrides, req.policy);`

fix(core): resolve Plan Mode deadlock during plan file creation due to sandbox restrictions (#24047 ) 2026-03-31 22:06:50 +00:00			`let command = req.command;`
			`let args = req.args;`

			`// Translate virtual commands for sandboxed file system access`
			`if (command === '__read') {`
			`command = 'cat';`
			`} else if (command === '__write') {`
			`command = 'sh';`
			`args = ['-c', 'cat > "$1"', '_', ...args];`
			`}`

			`const commandName = await getCommandName({ ...req, command, args });`
feat(sandbox): dynamic Linux sandbox expansion and worktree support (#23692 ) 2026-03-25 18:58:45 -07:00			`const isApproved = allowOverrides`
fix(core): resolve Plan Mode deadlock during plan file creation due to sandbox restrictions (#24047 ) 2026-03-31 22:06:50 +00:00			`? await isStrictlyApproved(`
			`{ ...req, command, args },`
			`this.options.modeConfig?.approvedTools,`
			`)`
feat(sandbox): dynamic Linux sandbox expansion and worktree support (#23692 ) 2026-03-25 18:58:45 -07:00			`: false;`
fix(core): enhance sandbox usability and fix build error (#24460 ) 2026-04-01 16:51:06 -07:00			`const isYolo = this.options.modeConfig?.yolo ?? false;`
			`const workspaceWrite = !isReadonlyMode \|\| isApproved \|\| isYolo;`

feat(sandbox): dynamic Linux sandbox expansion and worktree support (#23692 ) 2026-03-25 18:58:45 -07:00			`const networkAccess =`
fix(core): enhance sandbox usability and fix build error (#24460 ) 2026-04-01 16:51:06 -07:00			`this.options.modeConfig?.network \|\| req.policy?.networkAccess \|\| isYolo;`
feat(sandbox): dynamic Linux sandbox expansion and worktree support (#23692 ) 2026-03-25 18:58:45 -07:00
			`const persistentPermissions = allowOverrides`
			`? this.options.policyManager?.getCommandPermissions(commandName)`
			`: undefined;`

			`const mergedAdditional: SandboxPermissions = {`
			`fileSystem: {`
			`read: [`
			`...(persistentPermissions?.fileSystem?.read ?? []),`
			`...(req.policy?.additionalPermissions?.fileSystem?.read ?? []),`
			`],`
			`write: [`
			`...(persistentPermissions?.fileSystem?.write ?? []),`
			`...(req.policy?.additionalPermissions?.fileSystem?.write ?? []),`
			`],`
			`},`
			`network:`
			`networkAccess \|\|`
			`persistentPermissions?.network \|\|`
			`req.policy?.additionalPermissions?.network \|\|`
			`false,`
			`};`

fix(core): implement __read and __write commands in sandbox managers (#24283 ) 2026-03-31 12:39:51 -07:00			`const { command: finalCommand, args: finalArgs } = handleReadWriteCommands(`
			`req,`
			`mergedAdditional,`
			`this.options.workspace,`
refactor(core): use centralized path resolution for Linux sandbox (#24985 ) 2026-04-09 08:28:58 -07:00			`[`
			`...(req.policy?.allowedPaths \|\| []),`
			`...(this.options.includeDirectories \|\| []),`
			`],`
fix(core): implement __read and __write commands in sandbox managers (#24283 ) 2026-03-31 12:39:51 -07:00			`);`

Linux sandbox bubblewrap (#22680 ) 2026-03-16 21:34:48 +00:00			`const sanitizationConfig = getSecureSanitizationConfig(`
feat(core): refactor SandboxManager to a stateless architecture and introduce explicit Deny interface (#23141 ) 2026-03-23 11:43:58 -04:00			`req.policy?.sanitizationConfig,`
Linux sandbox bubblewrap (#22680 ) 2026-03-16 21:34:48 +00:00			`);`

			`const sanitizedEnv = sanitizeEnvironment(req.env, sanitizationConfig);`

fix(core): resolve windows symlink bypass and stabilize sandbox integration tests (#24834 ) 2026-04-08 15:00:50 -07:00			`const resolvedPaths = await resolveSandboxPaths(`
			`this.options,`
			`req,`
			`mergedAdditional,`
			`);`
fix(core): resolve Plan Mode deadlock during plan file creation due to sandbox restrictions (#24047 ) 2026-03-31 22:06:50 +00:00
feat(sandbox): dynamic Linux sandbox expansion and worktree support (#23692 ) 2026-03-25 18:58:45 -07:00			`for (const file of GOVERNANCE_FILES) {`
			`const filePath = join(this.options.workspace, file.path);`
			`touch(filePath, file.isDirectory);`
			`}`
feat(sandbox): implement forbiddenPaths for OS-specific sandbox managers (#23282 ) 2026-03-24 21:23:51 -04:00
fix(core): refactor linux sandbox to fix ARG_MAX crashes (#24286 ) 2026-04-01 16:17:10 -04:00			`const bwrapArgs = await buildBwrapArgs({`
refactor(core): use centralized path resolution for Linux sandbox (#24985 ) 2026-04-09 08:28:58 -07:00			`resolvedPaths,`
fix(core): refactor linux sandbox to fix ARG_MAX crashes (#24286 ) 2026-04-01 16:17:10 -04:00			`workspaceWrite,`
refactor(core): use centralized path resolution for Linux sandbox (#24985 ) 2026-04-09 08:28:58 -07:00			`networkAccess: mergedAdditional.network ?? false,`
fix(core): refactor linux sandbox to fix ARG_MAX crashes (#24286 ) 2026-04-01 16:17:10 -04:00			`maskFilePath: this.getMaskFilePath(),`
			`isWriteCommand: req.command === '__write',`
			`});`
feat(sandbox): implement secret visibility lockdown for env files (#23712 ) 2026-03-26 20:35:21 +00:00
feat(sandbox): dynamic Linux sandbox expansion and worktree support (#23692 ) 2026-03-25 18:58:45 -07:00			`const bpfPath = getSeccompBpfPath();`
			`bwrapArgs.push('--seccomp', '9');`
fix(core): refactor linux sandbox to fix ARG_MAX crashes (#24286 ) 2026-04-01 16:17:10 -04:00
			`const argsPath = this.writeArgsToTempFile(bwrapArgs);`
feat(sandbox): dynamic Linux sandbox expansion and worktree support (#23692 ) 2026-03-25 18:58:45 -07:00
			`const shArgs = [`
			`'-c',`
fix(core): refactor linux sandbox to fix ARG_MAX crashes (#24286 ) 2026-04-01 16:17:10 -04:00			`'bpf_path="$1"; args_path="$2"; shift 2; exec bwrap --args 8 "$@" 8< "$args_path" 9< "$bpf_path"',`
feat(sandbox): dynamic Linux sandbox expansion and worktree support (#23692 ) 2026-03-25 18:58:45 -07:00			`'_',`
			`bpfPath,`
fix(core): refactor linux sandbox to fix ARG_MAX crashes (#24286 ) 2026-04-01 16:17:10 -04:00			`argsPath,`
			`'--',`
			`finalCommand,`
			`...finalArgs,`
feat(sandbox): dynamic Linux sandbox expansion and worktree support (#23692 ) 2026-03-25 18:58:45 -07:00			`];`

			`return {`
			`program: 'sh',`
			`args: shArgs,`
			`env: sanitizedEnv,`
			`cwd: req.cwd,`
fix(core): refactor linux sandbox to fix ARG_MAX crashes (#24286 ) 2026-04-01 16:17:10 -04:00			`cleanup: () => {`
			`try {`
			`fs.unlinkSync(argsPath);`
			`} catch {`
			`// Ignore cleanup errors`
			`}`
			`},`
feat(sandbox): dynamic Linux sandbox expansion and worktree support (#23692 ) 2026-03-25 18:58:45 -07:00			`};`
feat(sandbox): implement forbiddenPaths for OS-specific sandbox managers (#23282 ) 2026-03-24 21:23:51 -04:00			`}`
feat(sandbox): implement secret visibility lockdown for env files (#23712 ) 2026-03-26 20:35:21 +00:00
fix(core): refactor linux sandbox to fix ARG_MAX crashes (#24286 ) 2026-04-01 16:17:10 -04:00			`private writeArgsToTempFile(args: string[]): string {`
			`const tempFile = join(`
			`os.tmpdir(),`
			`gemini-cli-bwrap-args-${Date.now()}-${Math.random().toString(36).slice(2)}.args`,
			`);`
			`const content = Buffer.from(args.join('\0') + '\0');`
			`fs.writeFileSync(tempFile, content, { mode: 0o600 });`
			`return tempFile;`
feat(sandbox): implement secret visibility lockdown for env files (#23712 ) 2026-03-26 20:35:21 +00:00			`}`
Linux sandbox bubblewrap (#22680 ) 2026-03-16 21:34:48 +00:00			`}`