feat: add strict seatbelt profiles and remove unusable closed profiles (#18876)

2026-03-19 02:20:42 -07:00 · 2026-02-12 10:33:54 -08:00
parent 2d38623472
commit 2e91c03e08
8 changed files with 193 additions and 48 deletions
--- a/packages/cli/src/utils/sandbox-macos-permissive-closed.sb
+++ b/packages/cli/src/utils/sandbox-macos-permissive-closed.sb
@@ -1,32 +0,0 @@
-(version 1)
-
-;; allow everything by default
-(allow default)
-
-;; deny all writes EXCEPT under specific paths
-(deny file-write*)
-(allow file-write*
-    (subpath (param "TARGET_DIR"))
-    (subpath (param "TMP_DIR"))
-    (subpath (param "CACHE_DIR"))
-    (subpath (string-append (param "HOME_DIR") "/.gemini"))
-    (subpath (string-append (param "HOME_DIR") "/.npm"))
-    (subpath (string-append (param "HOME_DIR") "/.cache"))
-    (subpath (string-append (param "HOME_DIR") "/.gitconfig"))
-    ;; Allow writes to included directories from --include-directories
-    (subpath (param "INCLUDE_DIR_0"))
-    (subpath (param "INCLUDE_DIR_1"))
-    (subpath (param "INCLUDE_DIR_2"))
-    (subpath (param "INCLUDE_DIR_3"))
-    (subpath (param "INCLUDE_DIR_4"))
-    (literal "/dev/stdout")
-    (literal "/dev/stderr")
-    (literal "/dev/null")
-)
-
-;; deny all inbound network traffic EXCEPT on debugger port
-(deny network-inbound)
-(allow network-inbound (local ip "localhost:9229"))
-
-;; deny all outbound network traffic
-(deny network-outbound)
--- a/packages/cli/src/utils/sandbox-macos-restrictive-closed.sb
+++ b/packages/cli/src/utils/sandbox-macos-restrictive-closed.sb
@@ -3,8 +3,43 @@
 ;; deny everything by default
 (deny default)

-;; allow reading files from anywhere on host
-(allow file-read*)
+;; allow reading ONLY from working directory, system paths, and essential user paths
+(allow file-read*
+    (literal "/")
+    (subpath (param "TARGET_DIR"))
+    (subpath (param "TMP_DIR"))
+    (subpath (param "CACHE_DIR"))
+    ;; Only allow reading essential dotfiles/directories under HOME, not the entire HOME
+    (subpath (string-append (param "HOME_DIR") "/.gemini"))
+    (subpath (string-append (param "HOME_DIR") "/.npm"))
+    (subpath (string-append (param "HOME_DIR") "/.cache"))
+    (literal (string-append (param "HOME_DIR") "/.gitconfig"))
+    (subpath (string-append (param "HOME_DIR") "/.nvm"))
+    (subpath (string-append (param "HOME_DIR") "/.fnm"))
+    (subpath (string-append (param "HOME_DIR") "/.node"))
+    (subpath (string-append (param "HOME_DIR") "/.config"))
+    ;; Allow reads from included directories
+    (subpath (param "INCLUDE_DIR_0"))
+    (subpath (param "INCLUDE_DIR_1"))
+    (subpath (param "INCLUDE_DIR_2"))
+    (subpath (param "INCLUDE_DIR_3"))
+    (subpath (param "INCLUDE_DIR_4"))
+    ;; System paths required for Node.js, shell, and common tools
+    (subpath "/usr")
+    (subpath "/bin")
+    (subpath "/sbin")
+    (subpath "/Library")
+    (subpath "/System")
+    (subpath "/private")
+    (subpath "/dev")
+    (subpath "/etc")
+    (subpath "/opt")
+    (subpath "/Applications")
+)
+
+;; allow path traversal everywhere (metadata only: stat/lstat, NOT readdir or file content)
+;; this is needed for Node.js module resolution to traverse intermediate directories
+(allow file-read-metadata)

 ;; allow exec/fork (children inherit policy)
 (allow process-exec)
@@ -70,7 +105,7 @@
    (subpath (string-append (param "HOME_DIR") "/.gemini"))
    (subpath (string-append (param "HOME_DIR") "/.npm"))
    (subpath (string-append (param "HOME_DIR") "/.cache"))
-    (subpath (string-append (param "HOME_DIR") "/.gitconfig"))
+    (literal (string-append (param "HOME_DIR") "/.gitconfig"))
    ;; Allow writes to included directories from --include-directories
    (subpath (param "INCLUDE_DIR_0"))
    (subpath (param "INCLUDE_DIR_1"))
@@ -90,4 +125,7 @@
 (allow file-ioctl (regex #"^/dev/tty.*"))

 ;; allow inbound network traffic on debugger port
-(allow network-inbound (local ip "localhost:9229"))
+(allow network-inbound (local ip "localhost:9229"))
+
+;; allow all outbound network traffic
+(allow network-outbound)
--- a/packages/cli/src/utils/sandbox-macos-strict-proxied.sb
+++ b/packages/cli/src/utils/sandbox-macos-strict-proxied.sb
@@ -0,0 +1,133 @@
+(version 1)
+
+;; deny everything by default
+(deny default)
+
+;; allow reading ONLY from working directory, system paths, and essential user paths
+(allow file-read*
+    (literal "/")
+    (subpath (param "TARGET_DIR"))
+    (subpath (param "TMP_DIR"))
+    (subpath (param "CACHE_DIR"))
+    ;; Only allow reading essential dotfiles/directories under HOME, not the entire HOME
+    (subpath (string-append (param "HOME_DIR") "/.gemini"))
+    (subpath (string-append (param "HOME_DIR") "/.npm"))
+    (subpath (string-append (param "HOME_DIR") "/.cache"))
+    (literal (string-append (param "HOME_DIR") "/.gitconfig"))
+    (subpath (string-append (param "HOME_DIR") "/.nvm"))
+    (subpath (string-append (param "HOME_DIR") "/.fnm"))
+    (subpath (string-append (param "HOME_DIR") "/.node"))
+    (subpath (string-append (param "HOME_DIR") "/.config"))
+    ;; Allow reads from included directories
+    (subpath (param "INCLUDE_DIR_0"))
+    (subpath (param "INCLUDE_DIR_1"))
+    (subpath (param "INCLUDE_DIR_2"))
+    (subpath (param "INCLUDE_DIR_3"))
+    (subpath (param "INCLUDE_DIR_4"))
+    ;; System paths required for Node.js, shell, and common tools
+    (subpath "/usr")
+    (subpath "/bin")
+    (subpath "/sbin")
+    (subpath "/Library")
+    (subpath "/System")
+    (subpath "/private")
+    (subpath "/dev")
+    (subpath "/etc")
+    (subpath "/opt")
+    (subpath "/Applications")
+)
+
+;; allow path traversal everywhere (metadata only: stat/lstat, NOT readdir or file content)
+;; this is needed for Node.js module resolution to traverse intermediate directories
+(allow file-read-metadata)
+
+;; allow exec/fork (children inherit policy)
+(allow process-exec)
+(allow process-fork)
+
+;; allow signals to self, e.g. SIGPIPE on write to closed pipe
+(allow signal (target self))
+
+;; allow read access to specific information about system
+;; from https://source.chromium.org/chromium/chromium/src/+/main:sandbox/policy/mac/common.sb;l=273-319;drc=7b3962fe2e5fc9e2ee58000dc8fbf3429d84d3bd
+(allow sysctl-read
+  (sysctl-name "hw.activecpu")
+  (sysctl-name "hw.busfrequency_compat")
+  (sysctl-name "hw.byteorder")
+  (sysctl-name "hw.cacheconfig")
+  (sysctl-name "hw.cachelinesize_compat")
+  (sysctl-name "hw.cpufamily")
+  (sysctl-name "hw.cpufrequency_compat")
+  (sysctl-name "hw.cputype")
+  (sysctl-name "hw.l1dcachesize_compat")
+  (sysctl-name "hw.l1icachesize_compat")
+  (sysctl-name "hw.l2cachesize_compat")
+  (sysctl-name "hw.l3cachesize_compat")
+  (sysctl-name "hw.logicalcpu_max")
+  (sysctl-name "hw.machine")
+  (sysctl-name "hw.ncpu")
+  (sysctl-name "hw.nperflevels")
+  (sysctl-name "hw.optional.arm.FEAT_BF16")
+  (sysctl-name "hw.optional.arm.FEAT_DotProd")
+  (sysctl-name "hw.optional.arm.FEAT_FCMA")
+  (sysctl-name "hw.optional.arm.FEAT_FHM")
+  (sysctl-name "hw.optional.arm.FEAT_FP16")
+  (sysctl-name "hw.optional.arm.FEAT_I8MM")
+  (sysctl-name "hw.optional.arm.FEAT_JSCVT")
+  (sysctl-name "hw.optional.arm.FEAT_LSE")
+  (sysctl-name "hw.optional.arm.FEAT_RDM")
+  (sysctl-name "hw.optional.arm.FEAT_SHA512")
+  (sysctl-name "hw.optional.armv8_2_sha512")
+  (sysctl-name "hw.packages")
+  (sysctl-name "hw.pagesize_compat")
+  (sysctl-name "hw.physicalcpu_max")
+  (sysctl-name "hw.tbfrequency_compat")
+  (sysctl-name "hw.vectorunit")
+  (sysctl-name "kern.hostname")
+  (sysctl-name "kern.maxfilesperproc")
+  (sysctl-name "kern.osproductversion")
+  (sysctl-name "kern.osrelease")
+  (sysctl-name "kern.ostype")
+  (sysctl-name "kern.osvariant_status")
+  (sysctl-name "kern.osversion")
+  (sysctl-name "kern.secure_kernel")
+  (sysctl-name "kern.usrstack64")
+  (sysctl-name "kern.version")
+  (sysctl-name "sysctl.proc_cputype")
+  (sysctl-name-prefix "hw.perflevel")
+)
+
+;; allow writes to specific paths
+(allow file-write*
+    (subpath (param "TARGET_DIR"))
+    (subpath (param "TMP_DIR"))
+    (subpath (param "CACHE_DIR"))
+    (subpath (string-append (param "HOME_DIR") "/.gemini"))
+    (subpath (string-append (param "HOME_DIR") "/.npm"))
+    (subpath (string-append (param "HOME_DIR") "/.cache"))
+    (literal (string-append (param "HOME_DIR") "/.gitconfig"))
+    ;; Allow writes to included directories from --include-directories
+    (subpath (param "INCLUDE_DIR_0"))
+    (subpath (param "INCLUDE_DIR_1"))
+    (subpath (param "INCLUDE_DIR_2"))
+    (subpath (param "INCLUDE_DIR_3"))
+    (subpath (param "INCLUDE_DIR_4"))
+    (literal "/dev/stdout")
+    (literal "/dev/stderr")
+    (literal "/dev/null")
+)
+
+;; allow communication with sysmond for process listing (e.g. for pgrep)
+(allow mach-lookup (global-name "com.apple.sysmond"))
+
+;; enable terminal access required by ink
+;; fixes setRawMode EPERM failure (at node:tty:81:24)
+(allow file-ioctl (regex #"^/dev/tty.*"))
+
+;; allow inbound network traffic on debugger port
+(allow network-inbound (local ip "localhost:9229"))
+
+;; allow outbound network traffic through proxy on localhost:8877
+;; set `GEMINI_SANDBOX_PROXY_COMMAND=<command>` to run proxy alongside sandbox
+;; proxy must listen on :::8877 (see docs/examples/proxy-script.md)
+(allow network-outbound (remote tcp "localhost:8877"))
--- a/packages/cli/src/utils/sandboxUtils.ts
+++ b/packages/cli/src/utils/sandboxUtils.ts
@@ -15,11 +15,11 @@ export const SANDBOX_NETWORK_NAME = 'gemini-cli-sandbox';
 export const SANDBOX_PROXY_NAME = 'gemini-cli-sandbox-proxy';
 export const BUILTIN_SEATBELT_PROFILES = [
  'permissive-open',
-  'permissive-closed',
  'permissive-proxied',
  'restrictive-open',
-  'restrictive-closed',
  'restrictive-proxied',
+  'strict-open',
+  'strict-proxied',
 ];

 export function getContainerPath(hostPath: string): string {