fix: require trusted approval for sandbox override (#778)
@@ -179,9 +179,6 @@ function getSimpleSandboxSection(): string {
|
||||
const networkRestrictionConfig = SandboxManager.getNetworkRestrictionConfig()
|
||||
const allowUnixSockets = SandboxManager.getAllowUnixSockets()
|
||||
const ignoreViolations = SandboxManager.getIgnoreViolations()
|
||||
const allowUnsandboxedCommands =
|
||||
SandboxManager.areUnsandboxedCommandsAllowed()
|
||||
|
||||
// Replace the per-UID temp dir literal (e.g. /private/tmp/claude-1001/) with
|
||||
// "$TMPDIR" so the prompt is identical across users — avoids busting the
|
||||
// cross-user global prompt cache. The sandbox already sets $TMPDIR at runtime.
|
||||
@@ -225,38 +222,9 @@ function getSimpleSandboxSection(): string {
|
||||
)
|
||||
}
|
||||
|
||||
const sandboxOverrideItems: Array<string | string[]> =
|
||||
allowUnsandboxedCommands
|
||||
? [
|
||||
'You should always default to running commands within the sandbox. Do NOT attempt to set `dangerouslyDisableSandbox: true` unless:',
|
||||
[
|
||||
'The user *explicitly* asks you to bypass sandbox',
|
||||
'A specific command just failed and you see evidence of sandbox restrictions causing the failure. Note that commands can fail for many reasons unrelated to the sandbox (missing files, wrong arguments, network issues, etc.).',
|
||||
],
|
||||
'Evidence of sandbox-caused failures includes:',
|
||||
[
|
||||
'"Operation not permitted" errors for file/network operations',
|
||||
'Access denied to specific paths outside allowed directories',
|
||||
'Network connection failures to non-whitelisted hosts',
|
||||
'Unix socket connection errors',
|
||||
],
|
||||
'When you see evidence of sandbox-caused failure:',
|
||||
[
|
||||
"Immediately retry with `dangerouslyDisableSandbox: true` (don't ask, just do it)",
|
||||
'Briefly explain what sandbox restriction likely caused the failure. Be sure to mention that the user can use the `/sandbox` command to manage restrictions.',
|
||||
'This will prompt the user for permission',
|
||||
],
|
||||
'Treat each command you execute with `dangerouslyDisableSandbox: true` individually. Even if you have recently run a command with this setting, you should default to running future commands within the sandbox.',
|
||||
'Do not suggest adding sensitive paths like ~/.bashrc, ~/.zshrc, ~/.ssh/*, or credential files to the sandbox allowlist.',
|
||||
]
|
||||
: [
|
||||
'All commands MUST run in sandbox mode - the `dangerouslyDisableSandbox` parameter is disabled by policy.',
|
||||
'Commands cannot run outside the sandbox under any circumstances.',
|
||||
'If a command fails due to sandbox restrictions, work with the user to adjust sandbox settings instead.',
|
||||
]
|
||||
|
||||
const items: Array<string | string[]> = [
|
||||
...sandboxOverrideItems,
|
||||
'Commands MUST run in sandbox mode. If a command fails due to sandbox restrictions, explain the likely restriction and work with the user to adjust sandbox settings or run an explicit user-initiated shell command.',
|
||||
'Do not suggest adding sensitive paths like ~/.bashrc, ~/.zshrc, ~/.ssh/*, or credential files to the sandbox allowlist.',
|
||||
'For temporary files, always use the `$TMPDIR` environment variable. TMPDIR is automatically set to the correct sandbox-writable directory in sandbox mode. Do NOT use `/tmp` directly - use `$TMPDIR` instead.',
|
||||
]
|
||||
|
||||
|
||||
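Review bot: The replacement entry in `items` ('Commands MUST run in sandbox mode. …') is model guidance only, and with every mention of `dangerouslyDisableSandbox` gone from the prompt, nothing in this section shows a model-supplied `dangerouslyDisableSandbox: true` being rejected or routed to a trusted approval. If the command tool still accepts that parameter, the approval named in the commit title has to be enforced where the command is executed, which is outside this view; a test that a model-originated override is refused without that approval would pin it. Dropping the `areUnsandboxedCommandsAllowed()` read also means the prompt no longer distinguishes the disabled-by-policy case, which looks intentional but is worth stating. I would add a comment above `items`, for example `// Advisory text only: the sandbox-override approval is enforced in the tool's permission check, not by this prompt.` `getSimpleSandboxSection` begins and ends outside both hunks.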