Adds rules/default/sandbox-disable.yaml with 5 rules covering all
known bypass techniques against the original 2-rule design:
Rule A (CRITICAL/deny): blocks Write/Edit to agent sandbox config files
with content that disables sandbox. Hardened against:
- Edit value-only diff: "enabled":true→false without "sandbox" in diff
(is_sandbox_disable_value_change catches "enabled"+"false" on config files)
- Numeric zero: "enabled":0 — JS falsy, not the string "false"
(is_sandbox_disable_value_zero catches "enabled"+":0"/": 0")
- settings.local.json: same schema as settings.json, not in original path list
- Gemini "none"/"disabled" string values: valid disable values, not boolean false
Rule B (WARNING/ask): requires confirmation for Claude Code per-command
dangerouslyDisableSandbox escape — the only detection layer for this event.
Rule C (CRITICAL/deny): Bash command writing sandbox-disable content to
an agent settings file — covers echo >, tee, python3 open(), etc.
Rule D (CRITICAL/deny): Codex CLI sandbox bypass flags —
--dangerously-bypass-approvals-and-sandbox, --sandbox danger-full-access
Rule E (CRITICAL/deny): GEMINI_SANDBOX env var set to a disabling value —
GEMINI_SANDBOX=none/false/disabled disables Docker isolation without any
file write, invisible to all previous rules.
Includes:
- test_sandbox_rules.sh: 15 tests for core rule behavior
- test_sandbox_bypass.sh: 30 tests proving bypasses are now caught
…ive bypass test
- Add 6 detection rules (A-F) closing 17 bypass surfaces:
B1: Edit diff missing sandbox key
B2: Numeric zero ('enabled':0)
B3: settings.local.json path variant
B4: Gemini 'none'/'disabled' string values
B5: Null value ('enabled':null)
B6: allowUnsandboxedCommands:1 numeric truthy
B7: Bash echo/tee shell redirection
B8: Python capital-F False
B9: Bash null in command string
B10: Bash enabled:0 (no 'false' keyword)
B11: Bash allowUnsandboxedCommands:1 in command
B12: sed -i targeting settings files
B13: cp pre-crafted file to settings path
B14: mv pre-crafted file to settings path
B15: Codex underscore flag variant
B16: GEMINI_SANDBOX=0
B17: dangerouslyDisableSandbox:false false-positive fix
- Add test_sandbox_bypass.sh covering all 17 sections (~45 test cases)
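As an added illustration, not the project's own rules, rule engine or test scripts: a stand-alone Python re-implementation of the deny/ask/allow decisions described in this commit message and in the earlier one (rules A-E, bypass surfaces B1-B17), run over constructed tool calls. The path set, regular expressions, parameter names (file_path, content, new_string, command, dangerouslyDisableSandbox) and function names are assumptions of this example; the project's YAML rule schema is not shown on this page and is not reproduced here. It goes slightly beyond the list above in also tolerating backslash-escaped quotes, which shell-quoted JSON inside a Bash command produces.

```python
from __future__ import annotations
import re

# Added example, not the project's rule engine or YAML: a stand-alone Python
# re-implementation of the deny/ask/allow decisions the commit messages describe
# (rules A-E, bypass surfaces B1-B17). All names here are hypothetical.

# Rule A/C target paths (B3 adds settings.local.json). The path must be preceded
# by start, '/', whitespace or a quote and followed by end, whitespace, a quote
# or ')' so that a bare mention inside another word does not count.
SETTINGS_PATH_RE = re.compile(
    r"""(?:^|[/\s'"])\.(?:claude/settings(?:\.local)?\.json|codex/config\.toml|gemini/settings\.json)(?=$|[\s'")])"""
)
_Q = r"""(?:\\?["'])?"""  # optional quote, possibly backslash-escaped (shell-quoted JSON)
# Values that turn a sandbox off in JSON, TOML or Python literals:
# false/False (B8), 0 (B2/B10), null/None (B5/B9), "none"/"disabled" (B4).
_OFF = rf"{_Q}(?:false|False|0|null|None|none|disabled){_Q}"
# Values that turn allowUnsandboxedCommands on, including numeric 1 (B6/B11).
_ON = rf"{_Q}(?:true|True|1){_Q}"


def _kv(keys: tuple[str, ...], value_alt: str) -> re.Pattern[str]:
    """Match `key: value` or `key = value` with optionally quoted key and value.
    The lookbehind stops is_enabled matching enabled; the lookahead stops 0
    matching inside 01 or 0.5."""
    keys_alt = "|".join(map(re.escape, keys))
    return re.compile(rf"(?<!\w){_Q}(?:{keys_alt}){_Q}\s*[:=]\s*{value_alt}(?![\w.-])")


SANDBOX_OFF_RE = _kv(("enabled", "toolSandboxing", "sandbox"), _OFF)
UNSANDBOXED_ON_RE = _kv(("allowUnsandboxedCommands",), _ON)
# Rule D: Codex CLI bypass flags, hyphen or underscore spelling (B15).
CODEX_FLAG_RE = re.compile(r"--dangerously[-_]bypass[-_]approvals[-_]and[-_]sandbox\b|--sandbox[=\s]+danger-full-access\b")
# Rule E: GEMINI_SANDBOX set to a disabling value, 0 included (B16).
GEMINI_ENV_RE = re.compile(rf"\bGEMINI_SANDBOX={_Q}(?:none|false|disabled|0){_Q}(?![\w.-])")
# Rule C: file operations that replace a settings file without showing its content (B12-B14).
FILE_OP_RE = re.compile(r"\b(?:sed\s+-i|cp|mv)\b")


def disables_sandbox(text: str) -> bool:
    """Rule A content check: does text carry a sandbox-disabling setting?"""
    return bool(SANDBOX_OFF_RE.search(text) or UNSANDBOXED_ON_RE.search(text)
                or "danger-full-access" in text)


def evaluate(tool: str, params: dict) -> tuple[str, str]:
    """Return (verdict, rule) for one agent tool call; verdict is deny, ask or allow."""
    if tool in ("Write", "Edit"):
        path = params.get("file_path", "")
        # For Edit only the replacement text is inspected, so a value-only diff
        # such as "enabled": true -> false is still caught (B1).
        content = params.get("content", "") if tool == "Write" else params.get("new_string", "")
        if SETTINGS_PATH_RE.search(path) and disables_sandbox(content):
            return "deny", "A"
        return "allow", ""
    if tool == "Bash":
        cmd = params.get("command", "")
        if GEMINI_ENV_RE.search(cmd):
            return "deny", "E"
        if CODEX_FLAG_RE.search(cmd):
            return "deny", "D"
        # echo/tee/python writes carry the content; sed -i/cp/mv do not, so any
        # of those touching a settings path is denied outright (B7-B14).
        if SETTINGS_PATH_RE.search(cmd) and (disables_sandbox(cmd) or FILE_OP_RE.search(cmd)):
            return "deny", "C"
        # Rule B: the per-command escape is a tool parameter, not a file write or
        # syscall. Only boolean true asks; false must not trip it (B17).
        if params.get("dangerouslyDisableSandbox") is True:
            return "ask", "B"
    return "allow", ""


# Constructed sample tool calls (not from the project's tests) with the expected verdict.
SAMPLES = [
    ("Write", {"file_path": "/home/u/.claude/settings.json", "content": '{"sandbox": {"enabled": false}}'}, "deny"),
    ("Edit", {"file_path": "/home/u/.claude/settings.json", "old_string": '"enabled": true', "new_string": '"enabled": false'}, "deny"),
    ("Write", {"file_path": "/home/u/.claude/settings.local.json", "content": '{"sandbox": {"enabled": 0}}'}, "deny"),
    ("Write", {"file_path": "/home/u/.gemini/settings.json", "content": '{"sandbox": "none"}'}, "deny"),
    ("Write", {"file_path": "/home/u/.claude/settings.json", "content": '{"sandbox": {"enabled": null}}'}, "deny"),
    ("Write", {"file_path": "/home/u/.claude/settings.json", "content": '{"sandbox": {"allowUnsandboxedCommands": 1}}'}, "deny"),
    ("Write", {"file_path": "/home/u/.codex/config.toml", "content": 'sandbox_mode = "danger-full-access"'}, "deny"),
    ("Write", {"file_path": "/home/u/.claude/settings.json", "content": '{"sandbox": {"enabled": true}}'}, "allow"),
    ("Write", {"file_path": "/home/u/project/README.md", "content": "enabled: false"}, "allow"),
    ("Bash", {"command": """echo '{"sandbox":{"enabled":false}}' > ~/.claude/settings.json"""}, "deny"),
    ("Bash", {"command": 'echo "{\\"sandbox\\":{\\"enabled\\":false}}" | tee ~/.claude/settings.json'}, "deny"),
    ("Bash", {"command": "python3 -c 'import json; json.dump({\"sandbox\": {\"enabled\": False}}, open(\"/home/u/.claude/settings.json\", \"w\"))'"}, "deny"),
    ("Bash", {"command": "sed -i 's/\"enabled\": true/\"enabled\": false/' ~/.claude/settings.json"}, "deny"),
    ("Bash", {"command": "cp /tmp/settings.json ~/.gemini/settings.json"}, "deny"),
    ("Bash", {"command": "mv /tmp/config.toml ~/.codex/config.toml"}, "deny"),
    ("Bash", {"command": "codex --dangerously_bypass_approvals_and_sandbox exec 'ls'"}, "deny"),
    ("Bash", {"command": "codex --sandbox danger-full-access"}, "deny"),
    ("Bash", {"command": "GEMINI_SANDBOX=0 gemini -p 'hello'"}, "deny"),
    ("Bash", {"command": "export GEMINI_SANDBOX=none"}, "deny"),
    ("Bash", {"command": "cat ~/.claude/settings.json"}, "allow"),
    ("Bash", {"command": "GEMINI_SANDBOX=docker gemini -p 'hello'"}, "allow"),
    ("Bash", {"command": "ls -la", "dangerouslyDisableSandbox": True}, "ask"),
    ("Bash", {"command": "ls -la", "dangerouslyDisableSandbox": False}, "allow"),
]


def check_samples() -> list[tuple[str, str, str]]:
    """Return (tool, got, want) for every sample so mismatches are easy to spot."""
    return [(tool, evaluate(tool, params)[0], want) for tool, params, want in SAMPLES]


if __name__ == "__main__":
    for tool, got, want in check_samples():
        print(f"{'OK ' if got == want else 'BAD'} {tool:5} got={got:5} want={want}")
```

The order of checks inside the Bash branch matters: the deny rules run before the ask rule so that a command combining a bypass flag with the per-command escape is denied rather than merely confirmed, and a read-only mention of a settings path (cat) falls through to allow because neither the content check nor the file-operation check fires.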
Summary
rules/user/sandbox-disable.yaml with two rules targeting prompt injection attacks that direct agents to remove their own OS-level sandbox isolation.
- .claude/settings.json, .codex/config.toml, or .gemini/settings.json when content disables sandbox (sandbox.enabled: false, danger-full-access, toolSandboxing: false, allowUnsandboxedCommands: true)
- dangerouslyDisableSandbox — this is the only detection layer for this event since it is a tool call parameter invisible to Falco at the syscall level
Test plan
- bash tests/test_sandbox_rules.sh — 15 test cases covering deny, ask, and allow paths for all three agents (Claude Code, Codex, Gemini CLI)