Skip to content

refactor(cli): align macOS permissive Seatbelt profiles with deny-default model#28424

Open
ompatel-aiml wants to merge 1 commit into
google-gemini:mainfrom
ompatel-aiml:standup/2026-07-16-fix-macos-sandbox-deny-default
Open

refactor(cli): align macOS permissive Seatbelt profiles with deny-default model#28424
ompatel-aiml wants to merge 1 commit into
google-gemini:mainfrom
ompatel-aiml:standup/2026-07-16-fix-macos-sandbox-deny-default

Conversation

@ompatel-aiml

@ompatel-aiml ompatel-aiml commented Jul 16, 2026

Copy link
Copy Markdown
Contributor

Summary

Update the macOS Seatbelt profiles permissive-open and permissive-proxied to
use (deny default) with an explicit allow-list, consistent with the existing
restrictive-* and strict-* profiles. This makes the permissive profiles
deny-by-default while preserving normal developer workflows.

Details

  • Both permissive profiles now begin with (deny default) and explicitly allow
    the operations the CLI needs: broad file-read*, process-exec/process-fork,
    signal (target self), the sysctl-read list, the confined file-write*
    allow-list (project/tmp/cache, ~/.gemini|.npm|.cache, --include-directories,
    and the /dev PTY nodes incl. /dev/ptmx and the /dev/ttys regex),
    file-ioctl for /dev/tty*, and the mach service lookups DNS/TLS/directory
    services/PTY/process-listing depend on (sourced from
    packages/core/src/sandbox/macos/baseProfile.ts).
  • Network posture is preserved: local network-bind plus inbound/outbound for
    permissive-open, and proxy-only outbound (localhost:8877) with the debugger
    inbound port for permissive-proxied.
  • Adds packages/cli/src/utils/sandbox-macos-profiles.test.ts, which pins the
    deny-default posture of both profiles so it cannot silently regress.
  • Docs updated (docs/cli/sandbox.md, docs/reference/configuration.md,
    CONTRIBUTING.md).
  • The default profile selector in sandbox.ts is unchanged (permissive-open
    remains the default). No behavioral change for normal developer workflows.

Related Issues

How to Validate

Steps to confirm the change is in place and that normal workflows are unaffected:

  1. Confirm the deny-default posture of both profiles:
    grep -nE "deny default|allow default" \
      packages/cli/src/utils/sandbox-macos-permissive-open.sb \
      packages/cli/src/utils/sandbox-macos-permissive-proxied.sb
    Expected: each file contains (deny default) and no (allow default).
  2. Run the profile unit test (pins the posture):
    npm test -w @google/gemini-cli -- src/utils/sandbox-macos-profiles.test.ts
    Expected: passes.
  3. Load a profile and confirm writes stay confined to the project dir while reads
    still work:
    D=(-D TARGET_DIR="$PWD" -D TMP_DIR="$PWD" -D CACHE_DIR="$PWD" -D HOME_DIR="$HOME" \
       -D INCLUDE_DIR_0="$PWD" -D INCLUDE_DIR_1="$PWD" -D INCLUDE_DIR_2="$PWD" \
       -D INCLUDE_DIR_3="$PWD" -D INCLUDE_DIR_4="$PWD")
    sandbox-exec -f packages/cli/src/utils/sandbox-macos-permissive-open.sb "${D[@]}" \
      /bin/bash -c 'cat /etc/hosts >/dev/null && echo read-ok; \
        touch "$PWD/ok.txt" && echo write-in-project-ok; \
        touch "$HOME/x" 2>/dev/null && echo UNEXPECTED || echo write-outside-project-denied'
    Expected: read-ok, write-in-project-ok, write-outside-project-denied.
  4. Smoke-test a normal sandboxed session and confirm no regressions:
    gemini -s   # then run: npm install, git fetch over https, and a local dev server
    Expected: DNS/TLS, package install, git, and local port binding all work.
  5. Full validation gate: npm run preflight.
  6. Repeat steps 3–5 on Intel and Apple Silicon, for both permissive-open and
    permissive-proxied (SEATBELT_PROFILE=permissive-proxied).

Pre-Merge Checklist

  • Updated relevant documentation and README (if needed)
  • Added/updated tests (if needed)
  • Noted breaking changes (if any)
  • Validated on required platforms/methods:
    • MacOS
      • npm run
      • npx
      • Docker
      • Podman
      • Seatbelt
    • Windows
      • npm run
      • npx
      • Docker
    • Linux
      • npm run
      • npx
      • Docker

@github-actions github-actions Bot added the size/l A large sized PR label Jul 16, 2026
@github-actions

github-actions Bot commented Jul 16, 2026

Copy link
Copy Markdown

📊 PR Size: size/L

  • Lines changed: 334
  • Additions: +312
  • Deletions: -22
  • Files changed: 6

@gemini-cli gemini-cli Bot added the priority/p1 Important and should be addressed in the near term. label Jul 16, 2026
…ault model

Update the permissive-open and permissive-proxied macOS Seatbelt profiles to use (deny default) with an explicit allow-list, consistent with the existing restrictive-* and strict-* profiles. The allow-list re-enables the operations the CLI needs: broad file reads, process exec/fork, the confined file-write allow-list (project/tmp/cache and PTY device nodes), the sysctl/mach service lookups used by DNS/TLS/directory-services/pty/process-listing, and network (outbound for -open, proxy-only for -proxied, plus local bind and the debugger inbound port). Add a unit test that pins the deny-default posture of both profiles, and update the docs. The default profile selector is unchanged and normal developer workflows are unaffected.
@ompatel-aiml ompatel-aiml force-pushed the standup/2026-07-16-fix-macos-sandbox-deny-default branch from f9801e0 to 4283681 Compare July 16, 2026 20:35
@ompatel-aiml ompatel-aiml changed the title Fix macOS Seatbelt sandbox escape: permissive profiles use (allow default) refactor(cli): align macOS permissive Seatbelt profiles with deny-default model Jul 16, 2026
@ompatel-aiml

Copy link
Copy Markdown
Contributor Author

/gemini review

@gemini-code-assist gemini-code-assist Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Code Review

This pull request refactors the macOS Seatbelt sandboxing profiles (permissive-open and permissive-proxied) to use a secure (deny default) foundation instead of (allow default). It explicitly defines the required allow-lists for file reads, process execution, system information access, Mach service lookups, and network operations. Additionally, documentation is updated to reflect these security improvements, and a new test suite is introduced to assert the invariants of these sandbox profiles. I have no feedback to provide as there are no review comments.

@ompatel-aiml ompatel-aiml marked this pull request as ready for review July 16, 2026 21:02
@ompatel-aiml ompatel-aiml requested review from a team as code owners July 16, 2026 21:02
@ompatel-aiml ompatel-aiml enabled auto-merge July 16, 2026 21:03
@gemini-code-assist

Copy link
Copy Markdown
Contributor

Summary of Changes

Hello, I'm Gemini Code Assist1! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request refactors the macOS Seatbelt sandbox profiles to adopt a more secure 'deny-default' approach. By explicitly defining allowed operations instead of defaulting to 'allow', the profiles provide better isolation while ensuring that essential developer tasks, such as file access, process execution, and network communication, remain functional. The changes include comprehensive updates to the sandbox configuration files and the addition of automated tests to ensure the security posture is maintained.

Highlights

  • Security Hardening: Updated macOS Seatbelt profiles 'permissive-open' and 'permissive-proxied' to use a 'deny-default' model with an explicit allow-list, improving security posture while maintaining developer workflows.
  • Regression Testing: Added a new test file 'packages/cli/src/utils/sandbox-macos-profiles.test.ts' to pin the 'deny-default' configuration and prevent future regressions.
  • Documentation Updates: Updated documentation in 'CONTRIBUTING.md', 'docs/cli/sandbox.md', and 'docs/reference/configuration.md' to reflect the new security model for permissive profiles.
Using Gemini Code Assist

The full guide for Gemini Code Assist can be found on our documentation page, here are some quick tips.

Invoking Gemini

You can request assistance from Gemini at any point by creating a comment using either /gemini <command> or @gemini-code-assist <command>. Below is a summary of the supported commands on the current page.

Feature Command Description
Code Review /gemini review Performs a code review for the current pull request in its current state.
Pull Request Summary /gemini summary Provides a summary of the current pull request in its current state.
Comment @gemini-code-assist Responds in comments when explicitly tagged, both in pull request comments and review comments.
Help /gemini help Displays a list of available commands.

Customization

To customize the Gemini Code Assist for GitHub experience, repository maintainers can create a configuration file and/or provide a custom code review style guide (such as PEP-8 for Python) by creating and adding files to a .gemini/ folder in the base of the repository. Detailed instructions can be found here.

Limitations & Feedback

Gemini Code Assist may make mistakes. Please leave feedback on any instances where its feedback is incorrect or counterproductive. You can react with 👍 and 👎 on @gemini-code-assist comments. If you're interested in giving your feedback about your experience with Gemini Code Assist for GitHub and other Google products, sign up here.

Footnotes

  1. Review the Privacy Notices, Generative AI Prohibited Use Policy, Terms of Service, and learn how to configure Gemini Code Assist in GitHub here. Gemini can make mistakes, so double check it and use code with caution.

@gemini-code-assist gemini-code-assist Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Code Review

This pull request refactors the macOS Seatbelt sandbox profiles (permissive-open and permissive-proxied) to use a secure deny default foundation instead of allow default, explicitly defining minimal allow-lists for required operations. It also updates the corresponding documentation and introduces a new test suite to verify these sandbox invariants. I have no feedback to provide as there are no review comments.

@DavidAPierce DavidAPierce left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@ompatel-aiml ompatel-aiml added this pull request to the merge queue Jul 16, 2026
@github-merge-queue github-merge-queue Bot removed this pull request from the merge queue due to failed status checks Jul 16, 2026
@ompatel-aiml ompatel-aiml added this pull request to the merge queue Jul 16, 2026
@ompatel-aiml ompatel-aiml removed this pull request from the merge queue due to a manual request Jul 16, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

priority/p1 Important and should be addressed in the near term. size/l A large sized PR

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants