refactor(cli): align macOS permissive Seatbelt profiles with deny-default model#28424
Conversation
|
📊 PR Size: size/L
|
…ault model Update the permissive-open and permissive-proxied macOS Seatbelt profiles to use (deny default) with an explicit allow-list, consistent with the existing restrictive-* and strict-* profiles. The allow-list re-enables the operations the CLI needs: broad file reads, process exec/fork, the confined file-write allow-list (project/tmp/cache and PTY device nodes), the sysctl/mach service lookups used by DNS/TLS/directory-services/pty/process-listing, and network (outbound for -open, proxy-only for -proxied, plus local bind and the debugger inbound port). Add a unit test that pins the deny-default posture of both profiles, and update the docs. The default profile selector is unchanged and normal developer workflows are unaffected.
f9801e0 to
4283681
Compare
|
/gemini review |
There was a problem hiding this comment.
Code Review
This pull request refactors the macOS Seatbelt sandboxing profiles (permissive-open and permissive-proxied) to use a secure (deny default) foundation instead of (allow default). It explicitly defines the required allow-lists for file reads, process execution, system information access, Mach service lookups, and network operations. Additionally, documentation is updated to reflect these security improvements, and a new test suite is introduced to assert the invariants of these sandbox profiles. I have no feedback to provide as there are no review comments.
Summary of ChangesHello, I'm Gemini Code Assist1! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed! This pull request refactors the macOS Seatbelt sandbox profiles to adopt a more secure 'deny-default' approach. By explicitly defining allowed operations instead of defaulting to 'allow', the profiles provide better isolation while ensuring that essential developer tasks, such as file access, process execution, and network communication, remain functional. The changes include comprehensive updates to the sandbox configuration files and the addition of automated tests to ensure the security posture is maintained. Highlights
Using Gemini Code AssistThe full guide for Gemini Code Assist can be found on our documentation page, here are some quick tips. Invoking Gemini You can request assistance from Gemini at any point by creating a comment using either
Customization To customize the Gemini Code Assist for GitHub experience, repository maintainers can create a configuration file and/or provide a custom code review style guide (such as PEP-8 for Python) by creating and adding files to a Limitations & Feedback Gemini Code Assist may make mistakes. Please leave feedback on any instances where its feedback is incorrect or counterproductive. You can react with 👍 and 👎 on @gemini-code-assist comments. If you're interested in giving your feedback about your experience with Gemini Code Assist for GitHub and other Google products, sign up here. Footnotes
|
There was a problem hiding this comment.
Code Review
This pull request refactors the macOS Seatbelt sandbox profiles (permissive-open and permissive-proxied) to use a secure deny default foundation instead of allow default, explicitly defining minimal allow-lists for required operations. It also updates the corresponding documentation and introduces a new test suite to verify these sandbox invariants. I have no feedback to provide as there are no review comments.
Summary
Update the macOS Seatbelt profiles
permissive-openandpermissive-proxiedtouse
(deny default)with an explicit allow-list, consistent with the existingrestrictive-*andstrict-*profiles. This makes the permissive profilesdeny-by-default while preserving normal developer workflows.
Details
(deny default)and explicitly allowthe operations the CLI needs: broad
file-read*,process-exec/process-fork,signal (target self), thesysctl-readlist, the confinedfile-write*allow-list (project/tmp/cache,
~/.gemini|.npm|.cache,--include-directories,and the
/devPTY nodes incl./dev/ptmxand the/dev/ttysregex),file-ioctlfor/dev/tty*, and the mach service lookups DNS/TLS/directoryservices/PTY/process-listing depend on (sourced from
packages/core/src/sandbox/macos/baseProfile.ts).network-bindplus inbound/outbound forpermissive-open, and proxy-only outbound (localhost:8877) with the debuggerinbound port for
permissive-proxied.packages/cli/src/utils/sandbox-macos-profiles.test.ts, which pins thedeny-default posture of both profiles so it cannot silently regress.
docs/cli/sandbox.md,docs/reference/configuration.md,CONTRIBUTING.md).sandbox.tsis unchanged (permissive-openremains the default). No behavioral change for normal developer workflows.
Related Issues
How to Validate
Steps to confirm the change is in place and that normal workflows are unaffected:
grep -nE "deny default|allow default" \ packages/cli/src/utils/sandbox-macos-permissive-open.sb \ packages/cli/src/utils/sandbox-macos-permissive-proxied.sb(deny default)and no(allow default).npm test -w @google/gemini-cli -- src/utils/sandbox-macos-profiles.test.tsstill work:
read-ok,write-in-project-ok,write-outside-project-denied.gemini -s # then run: npm install, git fetch over https, and a local dev servernpm run preflight.permissive-openandpermissive-proxied(SEATBELT_PROFILE=permissive-proxied).Pre-Merge Checklist