Diffstat (limited to 'packages/cli/src/utils/sandbox-macos-permissive-proxied.sb')
-rw-r--r--packages/cli/src/utils/sandbox-macos-permissive-proxied.sb31
1 files changed, 31 insertions, 0 deletions
diff --git a/packages/cli/src/utils/sandbox-macos-permissive-proxied.sb b/packages/cli/src/utils/sandbox-macos-permissive-proxied.sb
new file mode 100644
index 00000000..861e503d
--- /dev/null
+++ b/packages/cli/src/utils/sandbox-macos-permissive-proxied.sb
@@ -0,0 +1,31 @@
+(version 1)
+
+;; allow everything by default
+(allow default)
+
+;; deny all writes EXCEPT under specific paths
+(deny file-write*)
+(allow file-write*
+ (subpath (param "TARGET_DIR"))
+ (subpath (param "TMP_DIR"))
+ (subpath (param "CACHE_DIR"))
+ (subpath (string-append (param "HOME_DIR") "/.gemini"))
+ (subpath (string-append (param "HOME_DIR") "/.npm"))
+ (subpath (string-append (param "HOME_DIR") "/.cache"))
+ (subpath (string-append (param "HOME_DIR") "/.gitconfig"))
+ (literal "/dev/stdout")
+ (literal "/dev/stderr")
+ (literal "/dev/null")
+)
+
+;; deny all inbound network traffic EXCEPT on debugger port
+(deny network-inbound)
+(allow network-inbound (local ip "localhost:9229"))
+
+;; deny all outbound network traffic EXCEPT through proxy on localhost:8877
+;; set `GEMINI_SANDBOX_PROXY_COMMAND=<command>` to run proxy alongside sandbox
+;; proxy must listen on 0.0.0.0:8877 (see scripts/example-proxy.js)
+(deny network-outbound)
+(allow network-outbound (remote tcp "localhost:8877"))
+
+(allow network-bind (local ip "*:*"))
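Review bot: The `~/.gitconfig` entry in the file-write allow list uses `subpath`, which is the directory-tree filter, while `~/.gitconfig` is a single file; the other per-file entries in the same rule (`/dev/stdout`, `/dev/stderr`, `/dev/null`) use `literal`, so `(literal (string-append (param "HOME_DIR") "/.gitconfig"))` would match the intent and the profile's own style. Beyond the filter choice, this is the one writable path in the list that is a configuration file consulted by a tool running on the host, so it is worth a comment stating why sandboxed writes to it are needed rather than leaving it to read as just another cache directory. Separately, the comment above the outbound rule says the proxy must listen on `0.0.0.0:8877`, but the rule only permits `(remote tcp "localhost:8877")`; if the proxy is expected to run on the same host, a loopback listener is sufficient for this profile and the comment could say so to avoid a wider-than-needed listener.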