fix(core): allow explicit write permissions to override governance file protections in sandboxes#25338
Summary of Changes
Hello, I'm Gemini Code Assist! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!
This pull request addresses an issue where strict read-only protections for sensitive governance files and git worktrees were unconditionally overriding user-defined write permissions in sandboxed environments. By adjusting the argument generation logic for both Linux (bwrap) and macOS (Seatbelt), the system now correctly respects explicit write policies. Additionally, a minor improvement was made to the PolicyEngine to ensure that YOLO mode correctly maintains its intended behavior when encountering commands flagged as dangerous.
Highlights
Code Review
This pull request modifies the policy engine and sandbox builders to allow explicit write permissions to override default protections for sensitive directories (like .git) and ensures YOLO mode preserves ALLOW decisions for dangerous commands. Critical security feedback highlights that allowing policyWrite to override governance and worktree protections creates a sandbox bypass risk, potentially leading to remote code execution via git hooks. Furthermore, the macOS Seatbelt implementation requires improvements for consistent symbolic link resolution and more robust path matching logic.
Size Change: +3.55 kB (+0.01%) Total Size: 33.6 MB
Can you add unit tests as well as coverage in |
…nance files
Refactored bubblewrap argument generation in LinuxSandboxManager to improve reliability and security. Specifically:
- Added automatic write access to .git when running git commands in a writable workspace.
- Allowed implicit write access to .gitignore and .geminiignore when the workspace is writable.
- Improved mount ordering by destination path length to prevent hierarchical masking issues.
- Added integration tests to verify write access for governance and git files.
Refactored `LinuxSandboxManager` to use `shell-utils` for more reliable command root identification, ensuring `.git` write permissions are correctly applied even for complex shell-wrapped commands. Updated integration tests to verify this behavior.
…nance files
Refactored macOS sandbox to improve write access management for git and governance files, aligning with the Linux implementation. Specifically:
- Implemented automatic .git write permission in MacOsSandboxManager when git commands are detected in a writable workspace.
- Updated seatbeltArgsBuilder to implicitly allow write access to .gitignore and .geminiignore when the workspace is writable.
- Utilized shell-utils for robust git command detection.
…h escaping
- Implemented automatic .git write access in WindowsSandboxManager for git commands in writable workspaces.
- Fixed backslash escaping issues in sandbox integration tests on Windows by using double quotes for paths in sh -c commands.
- Updated Windows command detection to use shell-utils for consistency with Linux and macOS.
Summary
This PR fixes an issue where strict read-only protections for governance files (like `.git` directories) overrode explicit write permissions. By updating the sandbox arguments builder for both macOS (Seatbelt) and Linux (bwrap), explicit write allowances now correctly take precedence, allowing users to modify these protected paths when intentionally configured.
Details
Previously, git worktree read-only rules or other governance file denials were being enforced unconditionally, conflicting with any explicit `policyWrite` bindings set by the user or system configuration.
- `--bind-try` for explicit write paths so they occur after the `--ro-bind-try` configurations for governance files and git worktrees. This allows bwrap to prioritize the later explicit write rules.
- `(deny file-write* ...)` rules for governance files and git worktrees. If the path or a parent path is explicitly present in `resolvedPaths.policyWrite`, the deny rule is skipped for that path.
Related Issues
How to Validate
- `npm run test -w @google/gemini-cli-core -- src/sandbox/linux/bwrapArgsBuilder.test.ts`
- `.git` worktree file without explicit write permissions (should be denied).
- `.git` directory (should succeed).
Pre-Merge Checklist
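
The override rule from the Details section above, as an added example that is not code from this PR or from gemini-cli: explicit write binds are emitted after the read-only binds for bwrap, and a Seatbelt deny rule is skipped only when the path or one of its parents is in `policyWrite`. Matching is done per path segment, so a grant on `.git` does not also lift the protection on `.gitignore`. Function names, sample paths and the `subpath` filter are assumptions, and paths are assumed absolute and already symlink-resolved.

```typescript
// Added example with hypothetical names; not the gemini-cli implementation.
// Assumes absolute POSIX paths that were already symlink-resolved.

/** True when `target` equals `root` or lies beneath it, compared per segment. */
function isSameOrUnder(target: string, root: string): boolean {
  const t = target.split("/").filter(Boolean);
  const r = root.split("/").filter(Boolean);
  return r.length <= t.length && r.every((seg, i) => seg === t[i]);
}

/** A protection is lifted only if the path or one of its parents is in policyWrite. */
function isExplicitlyWritable(protectedPath: string, policyWrite: string[]): boolean {
  return policyWrite.some((w) => isSameOrUnder(protectedPath, w));
}

/**
 * bwrap applies mounts in argument order, so read-only protections are emitted
 * first and explicit write binds last. Within each group, shorter destinations
 * come first so a parent mount cannot mask a child that was mounted earlier.
 */
function buildBwrapMounts(protectedPaths: string[], policyWrite: string[]): string[] {
  const byLength = (a: string, b: string) => a.length - b.length;
  const args: string[] = [];
  for (const p of protectedPaths.slice().sort(byLength)) args.push("--ro-bind-try", p, p);
  for (const p of policyWrite.slice().sort(byLength)) args.push("--bind-try", p, p);
  return args;
}

/** Seatbelt: emit a deny rule only for protections that were not overridden. */
function buildSeatbeltDenies(protectedPaths: string[], policyWrite: string[]): string[] {
  return protectedPaths
    .filter((p) => !isExplicitlyWritable(p, policyWrite))
    .map((p) => `(deny file-write* (subpath ${JSON.stringify(p)}))`); // filter choice assumed
}

// Constructed sample input: only .git is explicitly writable.
const sampleProtected = ["/work/repo/.git", "/work/repo/.gitignore"];
console.log(buildBwrapMounts(sampleProtected, ["/work/repo/.git"]).join(" "));
console.log(buildSeatbeltDenies(sampleProtected, ["/work/repo/.git"]));
```

A plain string-prefix comparison would treat `/work/repo/.gitignore` as lying under `/work/repo/.git` and drop its deny rule as well; the per-segment comparison keeps the two apart.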