qwen-code/packages/cli/src/utils/sandbox-macos-permissive-proxied.sb

(version 1)

;; allow everything by default
(allow default)

;; deny all writes EXCEPT under specific paths
(deny file-write*)
(allow file-write*
    (subpath (param "TARGET_DIR"))
    (subpath (param "TMP_DIR"))
    (subpath (param "CACHE_DIR"))
    (subpath (string-append (param "HOME_DIR") "/.gemini"))
    (subpath (string-append (param "HOME_DIR") "/.npm"))
    (subpath (string-append (param "HOME_DIR") "/.cache"))
    (subpath (string-append (param "HOME_DIR") "/.gitconfig"))
    (literal "/dev/stdout")
    (literal "/dev/stderr")
    (literal "/dev/null")
)

;; deny all inbound network traffic EXCEPT on debugger port
(deny network-inbound)
(allow network-inbound (local ip "localhost:9229"))

;; deny all outbound network traffic EXCEPT through proxy on localhost:8877
;; set `GEMINI_SANDBOX_PROXY_COMMAND=<command>` to run proxy alongside sandbox
;; proxy must listen on :::8877 (see scripts/example-proxy.js)
(deny network-outbound)
(allow network-outbound (remote tcp "localhost:8877"))

(allow network-bind (local ip "*:*"))
use seatbelt on macos, with two profiles: minimal (default) which only restricts writes, and strict, which is deny-by-default and only allows specific operations (#283) 2025-05-07 20:03:29 -07:00			`(version 1)`

			`;; allow everything by default`
			`(allow default)`

adjust seatbelt to allow write into specific dirs under user home (#289) 2025-05-08 11:28:45 -07:00			`;; deny all writes EXCEPT under specific paths`
use seatbelt on macos, with two profiles: minimal (default) which only restricts writes, and strict, which is deny-by-default and only allows specific operations (#283) 2025-05-07 20:03:29 -07:00			`(deny file-write*)`
			`(allow file-write*`
			`(subpath (param "TARGET_DIR"))`
			`(subpath (param "TMP_DIR"))`
allow writing to user cache directory on macos (fixes use of lyria mcp server [to generate songs] under seatbelt) (#600) 2025-05-29 15:06:09 -07:00			`(subpath (param "CACHE_DIR"))`
adjust seatbelt to allow write into specific dirs under user home (#289) 2025-05-08 11:28:45 -07:00			`(subpath (string-append (param "HOME_DIR") "/.gemini"))`
			`(subpath (string-append (param "HOME_DIR") "/.npm"))`
fix MCP under seatbelt, improve error handling (#301) 2025-05-09 09:02:14 -07:00			`(subpath (string-append (param "HOME_DIR") "/.cache"))`
allow write to ~/.gitconfig in seatbelt profiles (#509) 2025-05-23 07:56:43 -07:00			`(subpath (string-append (param "HOME_DIR") "/.gitconfig"))`
use seatbelt on macos, with two profiles: minimal (default) which only restricts writes, and strict, which is deny-by-default and only allows specific operations (#283) 2025-05-07 20:03:29 -07:00			`(literal "/dev/stdout")`
			`(literal "/dev/stderr")`
			`(literal "/dev/null")`
restricted networking for all sandboxing methods, new seatbelt profiles, updated docs, fixes to sandbox build, debugging through sandbox (#891) 2025-06-10 08:58:37 -07:00			`)`

			`;; deny all inbound network traffic EXCEPT on debugger port`
			`(deny network-inbound)`
			`(allow network-inbound (local ip "localhost:9229"))`

			`;; deny all outbound network traffic EXCEPT through proxy on localhost:8877`
			;; set `GEMINI_SANDBOX_PROXY_COMMAND=<command>` to run proxy alongside sandbox
fixes to proxy on macos: prevent curl from hanging during wait-for-proxy by adding ipv6 support and timeout (#947) 2025-06-11 11:31:38 -07:00			`;; proxy must listen on :::8877 (see scripts/example-proxy.js)`
restricted networking for all sandboxing methods, new seatbelt profiles, updated docs, fixes to sandbox build, debugging through sandbox (#891) 2025-06-10 08:58:37 -07:00			`(deny network-outbound)`
			`(allow network-outbound (remote tcp "localhost:8877"))`

			`(allow network-bind (local ip ":"))`