From cac7aaae575ab241abdab53c4606b38e9c7b4418 Mon Sep 17 00:00:00 2001
From: Mathieu Virbel
Date: Thu, 12 Mar 2026 12:00:02 -0600
Subject: [PATCH] fix: add user-configured allowRead paths to Landlock ruleset

ApplyLandlockFromConfig was not processing cfg.Filesystem.AllowRead paths, causing them to be blocked by Landlock despite bwrap mounting them correctly as read-only. This made files like ~/.gitconfig inaccessible inside the sandbox when using DefaultDenyRead mode.

Closes #6
---
 internal/sandbox/linux_landlock.go | 19 +++++++++++++++++++
 1 file changed, 19 insertions(+)

diff --git a/internal/sandbox/linux_landlock.go b/internal/sandbox/linux_landlock.go
index 77ae114..c7a2fed 100644
--- a/internal/sandbox/linux_landlock.go
+++ b/internal/sandbox/linux_landlock.go
@@ -152,6 +152,25 @@ func ApplyLandlockFromConfig(cfg *config.Config, cwd string, socketPaths []strin
 }
 }
+ // User-configured allowRead paths
+ if cfg != nil && cfg.Filesystem.AllowRead != nil {
+ expandedPaths := ExpandGlobPatterns(cfg.Filesystem.AllowRead)
+ for _, p := range expandedPaths {
+ if err := ruleset.AllowRead(p); err != nil && debug {
+ fmt.Fprintf(os.Stderr, "[greywall:landlock] Warning: failed to add read path %s: %v\n", p, err)
+ }
+ }
+ // Also add non-glob paths directly
+ for _, p := range cfg.Filesystem.AllowRead {
+ if !ContainsGlobChars(p) {
+ normalized := NormalizePath(p)
+ if err := ruleset.AllowRead(normalized); err != nil && debug {
+ fmt.Fprintf(os.Stderr, "[greywall:landlock] Warning: failed to add read path %s: %v\n", normalized, err)
+ }
+ }
+ }
+ }
+
 // User-configured allowWrite paths
 if cfg != nil && cfg.Filesystem.AllowWrite != nil {
 expandedPaths := ExpandGlobPatterns(cfg.Filesystem.AllowWrite)
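Review bot: Both new loops gate the failure message on `err != nil && debug`, so when `ruleset.AllowRead` fails for a configured path (for example a path that does not exist yet at sandbox start) and debug is off, the path is silently left out of the ruleset and the user sees exactly the symptom this commit fixes (#6) with no signal; the Landlock layer ends up stricter than the bwrap mounts without anyone knowing. Consider surfacing the warning unconditionally, `if err := ruleset.AllowRead(p); err != nil {` followed by the existing `fmt.Fprintf(...)`, or collecting the failures and reporting them once after the loop (the same applies to the allowWrite block, which matches this style but is only partly visible here). The second loop re-adds every non-glob entry after `NormalizePath`, while the first loop adds whatever `ExpandGlobPatterns` returned unnormalized; if `ExpandGlobPatterns` already passes literal paths through, a non-glob entry is added twice, possibly under two different spellings, which is harmless for Landlock but suggests the normalization should happen once, before expansion. `cfg.Filesystem.AllowRead != nil` also reads more idiomatically as `len(cfg.Filesystem.AllowRead) > 0`. ApplyLandlockFromConfig, `ruleset` and `debug` are all defined outside this hunk.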