fix(sandbox): make ~/.gitconfig read-only in the macOS sandbox#28221

Open
ompatel-aiml wants to merge 2 commits into google-gemini:main from ompatel-aiml:standup/2026-06-30-harden-gemini-gitconfig-write-scope

ompatel-aiml (Contributor) commented Jun 30, 2026

Summary

Remove ~/.gitconfig from the macOS Seatbelt sandbox's writable set so a sandboxed process can no longer modify the user's global git config. Git config can drive command execution (aliases, core.pager, core.hooksPath, etc.), so making it read-only under the sandbox closes that vector. Read access is unchanged, so normal git operations are unaffected.

Details

  • packages/cli/src/utils/sandbox-macos-*.sb (all six profiles): remove the ~/.gitconfig entry from the (allow file-write* …) block. Read access is preserved (the strict profiles keep it in file-read*; the others allow broad reads).
  • Behavior change: under the macOS sandbox, ~/.gitconfig becomes read-only. No API/CLI breaking changes.

Related Issues

N/A

How to Validate

Validated locally on macOS Seatbelt against all six profiles. Using a throwaway HOME_DIR that contains a .gitconfig file, apply each profile with sandbox-exec (supplying each profile's (param …) values; keep INCLUDE_DIR_* pointed at a separate dir so the only thing that could permit a ~/.gitconfig write is the rule under test):

# 1) write ~/.gitconfig  -> DENIED with this change (was ALLOWED before)
sandbox-exec -D HOME_DIR="$H" -D INCLUDE_DIR_0="$INC" … \
  -f packages/cli/src/utils/sandbox-macos-<profile>.sb \
  /bin/sh -c "echo x >> $H/.gitconfig"

# 2) read ~/.gitconfig  -> ALLOWED
sandbox-exec … -f <profile> /bin/cat "$H/.gitconfig"

Result for every profile (permissive / restrictive / strict × open / proxied):

| | write ~/.gitconfig | read ~/.gitconfig |
| --- | --- | --- |
| before (origin/main) | ALLOWED | ALLOWED |
| after (this PR) | DENIED | ALLOWED |

Pre-Merge Checklist

  • Updated relevant documentation and README (if needed)
  • Added/updated tests (if needed)
  • Noted breaking changes (if any)
  • Validated on required platforms/methods:
    • MacOS
      • npm run
      • npx
      • Docker
      • Podman
      • Seatbelt
    • Windows
      • npm run
      • npx
      • Docker
    • Linux
      • npm run
      • npx
      • Docker
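
A static regression check for the profile change this PR describes, as an added example (not code from the PR or the gemini-cli repository). The profile text is a constructed sample in the style of a Seatbelt profile and the function names are hypothetical; only HOME_DIR, INCLUDE_DIR_0 and the file-write*/file-read* operations come from the description above.

```javascript
// Constructed sample in the style of a Seatbelt profile; the real
// sandbox-macos-*.sb files may be laid out differently.
const profile = (extraWriteRule) => `(version 1)
(deny default)
(allow file-read* (literal (string-append (param "HOME_DIR") "/.gitconfig")))
(allow file-write*
  ; note: "/.gitconfig" in a comment must not count as a rule
  (subpath (param "INCLUDE_DIR_0"))
  ${extraWriteRule})`;
const BEFORE = profile('(literal (string-append (param "HOME_DIR") "/.gitconfig"))');
const AFTER = profile('');

// Split profile text into top-level (...) forms, dropping ';' comments and
// treating parentheses inside "strings" as ordinary characters.
function topLevelForms(text) {
  const forms = [];
  let depth = 0, buf = '', inString = false;
  for (let i = 0; i < text.length; i++) {
    const c = text[i];
    if (!inString && c === ';') {            // comment runs to end of line
      while (i + 1 < text.length && text[i + 1] !== '\n') i++;
      continue;
    }
    if (depth > 0 || c === '(') buf += c;
    if (inString) {
      if (c === '\\') buf += text[++i] ?? ''; // keep the escaped character
      else if (c === '"') inString = false;
    } else if (c === '"') inString = true;
    else if (c === '(') depth++;
    else if (c === ')' && depth > 0 && --depth === 0) { forms.push(buf); buf = ''; }
  }
  return forms;
}

// True when an (allow ...) form names an operation that covers writes.
function grantsWrite(form) {
  const m = /^\(\s*allow\s+([^()]*)/.exec(form);
  return !!m && m[1].trim().split(/\s+/).some((op) => /^file(\*|-write)/.test(op));
}

// String literals ending in a sensitive suffix inside write-granting forms.
function writableSensitivePaths(text, sensitive = ['/.gitconfig']) {
  return topLevelForms(text)
    .filter(grantsWrite)
    .flatMap((f) => [...f.matchAll(/"((?:[^"\\]|\\.)*)"/g)].map((m) => m[1]))
    .filter((s) => sensitive.some((suffix) => s.endsWith(suffix)));
}

console.log('before:', writableSensitivePaths(BEFORE));
console.log('after: ', writableSensitivePaths(AFTER));
```

This only catches rules that name the path in a string literal; a broader rule, such as a subpath covering all of HOME_DIR, still needs the sandbox-exec check from the description.
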
github-actions Bot added the size/l (A large sized PR) label Jun 30, 2026

github-actions Bot commented Jun 30, 2026

📊 PR Size: size/XS

  • Lines changed: 6
  • Additions: +0
  • Deletions: -6
  • Files changed: 6
github-actions Bot added the size/m (A medium sized PR) label Jun 30, 2026

ompatel-aiml (Contributor Author) commented:

/gemini review

gemini-code-assist Bot (Contributor) left a comment

Code Review

This pull request restricts write access to ~/.gitconfig under macOS Seatbelt sandbox profiles and introduces Human-In-The-Loop (HITL) confirmation requirements (ASK_USER) for modifying .gemini and .gitconfig paths within the workspace. The reviewer identified a critical security vulnerability where the path-checking loop can short-circuit on an ASK_USER decision, potentially bypassing subsequent DENY validations for other paths in multi-path tool calls. A refactoring of the check method was suggested to accumulate ASK_USER decisions and prioritize DENY outcomes.

Comment thread packages/core/src/safety/built-in.ts Outdated
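
The short-circuit problem raised in the review above, as an added example (not the code from packages/core/src/safety/built-in.ts, which this page does not show). ALLOW, the workspace root and the per-path rules are assumptions for illustration; ASK_USER and DENY are the decisions named in the review.

```javascript
// Hypothetical decision values; only ASK_USER and DENY are named in the review.
const ALLOW = 'ALLOW', ASK_USER = 'ASK_USER', DENY = 'DENY';
const WORKSPACE = '/work'; // constructed workspace root

// Constructed per-path rule (no path normalization): outside the workspace is
// denied, .gemini and .gitconfig inside it need confirmation, the rest is allowed.
function checkPath(path) {
  if (!path.startsWith(WORKSPACE + '/')) return DENY;
  if (/\/\.(gemini|gitconfig)(\/|$)/.test(path)) return ASK_USER;
  return ALLOW;
}

// Flawed shape: returns on the first non-ALLOW result, so an ASK_USER for an
// early path ends the loop before a later path that would be DENY is checked.
function checkShortCircuit(paths) {
  for (const p of paths) {
    const d = checkPath(p);
    if (d !== ALLOW) return { decision: d, path: p };
  }
  return { decision: ALLOW };
}

// Corrected shape: DENY wins immediately; ASK_USER is remembered and returned
// only after every path has been checked.
function checkAccumulate(paths) {
  let pending = null;
  for (const p of paths) {
    const d = checkPath(p);
    if (d === DENY) return { decision: DENY, path: p };
    if (d === ASK_USER && !pending) pending = { decision: ASK_USER, path: p };
  }
  return pending ?? { decision: ALLOW };
}

// Constructed multi-path tool call: first path needs confirmation, second is denied.
const call = [WORKSPACE + '/.gitconfig', '/outside/notes.txt'];
console.log('short-circuit:', checkShortCircuit(call).decision);
console.log('accumulate:   ', checkAccumulate(call).decision);
```
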
github-actions Bot added the size/xs (An extra small PR) label Jun 30, 2026
ompatel-aiml changed the title fix(safety): require confirmation before agent writes to .gemini and .gitconfig Jun 30, 2026
Remove ~/.gitconfig from the file-write* allow list in all six macOS Seatbelt
profiles so the sandboxed process can no longer modify the user's global git
config (git config can drive command execution via aliases, core.pager,
core.hooksPath, etc.). Read access is unchanged, so normal git operations are
unaffected.
ompatel-aiml force-pushed the standup/2026-06-30-harden-gemini-gitconfig-write-scope branch from 12627ad to 3c236de June 30, 2026 18:55

ompatel-aiml (Contributor Author) commented:

/gemini review

gemini-code-assist Bot (Contributor) left a comment

Code Review

This pull request removes the .gitconfig file path from various macOS sandbox configuration files, including the permissive, restrictive, and strict profiles for both open and proxied modes. This change prevents the sandboxed environment from accessing the user's global Git configuration. There are no review comments, and I have no feedback to provide.

ompatel-aiml marked this pull request as ready for review June 30, 2026 19:49
ompatel-aiml requested a review from a team as a code owner June 30, 2026 19:49
ompatel-aiml enabled auto-merge June 30, 2026 19:49

gemini-code-assist (Contributor) commented:

Summary of Changes

Hello, I'm Gemini Code Assist! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request improves the security posture of the application by restricting write access to the user's global Git configuration file within the macOS sandbox environment. By making ~/.gitconfig read-only, we mitigate potential security risks where a sandboxed process could manipulate Git aliases or hooks to execute arbitrary commands.

Highlights

  • Security Hardening: Removed write permissions for ~/.gitconfig in all macOS Seatbelt sandbox profiles to prevent sandboxed processes from modifying global Git configurations.
  • Compatibility: Ensured that read access to ~/.gitconfig remains intact, allowing standard Git operations to continue functioning without disruption.

gemini-code-assist Bot (Contributor) left a comment

Code Review

This pull request removes the access permissions for the .gitconfig file across multiple macOS sandbox profile configurations, including the permissive, restrictive, and strict variants. I have no feedback to provide.

gemini-cli Bot added the status/need-issue (Pull requests that need to have an associated issue.) label Jun 30, 2026