This repository was archived on 2026-03-13.
Commit da3a2ac3a4 by Mathieu Virbel: rename Fence to Greywall as GreyHaven sandboxing component
Rebrand the project from Fence to Greywall, the sandboxing layer of the
GreyHaven platform. This updates:

- Go module path to gitea.app.monadical.io/monadical/greywall
- Binary name, CLI help text, and all usage examples
- Config paths (~/.config/greywall/greywall.json), env vars (GREYWALL_*)
- Log prefixes ([greywall:*]), temp file prefixes (greywall-*)
- All documentation, scripts, CI workflows, and example files
- README rewritten with GreyHaven branding and Fence attribution

Directory/file renames: cmd/fence → cmd/greywall, pkg/fence → pkg/greywall,
docs/why-fence.md → docs/why-greywall.md, example JSON files, and banner.
2026-02-10 16:00:24 -06:00


Filesystem Sandbox Demo

This demo shows how greywall controls filesystem access with allowWrite, denyWrite, and denyRead.

What it demonstrates

Operation           Without Greywall    With Greywall
Write to ./output/  ✓                   ✓ (in allowWrite)
Write to ./         ✓                   ✗ (not in allowWrite)
Write to .env       ✓                   ✗ (in denyWrite)
Write to *.key      ✓                   ✗ (in denyWrite)
Read ./demo.py      ✓                   ✓ (allowed by default)
Read /etc/shadow    ✓ (as root only)    ✗ (in denyRead)
Read /etc/passwd    ✓                   ✗ (in denyRead)

Note that /etc/shadow is readable only by root on a standard system, so for an unprivileged user that read already fails without greywall; the denyRead rule is what blocks it when the sandboxed process would otherwise have enough privilege to read it.

Run the demo

Without greywall (all writes succeed)

python demo.py

With greywall (unauthorized operations blocked)

greywall --settings greywall.json python demo.py

Greywall config

{
  "filesystem": {
    "allowWrite": ["./output"],
    "denyWrite": [".env", "*.key"],
    "denyRead": ["/etc/shadow", "/etc/passwd"]
  }
}

How it works

  1. allowWrite - Only paths listed here are writable. Everything else is read-only: writes outside these directories fail.

  2. denyWrite - These paths or glob patterns (for example *.key) are blocked even if they sit inside an allowWrite directory. Useful for protecting secrets.

  3. denyRead - Block reads from sensitive system files. Reads are otherwise allowed by default.
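The three rules above, written out as a small reference model plus a probe that performs each operation from the demo table for real and compares the result with what the model predicts. This is an added example, not greywall's own code and not its matching engine: how greywall matches a pattern (directory prefix, basename globs such as *.key at any depth) is assumed here and should be checked against ARCHITECTURE.md.

```python
"""Reference model of the filesystem rules in this demo (added example).

Not greywall's code. Assumptions, not documented behaviour: a pattern that
names a directory matches everything under it, and a glob such as '*.key'
matches the file's basename at any depth. See ARCHITECTURE.md for the real
semantics.
"""
import fnmatch
import os
import tempfile

# Same config as greywall.json in this demo.
CONFIG = {
    "filesystem": {
        "allowWrite": ["./output"],
        "denyWrite": [".env", "*.key"],
        "denyRead": ["/etc/shadow", "/etc/passwd"],
    }
}


def _matches(path, pattern, cwd):
    """Assumed matching rule: exact path, path below a directory pattern,
    or basename glob (so 'output/server.key' still hits '*.key')."""
    abs_path = os.path.normpath(os.path.join(cwd, path))
    abs_pat = os.path.normpath(os.path.join(cwd, pattern))
    if abs_path == abs_pat or abs_path.startswith(abs_pat + os.sep):
        return True
    return fnmatch.fnmatch(os.path.basename(abs_path), pattern)


def decide(op, path, config=CONFIG, cwd="/work"):
    """Return 'allow' or 'deny' for a read or write of `path`, applying the
    rules in the order the README gives them: denyWrite beats allowWrite,
    anything not in allowWrite is read-only, denyRead blocks reads."""
    fs = config["filesystem"]

    def hit(key):
        return any(_matches(path, p, cwd) for p in fs.get(key, []))

    if op == "read":
        return "deny" if hit("denyRead") else "allow"    # rule 3; reads default to allow
    if op == "write":
        if hit("denyWrite"):                             # rule 2: the override wins
            return "deny"
        return "allow" if hit("allowWrite") else "deny"  # rule 1: allow-list
    raise ValueError(f"unknown op {op!r}")


def probe(op, path):
    """Attempt the operation for real and report what the OS (and, when run
    under greywall, the sandbox) actually did, with the error class."""
    try:
        if op == "write":
            with open(path, "a") as f:
                f.write("probe\n")
        else:
            with open(path, "rb") as f:
                f.read(1)
        return "allow", ""
    except OSError as exc:  # PermissionError, FileNotFoundError, ...
        return "deny", exc.__class__.__name__


if __name__ == "__main__":
    me = os.path.abspath(__file__)
    # Work in a scratch directory so probe files do not land in the repo.
    os.chdir(tempfile.mkdtemp(prefix="greywall-demo-"))
    os.makedirs("output", exist_ok=True)
    cases = [
        ("write", "output/result.txt"),
        ("write", "scratch.txt"),
        ("write", ".env"),
        ("write", "output/server.key"),  # inside allowWrite, still denied by *.key
        ("read", me),
        ("read", "/etc/shadow"),
        ("read", "/etc/passwd"),
    ]
    for op, path in cases:
        model = decide(op, path, cwd=os.getcwd())
        actual, why = probe(op, path)
        mark = "" if model == actual else "  <-- differs from model"
        print(f"{op:5} {path:40} model={model:5} actual={actual:5} {why}{mark}")
```

Run it once bare and once as `greywall --settings greywall.json python probe.py` (the file name is arbitrary). Outside the sandbox the write rows and the /etc/passwd row differ from the model; under greywall they should agree. The /etc/shadow row fails for an unprivileged user either way, so it only demonstrates denyRead when the sandboxed process could otherwise read that file.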

Key settings

Setting     Default        Purpose
allowWrite  [] (nothing)   Directories where writes are allowed
denyWrite   []             Paths or globs to block writes (overrides allowWrite)
denyRead    []             Paths to block reads

Protected paths

Greywall also automatically protects certain paths regardless of config:

  • Shell configs: .bashrc, .zshrc, .profile
  • Git hooks: .git/hooks/*
  • Git config: .gitconfig

See ARCHITECTURE.md for the full list.