monadical/greywall
Archived
13
0
Fork 0
Code Issues Pull Requests 1 Actions 2 Packages Projects Releases Wiki Activity
This repository has been archived on 2026-03-13. You can view files and clone it. You cannot open issues or pull requests or push a commit.
Files
main
greywall/examples/02-filesystem/README.md
Mathieu Virbel da3a2ac3a4 rename Fence to Greywall as GreyHaven sandboxing component 
Rebrand the project from Fence to Greywall, the sandboxing layer of the
GreyHaven platform. This updates:

- Go module path to gitea.app.monadical.io/monadical/greywall
- Binary name, CLI help text, and all usage examples
- Config paths (~/.config/greywall/greywall.json), env vars (GREYWALL_*)
- Log prefixes ([greywall:*]), temp file prefixes (greywall-*)
- All documentation, scripts, CI workflows, and example files
- README rewritten with GreyHaven branding and Fence attribution

Directory/file renames: cmd/fence → cmd/greywall, pkg/fence → pkg/greywall,
docs/why-fence.md → docs/why-greywall.md, example JSON files, and banner.
2026-02-10 16:00:24 -06:00

68 lines
1.7 KiB
Markdown
Raw Permalink Blame History

# Filesystem Sandbox Demo
This demo shows how greywall controls filesystem access with `allowWrite`, `denyWrite`, and `denyRead`.
## What it demonstrates
| Operation | Without Greywall | With Greywall |
|-----------|---------------|------------|
| Write to `./output/` | ✓ | ✓ (in allowWrite) |
| Write to `./` | ✓ | ✗ (not in allowWrite) |
| Write to `.env` | ✓ | ✗ (in denyWrite) |
| Write to `*.key` | ✓ | ✗ (in denyWrite) |
| Read `./demo.py` | ✓ | ✓ (allowed by default) |
| Read `/etc/shadow` | ✗ | ✗ (in denyRead) |
| Read `/etc/passwd` | ✓ | ✗ (in denyRead) |
## Run the demo
### Without greywall (all writes succeed)
```bash
python demo.py
```
### With greywall (unauthorized operations blocked)
```bash
greywall --settings greywall.json python demo.py
```
## Greywall config
```json
{
"filesystem": {
"allowWrite": ["./output"],
"denyWrite": [".env", "*.key"],
"denyRead": ["/etc/shadow", "/etc/passwd"]
}
}
```
### How it works
1. **allowWrite** - Only paths listed here are writable. Everything else is read-only.
2. **denyWrite** - These paths are blocked even if they'd otherwise be allowed. Useful for protecting secrets.
3. **denyRead** - Block reads from sensitive system files.
## Key settings
| Setting | Default | Purpose |
|---------|---------|---------|
| `allowWrite` | `[]` (nothing) | Directories where writes are allowed |
| `denyWrite` | `[]` | Paths to block writes (overrides allowWrite) |
| `denyRead` | `[]` | Paths to block reads |
## Protected paths
Greywall also automatically protects certain paths regardless of config:
- Shell configs: `.bashrc`, `.zshrc`, `.profile`
- Git hooks: `.git/hooks/*`
- Git config: `.gitconfig`
See [ARCHITECTURE.md](../../ARCHITECTURE.md) for the full list.
Reference in New Issue View Git Blame Copy Permalink