Flip the sandbox from allow-by-default reads (--ro-bind / /) to deny-by-default (--tmpfs / with selective mounts). This makes the sandbox safer by default — only system paths, CWD, and explicitly allowed paths are accessible.

- Config: DefaultDenyRead is now *bool (nil = true, deny-by-default) with IsDefaultDenyRead() helper; opt out via "defaultDenyRead": false
- Linux: new buildDenyByDefaultMounts() using --tmpfs / + selective --ro-bind for system paths, --symlink for merged-usr distros (Arch), --bind for CWD, and --ro-bind for user tooling/shell configs/caches
- macOS: generateReadRules() adds CWD subpath, ancestor traversal, home shell configs/caches; generateWriteRules() auto-allows CWD
- Landlock: deny-by-default mode allows only specific user tooling paths instead of blanket home directory read access
- Sensitive .env files masked within CWD via empty-file overlay on Linux and deny rules on macOS
- Learning templates now include allowRead and .env deny patterns
Greywall
The sandboxing layer of the GreyHaven platform.
Greywall wraps commands in a sandbox that blocks network access by default and restricts filesystem operations. It is the core sandboxing component of the GreyHaven platform, providing defense-in-depth for running untrusted code.
```shell
# Block all network access (default)
greywall curl https://example.com   # → 403 Forbidden

# Allow specific domains
greywall -t code npm install        # → uses 'code' template with npm/pypi/etc allowed

# Block dangerous commands
greywall -c "rm -rf /"              # → blocked by command deny rules
```
Greywall also works as a permission manager for CLI agents, including popular coding agents such as Claude Code, Codex, Gemini CLI, Cursor Agent, OpenCode, and Factory (Droid) CLI. See agents.md for more details.
Install
macOS / Linux:
```shell
curl -fsSL https://gitea.app.monadical.io/monadical/greywall/raw/branch/main/install.sh | sh
```
Other installation methods
Go install:
```shell
go install gitea.app.monadical.io/monadical/greywall/cmd/greywall@latest
```
Build from source:
```shell
git clone https://gitea.app.monadical.io/monadical/greywall
cd greywall
go build -o greywall ./cmd/greywall
```
Additional requirements for Linux:
- bubblewrap (for sandboxing)
- socat (for network bridging)
- bpftrace (optional, for filesystem violation visibility when monitoring with -m)
Usage
Basic
```shell
# Run command with all network blocked (no domains allowed by default)
greywall curl https://example.com

# Run with shell expansion
greywall -c "echo hello && ls"

# Enable debug logging
greywall -d curl https://example.com

# Use a template
greywall -t code -- claude   # Runs Claude Code using `code` template config

# Monitor mode (shows violations)
greywall -m npm install

# Show all commands and options
greywall --help
```
Configuration
Greywall reads from ~/.config/greywall/greywall.json by default (or ~/Library/Application Support/greywall/greywall.json on macOS).
```json
{
  "extends": "code",
  "network": { "allowedDomains": ["private.company.com"] },
  "filesystem": { "allowWrite": ["."] },
  "command": { "deny": ["git push", "npm publish"] }
}
```
Use greywall --settings ./custom.json to specify a different config.
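The commit message at the top of this page describes the read policy as a tri-state `defaultDenyRead` setting: a key that is absent means deny-by-default, and only an explicit `false` opts out. The Go program below is an added illustration of that pattern, not Greywall's own code; the struct and function names (`Config`, `ParseConfig`, `EffectiveReadRoots`) and the use of `DisallowUnknownFields` are assumptions made for this example, while the JSON keys match the ones shown in this README and the commit message.

```go
package main

import (
	"bytes"
	"encoding/json"
	"fmt"
)

// Config mirrors the keys used in greywall.json on this page. The type and
// field names are assumed for this example, not Greywall's real types.
type Config struct {
	Extends         string           `json:"extends,omitempty"`
	Network         NetworkConfig    `json:"network"`
	Filesystem      FilesystemConfig `json:"filesystem"`
	Command         CommandConfig    `json:"command"`
	DefaultDenyRead *bool            `json:"defaultDenyRead,omitempty"`
}

type NetworkConfig struct {
	AllowedDomains []string `json:"allowedDomains"`
}

type FilesystemConfig struct {
	AllowRead  []string `json:"allowRead"`
	AllowWrite []string `json:"allowWrite"`
}

type CommandConfig struct {
	Deny []string `json:"deny"`
}

// IsDefaultDenyRead applies the tri-state rule: a missing key (nil pointer)
// means deny-by-default, and only an explicit false opts out.
func (c *Config) IsDefaultDenyRead() bool {
	return c.DefaultDenyRead == nil || *c.DefaultDenyRead
}

// ParseConfig decodes a greywall.json document. Rejecting unknown keys is this
// example's choice: a misspelled key such as "defaultDenyReads" would otherwise
// be ignored silently, leaving the operator unsure which policy is in force.
func ParseConfig(data []byte) (*Config, error) {
	dec := json.NewDecoder(bytes.NewReader(data))
	dec.DisallowUnknownFields()
	var c Config
	if err := dec.Decode(&c); err != nil {
		return nil, err
	}
	return &c, nil
}

// EffectiveReadRoots returns the directory roots the policy would expose for
// reading, simplified to CWD plus allowRead entries in deny-by-default mode and
// the whole filesystem when opted out. The system paths Greywall also binds are
// omitted here to keep the comparison between the two modes visible.
func (c *Config) EffectiveReadRoots(cwd string) []string {
	if !c.IsDefaultDenyRead() {
		return []string{"/"}
	}
	return append([]string{cwd}, c.Filesystem.AllowRead...)
}

func main() {
	// Constructed sample documents; the paths are placeholders.
	samples := []struct{ name, doc string }{
		{"key absent", `{"extends": "code", "filesystem": {"allowRead": ["/opt/tooling"]}}`},
		{"explicit false", `{"defaultDenyRead": false}`},
		{"explicit true", `{"defaultDenyRead": true}`},
		{"misspelled key", `{"defaultDenyReads": false}`},
	}
	for _, s := range samples {
		c, err := ParseConfig([]byte(s.doc))
		if err != nil {
			fmt.Printf("%-15s rejected: %v\n", s.name, err)
			continue
		}
		fmt.Printf("%-15s denyRead=%v roots=%v\n", s.name, c.IsDefaultDenyRead(), c.EffectiveReadRoots("/work/project"))
	}
}
```

The important property is that the safe policy is the one you get by writing nothing at all, and that weakening it requires a literal `false` in the file, which is easy to spot in code review or in a diff of the config directory.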
Import from Claude Code
```shell
greywall import --claude --save
```
Features
- Network isolation - All outbound blocked by default; allowlist domains via config
- Filesystem restrictions - Control read/write access paths
- Command blocking - Deny dangerous commands like `rm -rf /`, `git push`
- SSH Command Filtering - Control which hosts and commands are allowed over SSH
- Built-in templates - Pre-configured rulesets for common workflows
- Violation monitoring - Real-time logging of blocked requests (`-m`)
- Cross-platform - macOS (sandbox-exec) + Linux (bubblewrap)
Greywall can be used as a Go package or as a CLI tool.
Documentation
- Index
- Quickstart Guide
- Configuration Reference
- Security Model
- Architecture
- Library Usage (Go)
- Examples
Attribution
Greywall is based on Fence by Use-Tusk.
Inspired by Anthropic's sandbox-runtime.