monadical/greywall
Archived
13
0
Fork 0
Code Issues Pull Requests 1 Actions 2 Packages Projects Releases Wiki Activity
This repository has been archived on 2026-03-13. You can view files and clone it. You cannot open issues or pull requests or push a commit.
Files
70d0685c97fcb061f6847b5f9ab9a0fee4cff886
greywall/examples/02-filesystem/README.md
Mathieu Virbel da3a2ac3a4 rename Fence to Greywall as GreyHaven sandboxing component 
Rebrand the project from Fence to Greywall, the sandboxing layer of the
GreyHaven platform. This updates:

- Go module path to gitea.app.monadical.io/monadical/greywall
- Binary name, CLI help text, and all usage examples
- Config paths (~/.config/greywall/greywall.json), env vars (GREYWALL_*)
- Log prefixes ([greywall:*]), temp file prefixes (greywall-*)
- All documentation, scripts, CI workflows, and example files
- README rewritten with GreyHaven branding and Fence attribution

Directory/file renames: cmd/fence → cmd/greywall, pkg/fence → pkg/greywall,
docs/why-fence.md → docs/why-greywall.md, example JSON files, and banner.
2026-02-10 16:00:24 -06:00

1.7 KiB
Raw Blame History

Filesystem Sandbox Demo

This demo shows how greywall controls filesystem access with allowWrite, denyWrite, and denyRead.

What it demonstrates

Operation Without Greywall With Greywall
Write to ./output/ ✓ (in allowWrite)
Write to ./ ✗ (not in allowWrite)
Write to .env ✗ (in denyWrite)
Write to *.key ✗ (in denyWrite)
Read ./demo.py ✓ (allowed by default)
Read /etc/shadow ✗ (in denyRead)
Read /etc/passwd ✗ (in denyRead)

Run the demo

Without greywall (all writes succeed)

python demo.py

With greywall (unauthorized operations blocked)

greywall --settings greywall.json python demo.py

Greywall config

{
  "filesystem": {
    "allowWrite": ["./output"],
    "denyWrite": [".env", "*.key"],
    "denyRead": ["/etc/shadow", "/etc/passwd"]
  }
}

How it works

  1. allowWrite - Only paths listed here are writable. Everything else is read-only.

  2. denyWrite - These paths are blocked even if they'd otherwise be allowed. Useful for protecting secrets.

  3. denyRead - Block reads from sensitive system files.

Key settings

Setting Default Purpose
allowWrite [] (nothing) Directories where writes are allowed
denyWrite [] Paths to block writes (overrides allowWrite)
denyRead [] Paths to block reads

Protected paths

Greywall also automatically protects certain paths regardless of config:

  • Shell configs: .bashrc, .zshrc, .profile
  • Git hooks: .git/hooks/*
  • Git config: .gitconfig

See ARCHITECTURE.md for the full list.

Reference in New Issue View Git Blame Copy Permalink