[BUG] Specifying `Edit(filepath)` in `permissions.deny` whilst also specifying the filepath in `denyWrite` for `sandbox` causes bwrap failures on all bash tool calls

Resolved 💬 3 comments Opened Mar 24, 2026 by JohnnyMorganz Closed May 1, 2026

Preflight Checklist

  • [x] I have searched existing issues and this hasn't been reported yet
  • [x] This is a single bug report (please file separate reports for different bugs)
  • [x] I am using the latest version of Claude Code

What's Wrong?

When we specify an Edit(filepath) pattern in the permissions.deny scope of settings.json, whilst also specifying the same filepath in the denyWrite section of sandboxing config, all bash tool calls fail with a bwrap error.

Use case: even if we put a file path in denyWrite for Claude Code, to prevent it from modifying that file via Bash, there is still a risk that Claude will attempt to call the Write tool to modify the file instead, which does not run inside of the sandbox (https://github.com/anthropics/claude-code/issues/26616). From testing, at least the permission prompt will show regardless of if dangerous skip permissions is enabled, however for sensitive files (shell scripts, claude code hooks or MCP server config), we want to make sure these are not editable at all, to prevent prompt fatigue. This is because shell / hooks / MCP do not run outside of the sandbox.

What Should Happen?

Bash tool call should proceed without issue

Error Messages/Logs

bwrap: Can't create file at /root/.bashrc.user: Permission denied

Steps to Reproduce

Configure your settings.json (in our case, we put this in /etc/claude-code/managed-settings.json):

{
  "sandbox": {
    "enabled": true,
    "autoAllowBashIfSandboxed": true,
    "allowUnsandboxedCommands": false,
    "filesystem": {
      "allowWrite": [
        "/tmp",
        "/run",
        "/workspace",
        "~/"
      ],
      "denyWrite": [
        "~/.bashrc.user"
      ]
    }
  },
  "permissions": {
    "deny": [
      "Edit(~/.bashrc.user)"
    ]
  }
}

Start claude and execute a bash command (e.g., ! echo "hello")

You'll see the error

 bwrap: Can't create file at /root/.bashrc.user: Permission denied

Note: works fine if filepath is a glob match (e.g., Edit(~/.claude/**)). Some filepaths also work fine (e.g., ~/.bashrc or ~/.zshrc or ~/.profile, probably because they are managed by something else)

Claude Model

None

Is this a regression?

I don't know

Last Working Version

_No response_

Claude Code Version

2.1.78

Platform

Anthropic API

Operating System

Other Linux

Terminal/Shell

Other

Additional Information

Seems like bwrap is trying to create dummy files for the paths defined in our Edit rules?

View original on GitHub ↗

This issue has 3 comments on GitHub. Read the full discussion on GitHub ↗