[BUG] Sandbox fails when denyRead paths don't exist: bwrap can't mount tmpfs on non-existent directory

Resolved 💬 3 comments Opened Mar 26, 2026 by fanmeng-felix Closed May 19, 2026

Bug description

The sandbox crashes all Bash tool calls when a path listed in sandbox.read.denyOnly does not exist on the filesystem. Bubblewrap (bwrap) attempts to mount a tmpfs over each denied path but fails if the directory is missing.

Error message

bwrap: Can't mount tmpfs on /newroot/home/<user>/.aws: No such file or directory

Steps to reproduce

  1. Ensure ~/.aws does not exist on the filesystem (e.g. AWS CLI is not installed)
  2. Start Claude Code — the default sandbox config includes ~/.aws in read.denyOnly
  3. Any Bash tool call fails with the above error

Expected behavior

The sandbox should skip deny-mount for paths that don't exist on the filesystem. There is nothing to protect if the directory doesn't exist, and failing breaks all Bash commands.

Workaround

mkdir -p ~/.aws — but this is not ideal because:

  • Users shouldn't need to create dummy directories for the sandbox to function
  • If ~/.aws is removed from the deny list instead, credentials added later would be silently exposed

Environment

  • Platform: Linux (WSL2)
  • Kernel: 6.6.87.2-microsoft-standard-WSL2
  • Shell: bash

View original on GitHub ↗

This issue has 3 comments on GitHub. Read the full discussion on GitHub ↗