[BUG] Sandbox fails when denyRead paths don't exist: bwrap can't mount tmpfs on non-existent directory
Resolved 💬 3 comments Opened Mar 26, 2026 by fanmeng-felix Closed May 19, 2026
Bug description
The sandbox crashes all Bash tool calls when a path listed in sandbox.read.denyOnly does not exist on the filesystem. Bubblewrap (bwrap) attempts to mount a tmpfs over each denied path but fails if the directory is missing.
Error message
bwrap: Can't mount tmpfs on /newroot/home/<user>/.aws: No such file or directory
Steps to reproduce
- Ensure
~/.awsdoes not exist on the filesystem (e.g. AWS CLI is not installed) - Start Claude Code — the default sandbox config includes
~/.awsinread.denyOnly - Any Bash tool call fails with the above error
Expected behavior
The sandbox should skip deny-mount for paths that don't exist on the filesystem. There is nothing to protect if the directory doesn't exist, and failing breaks all Bash commands.
Workaround
mkdir -p ~/.aws — but this is not ideal because:
- Users shouldn't need to create dummy directories for the sandbox to function
- If
~/.awsis removed from the deny list instead, credentials added later would be silently exposed
Environment
- Platform: Linux (WSL2)
- Kernel: 6.6.87.2-microsoft-standard-WSL2
- Shell: bash
This issue has 3 comments on GitHub. Read the full discussion on GitHub ↗