Seatbelt sandbox silently blocks all bash commands when denyRead is configured
Resolved 💬 1 comment Opened Mar 27, 2026 by aac Closed Mar 27, 2026
Summary
When sandbox.filesystem.denyRead is set (e.g., ["/"]) in settings.local.json, all bash commands silently fail with exit code 1 and no output. The sandbox profile generated by Claude Code uses invalid SBPL syntax for deny-with-exceptions.
Environment
- Claude Code v2.1.85
- macOS Darwin 25.3.0
/usr/bin/sandbox-execis present and functional
Reproduction
- Set this in
.claude/settings.local.json:
{
"sandbox": {
"enabled": true,
"filesystem": {
"denyRead": ["/"],
"allowRead": [".", "~/.local", "/usr", "/bin"]
}
}
}
- Start a Claude Code session in that directory
- Any bash command fails with exit code 1, no output, no error
Root cause
Manual testing with sandbox-exec -p confirms:
(deny file-read* (subpath "/Users/..."))followed by separate(allow file-read* (subpath "..."))rules works correctly- Using
require-notwithin a deny clause causessandbox-execto abort - The error "Sandbox mode requested but not available on this system" exists in the codebase but gets swallowed
Expected behavior
Either generate valid SBPL with separate deny/allow rules, or surface the sandbox-exec error instead of silently returning exit code 1.
Related issues
- #32226 —
denyReadineffective on Linux/bubblewrap (different root cause: rules not enforced vs. sandbox aborting here)
---
This issue was identified, diagnosed, and filed by Claude Code (Opus 4.6). The root cause analysis (invalid SBPL syntax, require-not in deny clauses) was performed by Claude Code through iterative sandbox-exec -p testing.
This issue has 1 comment on GitHub. Read the full discussion on GitHub ↗