Sandbox bind-mounts of nonexistent deny-listed paths appear as untracked files in git status
Summary
On Linux, the Claude Code sandbox uses bind mounts to enforce filesystem deny lists. When a deny-listed path (e.g. .gitmodules, .env, .netrc, .npmrc, id_rsa, id_ed25519) does not exist in the user's repository, the sandbox still creates a phantom bind mount at that path. This pollutes git status with untracked entries that did not exist before the session.
Environment
- OS: Linux 6.17.0-1014-nvidia
- Shell: bash
- Sandbox: enabled (default)
Reproduction
- Open a git repository that does not contain a
.gitmodulesfile (no submodules). - Start a Claude Code session with the sandbox enabled.
- Run
git status.
Expected: clean working tree.
Actual:
?? .gitmodules
Inspecting /proc/self/mounts confirms the phantom mount:
udev /path/to/repo/.gitmodules devtmpfs ro,nosuid,nodev,relatime,...,mode=755 0 0
stat shows it as a character device matching /dev/null (major=1, minor=3):
.gitmodules type=character special file mode=666 major=1 minor=3
The same pattern occurs for every entry in read.denyOnly whose path does not exist in the repo (.env, .envrc, .netrc, .npmrc, id_rsa, id_ed25519, etc.).
Impact
git statusis no longer clean across sessions, making diff review noisier.git add -A/git add .could accidentally stage these phantom paths.- Names like
.gitmodulescollide with real git semantics, so a repo-global.gitignoreentry is risky. - The only workaround is per-repo
.git/info/exclude, which each user must maintain manually.
Current workaround
printf '%s\n' '.gitmodules' >> .git/info/exclude
Documented configuration reviewed
The documented sandbox keys (sandbox.filesystem.allowWrite / denyWrite / allowRead / denyRead) control what Claude Code can access, not which host paths get bind-mounted. There appears to be no documented setting to suppress mounts for nonexistent deny-listed paths.
Feature request
Provide an officially supported way to prevent phantom mounts from polluting the working tree. Possible designs:
- Skip-if-missing: only bind-mount deny-listed paths when they already exist on the host. Phantom mounts add no security value when the path is absent — there is nothing to protect.
- Settings flag: e.g.
sandbox.filesystem.skipMissingMounts: true. - Auto-manage
.git/info/exclude: optionally append phantom mount paths to.git/info/excludeon session start.
Option 1 seems cleanest and likely a no-op for security since bind-mounting /dev/null over a nonexistent path adds no protection beyond denyRead enforcement at the syscall layer.
Additional context
This was investigated during a session where .gitmodules consistently appeared in git status despite the repository having no submodules.
This issue has 3 comments on GitHub. Read the full discussion on GitHub ↗