Sandbox bind-mounts of nonexistent deny-listed paths appear as untracked files in git status

Resolved 💬 3 comments Opened Apr 28, 2026 by toku345 Closed Apr 28, 2026

Summary

On Linux, the Claude Code sandbox uses bind mounts to enforce filesystem deny lists. When a deny-listed path (e.g. .gitmodules, .env, .netrc, .npmrc, id_rsa, id_ed25519) does not exist in the user's repository, the sandbox still creates a phantom bind mount at that path. This pollutes git status with untracked entries that did not exist before the session.

Environment

  • OS: Linux 6.17.0-1014-nvidia
  • Shell: bash
  • Sandbox: enabled (default)

Reproduction

  1. Open a git repository that does not contain a .gitmodules file (no submodules).
  2. Start a Claude Code session with the sandbox enabled.
  3. Run git status.

Expected: clean working tree.
Actual:

?? .gitmodules

Inspecting /proc/self/mounts confirms the phantom mount:

udev /path/to/repo/.gitmodules devtmpfs ro,nosuid,nodev,relatime,...,mode=755 0 0

stat shows it as a character device matching /dev/null (major=1, minor=3):

.gitmodules type=character special file mode=666 major=1 minor=3

The same pattern occurs for every entry in read.denyOnly whose path does not exist in the repo (.env, .envrc, .netrc, .npmrc, id_rsa, id_ed25519, etc.).

Impact

  • git status is no longer clean across sessions, making diff review noisier.
  • git add -A / git add . could accidentally stage these phantom paths.
  • Names like .gitmodules collide with real git semantics, so a repo-global .gitignore entry is risky.
  • The only workaround is per-repo .git/info/exclude, which each user must maintain manually.

Current workaround

printf '%s\n' '.gitmodules' >> .git/info/exclude

Documented configuration reviewed

The documented sandbox keys (sandbox.filesystem.allowWrite / denyWrite / allowRead / denyRead) control what Claude Code can access, not which host paths get bind-mounted. There appears to be no documented setting to suppress mounts for nonexistent deny-listed paths.

Feature request

Provide an officially supported way to prevent phantom mounts from polluting the working tree. Possible designs:

  1. Skip-if-missing: only bind-mount deny-listed paths when they already exist on the host. Phantom mounts add no security value when the path is absent — there is nothing to protect.
  2. Settings flag: e.g. sandbox.filesystem.skipMissingMounts: true.
  3. Auto-manage .git/info/exclude: optionally append phantom mount paths to .git/info/exclude on session start.

Option 1 seems cleanest and likely a no-op for security since bind-mounting /dev/null over a nonexistent path adds no protection beyond denyRead enforcement at the syscall layer.

Additional context

This was investigated during a session where .gitmodules consistently appeared in git status despite the repository having no submodules.

View original on GitHub ↗

This issue has 3 comments on GitHub. Read the full discussion on GitHub ↗