Regression: sandbox no longer blocks commands not in excludedCommands (default-deny model broken)
Summary
Until recently (before ~v2.1.179), the sandbox with allowUnsandboxedCommands: false in managed-settings.json acted as a default-deny allowlist: commands not explicitly listed in excludedCommands were blocked. This was a key security feature for managed/enterprise deployments.
As of the current version (2.1.179), this behavior has changed: commands not in excludedCommands now run freely inside bubblewrap rather than being blocked. The sandbox was redesigned from a blocklist/allowlist model to a restriction layer model.
Steps to Reproduce
- Configure
/etc/claude-code/managed-settings.json:
{
"sandbox": {
"enabled": true,
"allowUnsandboxedCommands": false,
"excludedCommands": [
"git status",
"git diff*",
"npx eslint *"
]
}
}
- Ask Claude to run
npm install(not inexcludedCommands) - Expected (old behavior): command is blocked
- Actual (new behavior): command runs inside bubblewrap without being blocked
Expected Behavior
allowUnsandboxedCommands: false + a limited excludedCommands list should enforce a default-deny model: only listed commands are allowed to run, everything else is blocked. This is essential for controlling what Claude can execute in managed deployments.
Actual Behavior
All commands run (inside bwrap), regardless of whether they appear in excludedCommands. The excludedCommands list now only controls which commands run outside the sandbox, not which commands are permitted to run.
Additional Context
- The sandbox option was also removed from the
/configUI and/doctorno longer reports sandbox status, suggesting an intentional architectural redesign rather than a bug — but this redesign removed a critical use case without a replacement. - There is no current alternative in the permissions system to achieve default-deny-with-allowlist behavior.
deny: ["Bash(*)"]blocks everything including desired commands, andallowrules do not overridedenyrules. - OS: Ubuntu 24.04, Claude Code v2.1.179
- AppArmor bwrap profile is correctly configured — sandbox engine is functional
Impact
Managed/enterprise deployments that relied on managed-settings.json to restrict what commands Claude can execute have lost their primary access control mechanism with no documented migration path.