Regression: sandbox no longer blocks commands not in excludedCommands (default-deny model broken)

Open 💬 0 comments Opened Jun 17, 2026 by fethabo

Summary

Until recently (before ~v2.1.179), the sandbox with allowUnsandboxedCommands: false in managed-settings.json acted as a default-deny allowlist: commands not explicitly listed in excludedCommands were blocked. This was a key security feature for managed/enterprise deployments.

As of the current version (2.1.179), this behavior has changed: commands not in excludedCommands now run freely inside bubblewrap rather than being blocked. The sandbox was redesigned from a blocklist/allowlist model to a restriction layer model.

Steps to Reproduce

  1. Configure /etc/claude-code/managed-settings.json:
{
  "sandbox": {
    "enabled": true,
    "allowUnsandboxedCommands": false,
    "excludedCommands": [
      "git status",
      "git diff*",
      "npx eslint *"
    ]
  }
}
  1. Ask Claude to run npm install (not in excludedCommands)
  2. Expected (old behavior): command is blocked
  3. Actual (new behavior): command runs inside bubblewrap without being blocked

Expected Behavior

allowUnsandboxedCommands: false + a limited excludedCommands list should enforce a default-deny model: only listed commands are allowed to run, everything else is blocked. This is essential for controlling what Claude can execute in managed deployments.

Actual Behavior

All commands run (inside bwrap), regardless of whether they appear in excludedCommands. The excludedCommands list now only controls which commands run outside the sandbox, not which commands are permitted to run.

Additional Context

  • The sandbox option was also removed from the /config UI and /doctor no longer reports sandbox status, suggesting an intentional architectural redesign rather than a bug — but this redesign removed a critical use case without a replacement.
  • There is no current alternative in the permissions system to achieve default-deny-with-allowlist behavior. deny: ["Bash(*)"] blocks everything including desired commands, and allow rules do not override deny rules.
  • OS: Ubuntu 24.04, Claude Code v2.1.179
  • AppArmor bwrap profile is correctly configured — sandbox engine is functional

Impact

Managed/enterprise deployments that relied on managed-settings.json to restrict what commands Claude can execute have lost their primary access control mechanism with no documented migration path.

View original on GitHub ↗