Tools: A Deny Read Bug in Claude Code's Bubblewrap Sandbox
Why sandbox is required for Claude Code's deny rules
The issue
Root cause
Conclusion
Supporting independent security research

While using the sandbox behavior of Claude Code on Linux, I discovered a bug where deny read rules did not work correctly in environments using Bubblewrap. I tested and reported the issue to Anthropic, and it has now been fixed.
The fix is included in Claude Code 2.1.40 and later.

Why sandbox is required for Claude Code's deny rules

Sometimes users report that Claude ignores instructions like “do not read this file.” However, these restrictions should not rely on prompts alone. Access control must be enforced by the runtime harness configuration.

Claude Code provides a permissions.deny mechanism to block access to specific files. However, for these rules to work reliably, sandboxing must be enabled. Without sandboxing, Read is blocked by Claude Code, but access through Bash cannot be prevented.

Another common mistake is enabling dangerously-skip-permissions together with sandboxing. When this option is enabled, commands that disable the sandbox may be automatically approved, effectively bypassing the sandbox.

The recommended setup is:

The issue

While testing sandbox behavior, I found that certain deny rules were not enforced correctly on Linux. Specifically, rules that included wildcard patterns such as * allowed file access through Bash under certain conditions. This pattern appears in the official documentation, so it is something users should be aware of.

Example configuration:

Documentation reference: https://code.claude.com/docs/en/settings#excluding-sensitive-files

Root cause

Claude Code’s Linux sandbox uses Bubblewrap to enforce filesystem restrictions. One mechanism used by Bubblewrap is to mount /dev/null over paths that should be unreadable. However, the implementation did not correctly handle paths that contained wildcard patterns such as *. As a result, the deny rule was not properly enforced in some cases, allowing file access through Bash commands. This issue has now been fixed in Claude Code 2.1.40.

Conclusion

Sandboxing is an important safety mechanism when using AI coding agents. This issue was discovered while evaluating the sandbox behavior of Claude Code. It has now been fixed, so users should upgrade to the latest version.

Supporting independent security research

This investigation was conducted using my own time and Claude Code tokens. I paused my regular work to investigate and debug this issue.
Even when a report is accepted, the overall effort can still be financially negative. Submitting vulnerability reports also does not guarantee that they will be accepted or recognized as valid issues.

If you found this research useful and would like to support further work like this, please consider supporting me:

☕ https://ko-fi.com/impactaky
⭐ https://github.com/sponsors/impactaky
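
The failure mode from the Root cause section, as an added example that is not Claude Code's own code (the post does not show the actual implementation or its fix). It assumes a harness that hides a denied file by passing `--ro-bind /dev/null <path>` to bwrap; the function names, file names and sample rules are constructed for illustration.

```python
import glob
import os
import tempfile

MASK = ["--ro-bind", "/dev/null"]  # bwrap option pair that hides a file's contents


def naive_mask_args(deny_paths):
    """Flawed form: every rule is used as a literal path, wildcards included."""
    args = []
    for path in deny_paths:
        args += MASK + [path]
    return args


def expanded_mask_args(rules, root):
    """Hardened form: expand each rule to the files that exist under root."""
    args, unmatched = [], []
    for rule in rules:
        # Escape root so only the rule itself is interpreted as a pattern.
        targets = sorted(glob.glob(os.path.join(glob.escape(root), rule)))
        if not targets:
            unmatched.append(rule)  # surface dead rules instead of ignoring them
        for target in targets:
            args += MASK + [target]
    return args, unmatched


def demo():
    """Run both forms over a constructed tree; return what each one covers."""
    with tempfile.TemporaryDirectory() as root:
        for name in (".env.local", ".env.prod", "README.md"):
            open(os.path.join(root, name), "w").close()
        rules = [".env.*", "missing.key"]  # constructed sample deny rules
        naive = naive_mask_args([os.path.join(root, r) for r in rules])
        hardened, unmatched = expanded_mask_args(rules, root)
        # Every third argument is a mask destination.
        naive_hits = [p for p in naive[2::3] if os.path.exists(p)]
        masked = [os.path.basename(p) for p in hardened[2::3]]
        return naive_hits, masked, unmatched


if __name__ == "__main__":
    print(demo())
```

Expansion happens once, when the arguments are built, so a file that matches a rule but is created afterwards is not masked. A harness that relies on this approach should treat the unmatched list as a warning to show the user.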