Allow cwd but block .env

[agardnerIT]

Hi all, I'm trying to allow the current directory but disallow the .env file in that directory.

.env

export FOO=BAR123

{
  "meta": {
    "name": "my-second-profile",
    "version": "0.0.2",
    "description": "My second profile"
  },
  "workdir": {
    "access": "read"
  },
    "policy": {
    "override_deny": ["./.env"]
  },
  "network": {
    "block": true
  }
}

[lukehinds]

hi @agardnerIT - version 18 will solve this for you

{
  "meta": {
    "name": "env"
  },
  "workdir": {
    "access": "readwrite"
  },
  "extends": "claude-code",
  "policy": {
    "add_deny_access": ["$WORKDIR/.env"]
  }
}

[agardnerIT]

Yup, this works now. Fabulous!

[quinncomendant]

Keep in mind everything in your sandbox will fail to access .env, e.g., Claude Code running tests may require loading the .env, which will also fail. It's a hard problem to solve if you want low friction with agents in a sandbox. Using proxied fake credentials in env vars lets things run in the sandbox without exposing the real creds.

[poliveira89]

@lukehinds is there the CLI equivalent? or this is just profile feature?

[poliveira89]

This is not working on v0.57.0

warning: deprecated key 'policy.add_deny_access' — use 'filesystem.deny' instead (will be removed in v1.0.0, #594)
warning: deprecated key 'policy.add_deny_access' — use 'filesystem.deny' instead (will be removed in v1.0.0, #594)
  Share /home/me/project with read+write access?
  use --allow-cwd to skip this prompt
  [y/N] y
nono: Sandbox initialization failed: Landlock deny-overlap is not enforceable on Linux. Refusing to start with conflicting policy.
1 deny rule(s) cannot apply under an allowed parent directory.
Conflicts:
- deny '/home/me/project/.env' overlaps allowed parent '/home/me/project' (source: user)
Remove the broad allow path, remove the deny path, or restructure permissions.

[lukehinds]

hi @poliveira89 sorry for such a later answer - this is a disparity between macos and linux.

On Linux today there is no way to "allow the whole workdir but carve out .env" with a single broad grant. The only workaround that works on Linux right now is to not grant the whole directory - grant the specific subpaths the agent needs instead (so .env is simply never in the allow-list), e.g. allow ./src, ./tests, etc. rather than the cwd root. This is by design of how Landlock works. Landlock is strictly allow-list: there is no "deny a child of an allowed parent" primitive. Would the suggestion from @quinncomendant work for you and you inject in phantom tokens that are typically in your env.