Policy Schema Reference#
Complete field reference for the sandbox policy YAML. Each field is documented with its type, whether it is required, and whether it is static (locked at sandbox creation) or dynamic (hot-reloadable on a running sandbox).
Top-Level Structure#
A policy YAML file contains the following top-level fields:
version: 1
filesystem_policy: { ... }
landlock: { ... }
process: { ... }
network_policies: { ... }
Field |
Type |
Required |
Category |
Description |
|---|---|---|---|---|
|
integer |
Yes |
– |
Policy schema version. Must be |
|
object |
No |
Static |
Controls which directories the agent can read and write. |
|
object |
No |
Static |
Configures Landlock LSM enforcement behavior. |
|
object |
No |
Static |
Sets the user and group the agent process runs as. |
|
map |
No |
Dynamic |
Declares which binaries can reach which network endpoints. |
Static fields are set at sandbox creation time. Changing them requires destroying and recreating the sandbox. Dynamic fields can be updated on a running sandbox with openshell policy set and take effect without restarting.
Version#
The version field identifies which schema the policy uses:
Field |
Type |
Required |
Description |
|---|---|---|---|
|
integer |
Yes |
Schema version number. Currently must be |
Filesystem Policy#
Category: Static
Controls filesystem access inside the sandbox. Paths not listed in either read_only or read_write are inaccessible.
Field |
Type |
Required |
Description |
|---|---|---|---|
|
bool |
No |
When |
|
list of strings |
No |
Paths the agent can read but not modify. Typically system directories like |
|
list of strings |
No |
Paths the agent can read and write. Typically |
Validation constraints:
Every path must be absolute (start with
/).Paths must not contain
..traversal components. The server normalizes paths before storage, but rejects policies where traversal would escape the intended scope.Read-write paths must not be overly broad (for example,
/alone is rejected).Each individual path must not exceed 4096 characters.
The combined total of
read_onlyandread_writepaths must not exceed 256.
Policies that violate these constraints are rejected with INVALID_ARGUMENT at creation or update time. Disk-loaded YAML policies that fail validation fall back to a restrictive default.
Example:
filesystem_policy:
include_workdir: true
read_only:
- /usr
- /lib
- /proc
- /dev/urandom
- /etc
read_write:
- /sandbox
- /tmp
- /dev/null
Landlock#
Category: Static
Configures Landlock LSM enforcement at the kernel level. Landlock provides mandatory filesystem access control below what UNIX permissions allow.
Field |
Type |
Required |
Values |
Description |
|---|---|---|---|---|
|
string |
No |
|
How OpenShell handles kernel ABI differences. |
Example:
landlock:
compatibility: best_effort
Process#
Category: Static
Sets the OS-level identity for the agent process inside the sandbox.
Field |
Type |
Required |
Description |
|---|---|---|---|
|
string |
No |
The user name or UID the agent process runs as. Default: |
|
string |
No |
The group name or GID the agent process runs as. Default: |
Validation constraint: Neither run_as_user nor run_as_group may be set to root or 0. Policies that request root process identity are rejected at creation or update time.
Example:
process:
run_as_user: sandbox
run_as_group: sandbox
Network Policies#
Category: Dynamic
A map of named network policy entries. Each entry declares a set of endpoints and a set of binaries. Only the listed binaries are permitted to connect to the listed endpoints. The map key is a logical identifier. The name field inside the entry is the display name used in logs.
Network Policy Entry#
Each entry in the network_policies map has the following fields:
Field |
Type |
Required |
Description |
|---|---|---|---|
|
string |
No |
Display name for the policy entry. Used in log output. Defaults to the map key. |
|
list of endpoint objects |
Yes |
Hosts and ports this entry permits. |
|
list of binary objects |
Yes |
Executables allowed to connect to these endpoints. |
Endpoint Object#
Each endpoint defines a reachable destination and optional inspection rules.
Field |
Type |
Required |
Description |
|---|---|---|---|
|
string |
Yes |
Hostname or IP address. Supports wildcards: |
|
integer |
Yes |
TCP port number. |
|
string |
No |
Set to |
|
string |
No |
TLS handling mode. |
|
string |
No |
|
|
string |
No |
HTTP access level. One of |
|
list of rule objects |
No |
Fine-grained per-method, per-path allow rules. Mutually exclusive with |
Access Levels#
The access field accepts one of the following values:
Value |
Allowed HTTP Methods |
|---|---|
|
All methods and paths. |
|
|
|
|
Rule Object#
Used when access is not set. Each rule explicitly allows a method and path combination.
Field |
Type |
Required |
Description |
|---|---|---|---|
|
string |
Yes |
HTTP method to allow (for example, |
|
string |
Yes |
URL path pattern. Supports |
Example with rules:
rules:
- allow:
method: GET
path: /**/info/refs*
- allow:
method: POST
path: /**/git-upload-pack
Binary Object#
Identifies an executable that is permitted to use the associated endpoints.
Field |
Type |
Required |
Description |
|---|---|---|---|
|
string |
Yes |
Filesystem path to the executable. Supports glob patterns with |
Full Example#
The following policy grants read-only GitHub API access and npm registry access:
network_policies:
github_rest_api:
name: github-rest-api
endpoints:
- host: api.github.com
port: 443
protocol: rest
tls: terminate
enforcement: enforce
access: read-only
binaries:
- path: /usr/local/bin/claude
- path: /usr/bin/node
- path: /usr/bin/gh
npm_registry:
name: npm-registry
endpoints:
- host: registry.npmjs.org
port: 443
binaries:
- path: /usr/bin/npm
- path: /usr/bin/node