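---
spec:
  # Command execution policies. A command is denied unless some allow
  # pattern matches it; if a deny pattern also matches, deny wins.
  commands:
    allow:
      # Rust regex syntax. Anchor with ^ and $ unless the matcher is
      # known to require a full match — an unanchored pattern accepts
      # extra leading/trailing text on the command line.
      - pattern: "<regex>"
    deny:
      - pattern: "<regex>"  # Deny takes precedence over allow
  # Filesystem access policies. Symlinks are resolved before the path is
  # compared against these rules, so the rules apply to real paths.
  filesystem:
    allow:
      - path: "<absolute-path>"
    deny:
      - path: "<absolute-path>"  # Deny takes precedence over allow
  # Resource limits
  resources:
    maxOutputBytes: 10485760  # Max stdout+stderr (bytes); 10 MiB here
    timeoutSeconds: 300  # Max execution time (seconds)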
- Deny-by-default: if no allow rule matches, the action is denied.
- Deny wins: if both an allow rule and a deny rule match, deny takes precedence.
- Regex matching: command patterns use Rust regex syntax.
- Path resolution: symlinks are resolved before policy checks.
- Immutable denies: some deny rules cannot be overridden (e.g., /etc/shadow).
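---
# Example: nginx operator. May inspect logs, test the config and restart
# or reload the service; TLS material under /etc/nginx/ssl stays denied.
spec:
  commands:
    allow:
      # Fixed argument lists are anchored with $ so nothing can be
      # appended to the command line (assumes the matcher sees the whole
      # command string — confirm against the enforcing component).
      - pattern: "^systemctl (status|restart|reload) nginx$"
      # Open-ended on purpose: any trailing journalctl flags are accepted.
      - pattern: "^journalctl -u nginx.*"
      # Exactly one filename directly under the nginx log directory; the
      # character class has no "/", so only a single path segment matches.
      - pattern: "^cat /var/log/nginx/[A-Za-z0-9._-]+$"
      - pattern: "^nginx -t$"
    deny:
      # Deny-by-default already blocks rm; this makes the intent explicit
      # and still wins if a future allow rule happens to match.
      - pattern: ".*rm.*-rf.*"
  filesystem:
    allow:
      - path: "/etc/nginx"
      - path: "/var/log/nginx"
    deny:
      # Deny wins over the broader /etc/nginx allow above.
      - path: "/etc/nginx/ssl"
  resources:
    maxOutputBytes: 5242880  # 5 MiB of stdout+stderr
    timeoutSeconds: 60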
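---
# Example: read-only host monitoring. No command deny list is given;
# anything not matched by an allow pattern is denied by default.
spec:
  commands:
    allow:
      # Open-ended: any unit name or further flag may follow.
      - pattern: "^systemctl status .*"
      # Fixed commands are anchored with $ so no further arguments can be
      # appended (assumes the matcher sees the whole command string —
      # confirm against the enforcing component).
      - pattern: "^df -h$"
      - pattern: "^free -m$"
      - pattern: "^uptime$"
      # Exactly one of the three listed /proc files.
      - pattern: "^cat /proc/(meminfo|cpuinfo|loadavg)$"
  filesystem:
    allow:
      - path: "/var/log"
    deny:
      # Deny wins over the broader /var/log allow above.
      - path: "/var/log/audit"
  resources:
    maxOutputBytes: 1048576  # 1 MiB of stdout+stderr
    timeoutSeconds: 30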
---
# Example: lockdown. The empty allow lists already deny everything by
# default; the explicit deny rules document the intent and take
# precedence should an allow rule ever be added.
spec:
  commands:
    allow: []
    deny:
      - pattern: ".*"
  filesystem:
    allow: []
    deny:
      - path: "/"
  resources:
    # NOTE(review): whether 0 means "no budget at all" or "unlimited" is
    # not defined on this page — confirm against the enforcing component.
    maxOutputBytes: 0
    timeoutSeconds: 0