Type object
File match fence.json
Schema URL https://catalog.lintel.tools/schemas/schemastore/fence-configuration/latest.json
Source https://raw.githubusercontent.com/Use-Tusk/fence/refs/heads/main/docs/schema/fence.schema.json

Validate with Lintel

npx @lintel/lintel check

Properties

$schema string
format=uri
allowPty boolean

Allow the sandboxed process to allocate a pseudo-terminal (PTY). Required for interactive programs that need terminal control (e.g. vim, less, top).

command object

Command execution restrictions. Controls which commands are blocked or allowed at preflight and runtime.

5 nested properties
acceptSharedBinaryCannotRuntimeDeny string[]

Commands for which the shared-binary skip warning is silenced. Add a command here after investigating a collision and accepting that it cannot be blocked on this system.

allow string[]

Commands that override a matching deny rule. Use to carve out specific exceptions from a broad deny pattern (e.g. allow "git push origin docs" when "git push" is denied).

deny string[]

Commands or command prefixes the sandbox will refuse to run. Matched at preflight and, depending on runtimeExecPolicy, at runtime for child execs.

runtimeExecPolicy string

Runtime child-process exec enforcement mode. "path" (default) uses executable-path masking for single-token denies. "argv" enables Linux-only argv-aware exec interception for child processes.

Values: "path" "argv"
useDefaults boolean | null

Whether to include the built-in default deny list (shutdown, reboot, insmod, mkfs, etc.). Defaults to true when omitted. Set to false to manage the deny list entirely yourself.
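The deny/allow interaction described above (a deny prefix blocked unless a more specific allow rule carves out an exception, plus the useDefaults switch), as an added Python model of the documented rules; this is not fence's own implementation, and the built-in list and the prefix-on-argv-tokens matching are assumptions of this illustration.

```python
# Model of command.deny / command.allow / command.useDefaults as documented on
# this page. Not fence's code: token-prefix matching and the default-list
# contents are assumptions of this illustration.
import shlex

# Constructed subset of the built-in deny list (the page names these four).
BUILTIN_DENY = ["shutdown", "reboot", "insmod", "mkfs"]


def _is_prefix(rule, argv):
    """True if the rule's tokens are a leading run of the command's argv."""
    tokens = shlex.split(rule)
    return argv[:len(tokens)] == tokens


def effective_deny(command_cfg):
    """User deny rules plus the built-in defaults unless useDefaults is false."""
    deny = list(command_cfg.get("deny", []))
    if command_cfg.get("useDefaults", True) is not False:  # null/omitted -> true
        deny += BUILTIN_DENY
    return deny


def preflight(command_cfg, cmdline):
    """Return (allowed, reason) for a command line at preflight.

    A matching deny rule blocks the command unless an allow rule also
    matches; allow exists only to carve exceptions out of broad denies.
    """
    argv = shlex.split(cmdline)
    denied_by = [r for r in effective_deny(command_cfg) if _is_prefix(r, argv)]
    if not denied_by:
        return True, "no deny rule matched"
    allowed_by = [r for r in command_cfg.get("allow", []) if _is_prefix(r, argv)]
    if allowed_by:
        return True, f"allow {allowed_by[0]!r} overrides deny {denied_by[0]!r}"
    return False, f"denied by {denied_by[0]!r}"


# Constructed "command" section mirroring the page's git push example.
COMMAND_CFG = {
    "deny": ["git push", "rm -rf /"],
    "allow": ["git push origin docs"],
}

if __name__ == "__main__":
    for line in ["git push origin docs", "git push origin main", "shutdown -h now"]:
        print(line, "->", preflight(COMMAND_CFG, line))
```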

devices object

2 nested properties
allow string[]

mode string

Values: "auto" "minimal" "host"
extends string

Path or built-in template name to inherit base settings from (e.g. "code" or "./base.json"). Settings in this file are merged on top of the extended config.

filesystem object

Filesystem access restrictions. Controls which paths may be read, written, or executed inside the sandbox.

8 nested properties
allowExecute string[]

Paths the sandbox may execute (grants read and execute permission, but not directory listing). Use for binaries that must be reachable but whose parent directories should not be browsable.

allowGitConfig boolean

If true, allow read access to ~/.gitconfig and ~/.config/git. Enable when git operations inside the sandbox need the user's identity or settings.

allowRead string[]

Additional filesystem paths the sandbox may read. Accepts absolute paths and glob patterns.

allowWrite string[]

Filesystem paths the sandbox may write to. Accepts absolute paths and glob patterns.

defaultDenyRead boolean

If true, deny all filesystem reads by default. Only paths listed in allowRead (and essential system paths) remain readable. Use for strict read isolation.

denyRead string[]

Paths explicitly blocked from reading, even if they would otherwise be permitted by allowRead or system defaults.

denyWrite string[]

Paths explicitly blocked from writing, even if they would otherwise be permitted by allowWrite.

wslInterop boolean | null

Controls access to the WSL interop binary on Windows Subsystem for Linux. If omitted, auto-detected: WSL environments allow /init, non-WSL environments do not.

forceNewSession boolean | null
network object

Network access restrictions. Controls which domains the sandbox may connect to and how local networking is handled.

8 nested properties
allowAllUnixSockets boolean

If true, allow connections to any Unix socket path. Overrides allowUnixSockets.

allowLocalBinding boolean

Allow the sandbox to bind to local network ports. Enable this when the sandboxed process needs to run a local server.

allowLocalOutbound boolean | null

Allow outbound connections to localhost and loopback addresses. If omitted, inherits the value of allowLocalBinding.

allowUnixSockets string[]

Unix socket paths the sandbox may connect to (e.g. /var/run/docker.sock).

allowedDomains string[]

Domains the sandbox may connect to. Supports wildcards (e.g. *.example.com). Use "*" to allow all outbound connections. If empty, all outbound connections are blocked.

deniedDomains string[]

Domains explicitly blocked even if they match allowedDomains. Evaluated before allowedDomains.

httpProxyPort integer

Port for the internal HTTP proxy used to enforce domain filtering. Set automatically by fence; only override for advanced configurations.

socksProxyPort integer

Port for the internal SOCKS proxy used to enforce domain filtering. Set automatically by fence; only override for advanced configurations.
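The domain-filter ordering and defaults documented above (deniedDomains evaluated before allowedDomains, "*" allowing everything, an empty allow list blocking all outbound, allowLocalOutbound inheriting allowLocalBinding), as an added Python model; this is not fence's proxy code, and shell-style glob matching for wildcard domains is an assumption of the illustration.

```python
# Model of the network section's domain filtering as documented on this page.
# Not fence's code: glob matching via fnmatch is an assumption here.
from fnmatch import fnmatchcase


def _domain_matches(pattern, host):
    """'*' matches any host; otherwise shell-style glob, case-insensitive."""
    host = host.lower().rstrip(".")
    return pattern == "*" or fnmatchcase(host, pattern.lower())


def outbound_allowed(network_cfg, host):
    """Decide whether the sandbox may connect to host at the domain-filter stage."""
    for pattern in network_cfg.get("deniedDomains", []):
        if _domain_matches(pattern, host):
            return False  # deniedDomains is evaluated before allowedDomains
    # An empty (or missing) allowedDomains list blocks every outbound connection.
    return any(_domain_matches(p, host) for p in network_cfg.get("allowedDomains", []))


def local_outbound_allowed(network_cfg):
    """allowLocalOutbound falls back to allowLocalBinding when omitted or null."""
    value = network_cfg.get("allowLocalOutbound")
    if value is None:
        return bool(network_cfg.get("allowLocalBinding", False))
    return bool(value)


# Constructed "network" section: allow a package index and one domain's
# subdomains, but carve out an internal host even though it matches the wildcard.
NETWORK_CFG = {
    "allowedDomains": ["*.example.com", "pypi.org"],
    "deniedDomains": ["internal.example.com"],
    "allowLocalBinding": True,
}

if __name__ == "__main__":
    for host in ["api.example.com", "internal.example.com", "pypi.org", "other.net"]:
        print(host, "->", outbound_allowed(NETWORK_CFG, host))
    print("local outbound ->", local_outbound_allowed(NETWORK_CFG))
```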

ssh object

SSH command and host restrictions. Applies only to ssh invocations; does not affect other network access.

6 nested properties
allowAllCommands boolean

If true, switch SSH command filtering to denylist mode: all remote commands are permitted except those in deniedCommands. When false (the default), allowedCommands acts as an allowlist.

allowedCommands string[]

Commands permitted over SSH (allowlist mode). Only the listed commands may be executed on remote hosts. An empty list allows interactive sessions only.

allowedHosts string[]

Host patterns the sandbox may SSH to. Supports wildcards (e.g. *.example.com, prod-*). SSH connections to hosts not matching any pattern are blocked.

deniedCommands string[]

Commands blocked over SSH (denylist mode). Only meaningful when allowAllCommands is true.

deniedHosts string[]

Host patterns explicitly blocked for SSH, even if they match allowedHosts. Evaluated before allowedHosts.

inheritDeny boolean

If true, also apply the global command.deny rules to SSH remote commands.
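The ssh section's host rules and two command modes described above (deniedHosts before allowedHosts; allowlist mode by default, denylist mode when allowAllCommands is true; an empty allowlist still permitting interactive sessions; inheritDeny reusing command.deny), as an added Python model that is not fence's own code; glob host matching and token-prefix command matching are assumptions of the illustration.

```python
# Model of the ssh section as documented on this page. Not fence's code:
# glob host matching and argv-prefix command matching are assumptions.
import shlex
from fnmatch import fnmatchcase


def ssh_host_allowed(ssh_cfg, host):
    """deniedHosts is evaluated before allowedHosts; unmatched hosts are blocked."""
    host = host.lower()
    if any(fnmatchcase(host, p.lower()) for p in ssh_cfg.get("deniedHosts", [])):
        return False
    return any(fnmatchcase(host, p.lower()) for p in ssh_cfg.get("allowedHosts", []))


def _is_prefix(rule, argv):
    tokens = shlex.split(rule)
    return argv[:len(tokens)] == tokens


def ssh_command_allowed(ssh_cfg, command_cfg, remote_cmd):
    """Decide whether a remote command may run; None means an interactive session."""
    if remote_cmd is None:
        return True  # an empty allowlist still permits interactive sessions
    argv = shlex.split(remote_cmd)
    if ssh_cfg.get("inheritDeny", False):
        if any(_is_prefix(r, argv) for r in command_cfg.get("deny", [])):
            return False  # global command.deny also applies to remote commands
    if ssh_cfg.get("allowAllCommands", False):
        # Denylist mode: everything runs except deniedCommands.
        return not any(_is_prefix(r, argv) for r in ssh_cfg.get("deniedCommands", []))
    # Allowlist mode (default): only allowedCommands may run.
    return any(_is_prefix(r, argv) for r in ssh_cfg.get("allowedCommands", []))


# Constructed "ssh" and "command" sections for the checks below.
SSH_CFG = {
    "allowedHosts": ["*.example.com", "prod-*"],
    "deniedHosts": ["prod-db.example.com"],
    "allowedCommands": ["uptime", "systemctl status"],
    "inheritDeny": True,
}
COMMAND_CFG = {"deny": ["rm -rf"]}

if __name__ == "__main__":
    for host in ["dev.example.com", "prod-web01", "prod-db.example.com", "other.net"]:
        print(host, "->", ssh_host_allowed(SSH_CFG, host))
    for cmd in [None, "uptime", "systemctl status nginx", "systemctl restart nginx"]:
        print(cmd, "->", ssh_command_allowed(SSH_CFG, COMMAND_CFG, cmd))
```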