From 64b9bf8d0cea05170b07137712056547384764b5 Mon Sep 17 00:00:00 2001
From: Richard Feldman
Date: Mon, 9 Mar 2026 23:06:09 -0700
Subject: [PATCH] Grant full access to /proc/self on Linux for process substitution

Bash process substitution (e.g. <(command)) creates FIFOs under /proc/self/fd/ that need write access. Change from fs_read() to fs_all() so these FIFOs can be written to by the shell.
---
 crates/sandbox/src/sandbox_linux.rs | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/crates/sandbox/src/sandbox_linux.rs b/crates/sandbox/src/sandbox_linux.rs
index 61c31a1b9cb928ec814366d2ac3526e24940130f..97d4d36efe8272961f0e72a7f8be24bbdec15e0a 100644
--- a/crates/sandbox/src/sandbox_linux.rs
+++ b/crates/sandbox/src/sandbox_linux.rs
@@ -125,7 +125,7 @@ pub fn apply_sandbox(config: &SandboxConfig) -> Result<()> {
 }
 let proc_self = Path::new("/proc/self");
 if proc_self.exists() {
- ruleset = add_path_rule(ruleset, proc_self, fs_read())
+ ruleset = add_path_rule(ruleset, proc_self, fs_all())
 .map_err(|e| Error::other(format!("landlock /proc/self rule: {e}")))?;
 }
 }
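Review bot: `fs_all()` on the whole of `/proc/self` grants more than the commit message asks for, which is write access to the FIFOs under `/proc/self/fd/`. The same tree holds other writable per-process entries (for example `/proc/self/mem`, `/proc/self/oom_score_adj` and `/proc/self/attr/`), and whatever non-read rights `fs_all()` carries now apply to those too, so the sandbox relies on procfs permission checks alone there. Consider leaving `fs_read()` on `proc_self` and adding a second, narrower rule such as `ruleset = add_path_rule(ruleset, &proc_self.join("fd"), fs_all())` with its own `map_err` message, plus a comment like `// write access only for bash process-substitution FIFOs under /proc/self/fd`. Which rights `fs_all()` includes is not visible in this hunk, and `apply_sandbox` starts and ends outside it, so confirm that the narrower rule still lets `<(command)` work, including from child processes whose `/proc/self` resolves to a different PID directory.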