fix: use wildcard in allowLocalBinding seatbelt rules for IPv6 dual-stack compatibility#127
Merged
dylan-conway merged 2 commits intomainfrom Feb 10, 2026
Merged
Conversation
…tack compatibility Modern runtimes like Java create IPv6 dual-stack sockets by default. When binding such a socket to 127.0.0.1, the kernel represents the address as ::ffff:127.0.0.1 (IPv4-mapped IPv6). macOS Seatbelt's "localhost" filter only matches 127.0.0.1 and ::1, not the IPv4-mapped variant, causing bind() to fail with EPERM. Seatbelt only supports two host values in IP filters: "localhost" and "*". Since we can't specify ::ffff:127.0.0.1 explicitly, change to (local ip "*:*"). This is safe because the (local ip) filter matches the LOCAL endpoint of connections — internet-bound traffic originates from non-loopback interfaces, so it remains blocked by the (deny default) rule. Fixes: anthropics/claude-code#18545
ddworken
approved these changes
Feb 10, 2026
Collaborator
ddworken
left a comment
ddworken
left a comment
There was a problem hiding this comment.
If it is practical, it would be cool to add some tests for this!
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Problem
Gradle builds fail in sandbox mode with
allowLocalBinding: truebecause the Gradle daemon cannot bind to TCP localhost:Root Cause
Modern Java (and other runtimes) create IPv6 dual-stack sockets by default via
ServerSocketChannel.open(). When binding such a socket to127.0.0.1, the kernel internally represents the address as::ffff:127.0.0.1(IPv4-mapped IPv6 address).macOS Seatbelt's
(local ip "localhost:*")filter resolveslocalhostto127.0.0.1and::1, but does not match::ffff:127.0.0.1. Seatbelt only supports two host values in IP filters:localhostand*— there is no way to specify::ffff:127.0.0.1explicitly.localhost?127.0.0.1127.0.0.1127.0.0.1::ffff:127.0.0.1::1::1Fix
Change the seatbelt rules from
(local ip "localhost:*")to(local ip "*:*").Safety Analysis
Tested via
sandbox-exec—(local ip "localhost:*")is already more permissive than its name suggests. It allows binding, listening, inbound, and outbound on all local addresses, not just loopback:localhost:**:*127.0.0.10.0.0.0::1/::::ffff:127.0.0.1::ffff:<LAN_IP>The only new addresses
*:*permits are the::ffff:x.x.x.x(IPv4-mapped IPv6) family. These are equivalent to their unmapped counterparts — every operation achievable via::ffff:<addr>can already be done via<addr>directly underlocalhost:*. The change grants no new network capability.Verified via
sandbox-exectesting:allowLocalBinding: blockedFixes: anthropics/claude-code#18545