github/openclaw
1
0
Fork 0
mirror of https://github.com/openclaw/openclaw.git synced 2026-04-25 03:08:38 +00:00
Code Issues Packages Projects Releases Wiki Activity

feat(sandbox): block container namespace joins by default

Browse Source
This commit is contained in:
Peter Steinberger
2026-02-24 23:19:48 +00:00
parent ccbeb332e0
commit 14b6eea6e3
17 changed files with 253 additions and 18 deletions
Download Patch File Download Diff File Expand all files Collapse all files

64
src/config/config.sandbox-docker.test.ts
View File

@@ -53,6 +53,37 @@ describe("sandbox docker config", () => {
expect(res.ok).toBe(false);
});
it("rejects container namespace join by default", () => {
const res = validateConfigObject({
agents: {
defaults: {
sandbox: {
docker: {
network: "container:peer",
},
},
},
},
});
expect(res.ok).toBe(false);
});
it("allows container namespace join with explicit dangerous override", () => {
const res = validateConfigObject({
agents: {
defaults: {
sandbox: {
docker: {
network: "container:peer",
dangerouslyAllowContainerNamespaceJoin: true,
},
},
},
},
});
expect(res.ok).toBe(true);
});
it("rejects seccomp unconfined via Zod schema validation", () => {
const res = validateConfigObject({
agents: {
@@ -219,4 +250,37 @@ describe("sandbox browser binds config", () => {
});
expect(res.ok).toBe(false);
});
it("rejects container namespace join in sandbox.browser config by default", () => {
const res = validateConfigObject({
agents: {
defaults: {
sandbox: {
browser: {
network: "container:peer",
},
},
},
},
});
expect(res.ok).toBe(false);
});
it("allows container namespace join in sandbox.browser config with explicit dangerous override", () => {
const res = validateConfigObject({
agents: {
defaults: {
sandbox: {
docker: {
dangerouslyAllowContainerNamespaceJoin: true,
},
browser: {
network: "container:peer",
},
},
},
},
});
expect(res.ok).toBe(true);
});
});