github/openclaw
1
0
Fork 0
mirror of https://github.com/openclaw/openclaw.git synced 2026-05-09 12:07:40 +00:00
Code Issues Packages Projects Releases Wiki Activity

feat(sandbox): block container namespace joins by default

Browse Source
This commit is contained in:
Peter Steinberger
2026-02-24 23:19:48 +00:00
parent ccbeb332e0
commit 14b6eea6e3
17 changed files with 253 additions and 18 deletions
Download Patch File Download Diff File Expand all files Collapse all files

25
src/security/audit.test.ts
View File

@@ -855,6 +855,31 @@ describe("security audit", () => {
);
});
it("flags container namespace join network mode in sandbox config", async () => {
const cfg: OpenClawConfig = {
agents: {
defaults: {
sandbox: {
mode: "all",
docker: {
network: "container:peer",
},
},
},
},
};
const res = await audit(cfg);
expect(res.findings).toEqual(
expect.arrayContaining([
expect.objectContaining({
checkId: "sandbox.dangerous_network_mode",
severity: "critical",
title: "Dangerous network mode in sandbox config",
}),
]),
);
});
it("checks sandbox browser bridge-network restrictions", async () => {
const cases: Array<{
name: string;