github/openclaw
1
0
Fork 0
mirror of https://github.com/openclaw/openclaw.git synced 2026-05-10 09:22:45 +00:00
Code Issues Packages Projects Releases Wiki Activity

fix(sandbox): same fix for browser.ts - make /workspace bind mount read-only when workspaceAccess is not rw

Browse Source 
The identical buggy logic from docker.ts also exists in browser.ts.
Applying the same fix here.
This commit is contained in:
Evan
2026-03-02 22:33:07 +00:00
committed by Peter Steinberger
parent 903e4dff35
commit 7cbcbbc642
1 changed files with 1 additions and 4 deletions
Download Patch File Download Diff File Expand all files Collapse all files

5
src/agents/sandbox/browser.ts
View File

@@ -237,10 +237,7 @@ export async function ensureSandboxBrowser(params: {
includeBinds: false, includeBinds: false,
bindSourceRoots: [params.workspaceDir, params.agentWorkspaceDir], bindSourceRoots: [params.workspaceDir, params.agentWorkspaceDir],
}); });
const mainMountSuffix = const mainMountSuffix = params.cfg.workspaceAccess === "rw" ? "" : ":ro";
params.cfg.workspaceAccess === "ro" && params.workspaceDir === params.agentWorkspaceDir
? ":ro"
: "";
args.push("-v", `${params.workspaceDir}:${params.cfg.docker.workdir}${mainMountSuffix}`); args.push("-v", `${params.workspaceDir}:${params.cfg.docker.workdir}${mainMountSuffix}`);
if (params.cfg.workspaceAccess !== "none" && params.workspaceDir !== params.agentWorkspaceDir) { if (params.cfg.workspaceAccess !== "none" && params.workspaceDir !== params.agentWorkspaceDir) {
const agentMountSuffix = params.cfg.workspaceAccess === "ro" ? ":ro" : ""; const agentMountSuffix = params.cfg.workspaceAccess === "ro" ? ":ro" : "";