github/openclaw
1
0
Fork 0
mirror of https://github.com/openclaw/openclaw.git synced 2026-05-09 11:27:39 +00:00
Code Issues Packages Projects Releases Wiki Activity

fix(security): harden sandbox docker config validation

Browse Source
This commit is contained in:
Peter Steinberger
2026-02-16 03:03:55 +01:00
parent d4bdcda324
commit 887b209db4
11 changed files with 691 additions and 6 deletions
Download Patch File Download Diff File Expand all files Collapse all files

4
src/agents/sandbox/docker.ts
View File

@@ -111,6 +111,7 @@ import { computeSandboxConfigHash } from "./config-hash.js";
import { DEFAULT_SANDBOX_IMAGE, SANDBOX_AGENT_WORKSPACE_MOUNT } from "./constants.js";
import { readRegistry, updateRegistry } from "./registry.js";
import { resolveSandboxAgentId, resolveSandboxScopeKey, slugifySessionKey } from "./shared.js";
import { validateSandboxSecurity } from "./validate-sandbox-security.js";
const HOT_CONTAINER_WINDOW_MS = 5 * 60 * 1000;
@@ -240,6 +241,9 @@ export function buildSandboxCreateArgs(params: {
labels?: Record<string, string>;
configHash?: string;
}) {
// Runtime security validation: blocks dangerous bind mounts, network modes, and profiles.
validateSandboxSecurity(params.cfg);
const createdAtMs = params.createdAtMs ?? Date.now();
const args = ["create", "--name", params.name];
args.push("--label", "openclaw.sandbox=1");