github/openclaw
1
0
Fork 0
mirror of https://github.com/openclaw/openclaw.git synced 2026-04-18 20:57:28 +00:00
Code Issues Packages Projects Releases Wiki Activity

Exec: fail closed when sandbox host is unavailable

Browse Source
This commit is contained in:
Brian Mendonca
2026-02-22 01:49:10 -07:00
committed by Peter Steinberger
parent 5a0032de3e
commit c76a47cce2
4 changed files with 65 additions and 12 deletions
Download Patch File Download Diff File Expand all files Collapse all files

8
docs/tools/exec.md
View File

@@ -29,7 +29,7 @@ Background sessions are scoped per agent; `process` only sees sessions from the
Notes:
- `host` defaults to `sandbox`.
- `host` defaults to `sandbox` when sandbox runtime is active, and defaults to `gateway` otherwise.
- `elevated` is ignored when sandboxing is off (exec already runs on the host).
- `gateway`/`node` approvals are controlled by `~/.openclaw/exec-approvals.json`.
- `node` requires a paired node (companion app or headless node host).
@@ -38,9 +38,9 @@ Notes:
from `PATH` to avoid fish-incompatible scripts, then falls back to `SHELL` if neither exists.
- Host execution (`gateway`/`node`) rejects `env.PATH` and loader overrides (`LD_*`/`DYLD_*`) to
prevent binary hijacking or injected code.
- Important: sandboxing is **off by default**. If sandboxing is off, `host=sandbox` runs directly on
the gateway host (no container) and **does not require approvals**. To require approvals, run with
`host=gateway` and configure exec approvals (or enable sandboxing).
- Important: sandboxing is **off by default**. If sandboxing is off and `host=sandbox` is explicitly
configured/requested, exec now fails closed instead of silently running on the gateway host.
Enable sandboxing or use `host=gateway` with approvals.
- Script preflight checks (for common Python/Node shell-syntax mistakes) only inspect files inside the
effective `workdir` boundary. If a script path resolves outside `workdir`, preflight is skipped for
that file.