let5see/clawdbot
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Add docker bind mounds for sandboxing

Browse Source
This commit is contained in:
Aaron Konyer
2026-01-12 10:13:32 -07:00
committed by Peter Steinberger
parent 5d83be76c9
commit 0b2b8c7c52
7 changed files with 11225 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

5
docs/gateway/configuration.md
View File

@@ -1606,7 +1606,8 @@ Legacy: `perSession` is still supported (`true` → `scope: "session"`,
seccompProfile: "/path/to/seccomp.json",
apparmorProfile: "clawdbot-sandbox",
dns: ["1.1.1.1", "8.8.8.8"],
extraHosts: ["internal.service:10.0.0.5"]
extraHosts: ["internal.service:10.0.0.5"],
binds: ["/var/run/docker.sock:/var/run/docker.sock", "/home/user/source:/source:rw"]
},
browser: {
enabled: false,
@@ -1652,6 +1653,8 @@ to `"bridge"` (or your custom network) if the agent needs outbound access.
Note: inbound attachments are staged into the active workspace at `media/inbound/*`. With `workspaceAccess: "rw"`, that means files are written into the agent workspace.
Note: `docker.binds` mounts additional host directories; global and per-agent binds are merged.
Build the optional browser image with:
```bash
scripts/sandbox-browser-setup.sh