docs: clarify sandbox bind mounts (#790)

2026-01-12 22:06:17 +00:00
parent 21405b0dfc
commit 59c8d2d17f
8 changed files with 81 additions and 11 deletions
--- a/docs/gateway/sandboxing.md
+++ b/docs/gateway/sandboxing.md
@@ -62,6 +62,41 @@ Format: `host:container:mode` (e.g., `"/home/user/source:/source:rw"`).

 Global and per-agent binds are **merged** (not replaced). Under `scope: "shared"`, per-agent binds are ignored.

+Example (read-only source + docker socket):
+
+```json5
+{
+  agents: {
+    defaults: {
+      sandbox: {
+        docker: {
+          binds: [
+            "/home/user/source:/source:ro",
+            "/var/run/docker.sock:/var/run/docker.sock"
+          ]
+        }
+      }
+    },
+    list: [
+      {
+        id: "build",
+        sandbox: {
+          docker: {
+            binds: ["/mnt/cache:/cache:rw"]
+          }
+        }
+      }
+    ]
+  }
+}
+```
+
+Security notes:
+- Binds bypass the sandbox filesystem: they expose host paths with whatever mode you set (`:ro` or `:rw`).
+- Sensitive mounts (e.g., `docker.sock`, secrets, SSH keys) should be `:ro` unless absolutely required.
+- Combine with `workspaceAccess: "ro"` if you only need read access to the workspace; bind modes stay independent.
+- See [Sandbox vs Tool Policy vs Elevated](/gateway/sandbox-vs-tool-policy-vs-elevated) for how binds interact with tool policy and elevated exec.
+
 ## Images + setup
 Default image: `clawdbot-sandbox:bookworm-slim`