let5see/clawdbot
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

docs(security): explain sandboxing options

Browse Source
This commit is contained in:
Peter Steinberger
2026-01-06 18:23:53 +01:00
parent 94e300fde5
commit 8d9b2208d5
3 changed files with 49 additions and 21 deletions
Download Patch File Download Diff File Expand all files Collapse all files

4
docs/configuration.md
View File

@@ -736,7 +736,7 @@ Defaults (if enabled):
- Debian bookworm-slim based image
- workspace per session under `~/.clawdbot/sandboxes`
- auto-prune: idle > 24h OR age > 7d
- tools: allow only `bash`, `process`, `read`, `write`, `edit` (deny wins)
- tools: allow only `bash`, `process`, `read`, `write`, `edit`, `sessions_list`, `sessions_history`, `sessions_send`, `sessions_spawn` (deny wins)
- optional sandboxed browser (Chromium + CDP, noVNC observer)
- hardening knobs: `network`, `user`, `pidsLimit`, `memory`, `cpus`, `ulimits`, `seccompProfile`, `apparmorProfile`
@@ -782,7 +782,7 @@ Defaults (if enabled):
enableNoVnc: true
},
tools: {
allow: ["bash", "process", "read", "write", "edit"],
allow: ["bash", "process", "read", "write", "edit", "sessions_list", "sessions_history", "sessions_send", "sessions_spawn"],
deny: ["browser", "canvas", "nodes", "cron", "discord", "gateway"]
},
prune: {