From 1b6704ef53257f892c9220f5115d303d5a7185fd Mon Sep 17 00:00:00 2001 From: Peter Steinberger Date: Mon, 16 Feb 2026 03:05:16 +0100 Subject: [PATCH] docs: update sandbox bind mount guidance --- docs/channels/groups.md | 2 +- docs/gateway/sandboxing.md | 7 ++++--- 2 files changed, 5 insertions(+), 4 deletions(-) diff --git a/docs/channels/groups.md b/docs/channels/groups.md index 1b3fb0394a3..6bd278846c5 100644 --- a/docs/channels/groups.md +++ b/docs/channels/groups.md @@ -105,7 +105,7 @@ Want “groups can only see folder X” instead of “no host access”? Keep `w docker: { binds: [ // hostPath:containerPath:mode - "~/FriendsShared:/data:ro", + "/home/user/FriendsShared:/data:ro", ], }, }, diff --git a/docs/gateway/sandboxing.md b/docs/gateway/sandboxing.md index fe653e82d2a..fe27d2c51ad 100644 --- a/docs/gateway/sandboxing.md +++ b/docs/gateway/sandboxing.md @@ -76,7 +76,7 @@ Global and per-agent binds are **merged** (not replaced). Under `scope: "shared" - When set (including `[]`), it replaces `agents.defaults.sandbox.docker.binds` for the browser container. - When omitted, the browser container falls back to `agents.defaults.sandbox.docker.binds` (backwards compatible). -Example (read-only source + docker socket): +Example (read-only source + an extra data directory): ```json5 { @@ -84,7 +84,7 @@ Example (read-only source + docker socket): defaults: { sandbox: { docker: { - binds: ["/home/user/source:/source:ro", "/var/run/docker.sock:/var/run/docker.sock"], + binds: ["/home/user/source:/source:ro", "/var/data/myapp:/data:ro"], }, }, }, @@ -105,7 +105,8 @@ Example (read-only source + docker socket): Security notes: - Binds bypass the sandbox filesystem: they expose host paths with whatever mode you set (`:ro` or `:rw`). -- Sensitive mounts (e.g., `docker.sock`, secrets, SSH keys) should be `:ro` unless absolutely required. +- OpenClaw blocks dangerous bind sources (for example: `docker.sock`, `/etc`, `/proc`, `/sys`, `/dev`, and parent mounts that would expose them). +- Sensitive mounts (secrets, SSH keys, service credentials) should be `:ro` unless absolutely required. - Combine with `workspaceAccess: "ro"` if you only need read access to the workspace; bind modes stay independent. - See [Sandbox vs Tool Policy vs Elevated](/gateway/sandbox-vs-tool-policy-vs-elevated) for how binds interact with tool policy and elevated exec.