fix(sandbox): cover home credential bind audit

2026-04-23 14:45:46 +00:00 · 2026-04-04 20:24:55 +09:00
parent 3ec0463da9
commit 46cb493ac8
2 changed files with 23 additions and 0 deletions
--- a/docs/gateway/sandboxing.md
+++ b/docs/gateway/sandboxing.md
@@ -318,6 +318,7 @@ Security notes:

 - Binds bypass the sandbox filesystem: they expose host paths with whatever mode you set (`:ro` or `:rw`).
 - OpenClaw blocks dangerous bind sources (for example: `docker.sock`, `/etc`, `/proc`, `/sys`, `/dev`, and parent mounts that would expose them).
+- OpenClaw also blocks common home-directory credential roots such as `~/.aws`, `~/.cargo`, `~/.config`, `~/.docker`, `~/.gnupg`, `~/.netrc`, `~/.npm`, and `~/.ssh`.
 - Sensitive mounts (secrets, SSH keys, service credentials) should be `:ro` unless absolutely required.
 - Combine with `workspaceAccess: "ro"` if you only need read access to the workspace; bind modes stay independent.
 - See [Sandbox vs Tool Policy vs Elevated](/gateway/sandbox-vs-tool-policy-vs-elevated) for how binds interact with tool policy and elevated exec.
--- a/src/security/audit.test.ts
+++ b/src/security/audit.test.ts
@@ -1562,6 +1562,28 @@ describe("security audit", () => {
          { checkId: "sandbox.dangerous_apparmor_profile", severity: "critical" },
        ],
      },
+      {
+        name: "home credential bind is treated as dangerous",
+        cfg: {
+          agents: {
+            defaults: {
+              sandbox: {
+                mode: "all",
+                docker: {
+                  binds: [path.join(isolatedHome, ".docker", "config.json") + ":/mnt/docker:ro"],
+                },
+              },
+            },
+          },
+        } as OpenClawConfig,
+        expectedFindings: [
+          {
+            checkId: "sandbox.dangerous_bind_mount",
+            severity: "critical",
+            title: "Dangerous bind mount in sandbox config",
+          },
+        ],
+      },
      {
        name: "container namespace join network mode",
        cfg: {