Files
goclaw/docker-compose.sandbox.yml
viettranx 484d434f6c fix(security): harden sandbox, auth, and shell deny patterns
Sandbox: add noexec/nosuid/nodev to tmpfs mounts, remove SETUID/SETGID/CHOWN
caps, add PidsLimit 256 default, keep no-new-privileges from base.

Auth: reject X-GoClaw-User-Id header spoofing in dev mode (no gateway token),
use full 32-byte HMAC for file tokens instead of truncated 16-byte.

Shell: add NFKC Unicode normalization + zero-width character stripping before
deny pattern matching, add 5 export-prefixed env var deny patterns, fix
exemption logic to check per-argument prefix instead of whole-command substring
(prevents bypass via comments while preserving skill store access).
2026-04-02 18:58:24 +07:00
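The shell hardening the commit message describes (NFKC normalization plus zero-width stripping before deny-pattern matching, and an exemption checked per argument rather than as a whole-command substring) is reconstructed below as an added Python illustration; it is not the project's Go code. The deny patterns, the exemption prefix /workspace/skills/ and the test commands are constructed for the example, since the project's real lists are not on this page. Python is used here because its standard-library unicodedata module supplies NFKC, which Go's standard library does not.

```python
import re
import shlex
import unicodedata
from typing import List, Optional, Tuple

# Illustrative deny patterns (constructed for this example; the project's real
# list is not on the page). They are applied to the *normalized* command.
DENY_PATTERNS = {
    "export-ld-preload": re.compile(r"(^|[;&|]\s*)export\s+LD_PRELOAD="),
    "export-path": re.compile(r"(^|[;&|]\s*)export\s+PATH="),
    "chmod-exec": re.compile(r"(^|[;&|]\s*)chmod\s+\+x\b"),
}

# Rules that may be waived when every target path lies under an exempt prefix.
# This stands in for the "skill store" exemption; the prefix is an assumption.
EXEMPTIBLE = {"chmod-exec"}
EXEMPT_PREFIXES = ("/workspace/skills/",)


def normalize(command: str) -> str:
    """NFKC-fold the command, then drop Unicode format characters (category Cf).

    NFKC maps compatibility forms such as fullwidth letters onto ASCII, so
    'ｅｘｐｏｒｔ' becomes 'export'. Zero-width space/joiner, word joiner, BOM
    and bidi overrides are all category Cf and survive NFKC, so they are
    removed separately; otherwise they could split a denied keyword.
    """
    folded = unicodedata.normalize("NFKC", command)
    return "".join(ch for ch in folded if unicodedata.category(ch) != "Cf")


def target_args(command: str) -> List[str]:
    """Shell-style tokenization with comments discarded, returning the
    non-flag arguments. Text after '#' therefore cannot smuggle an exempt
    path into the argument list."""
    try:
        tokens = shlex.split(command, comments=True)
    except ValueError:
        return []  # unbalanced quotes: treat as having no exempt targets
    return [t for t in tokens[1:] if not t.startswith(("-", "+"))]


def exempt_old(command: str) -> bool:
    """Pre-fix behaviour (constructed to show the weakness the commit fixes):
    exempt if an exempt prefix occurs anywhere in the command string."""
    return any(p in command for p in EXEMPT_PREFIXES)


def exempt_new(command: str) -> bool:
    """Per-argument check: waived only if there is at least one target path
    and every target path starts with an exempt prefix."""
    targets = target_args(command)
    return bool(targets) and all(t.startswith(EXEMPT_PREFIXES) for t in targets)


def check_command(command: str, per_argument: bool = True) -> Tuple[bool, Optional[str]]:
    """Return (allowed, matched_rule). Normalization runs before matching."""
    normalized = normalize(command)
    exempt = exempt_new(normalized) if per_argument else exempt_old(normalized)
    for name, pattern in DENY_PATTERNS.items():
        if pattern.search(normalized):
            if name in EXEMPTIBLE and exempt:
                continue  # waived: all targets are inside the exempt prefix
            return False, name
    return True, None


# Constructed test commands: a legitimate skill-store action, a comment-based
# exemption bypass, a fullwidth keyword and a zero-width-split keyword.
CASES = [
    "chmod +x /workspace/skills/run.sh",
    "chmod +x /etc/cron.d/job # /workspace/skills/",
    "\uff45\uff58\uff50\uff4f\uff52\uff54 PATH=/tmp/x:$PATH",
    "ex\u200bport LD_PRELOAD=/tmp/x.so",
]

if __name__ == "__main__":
    for cmd in CASES:
        print(f"per-arg {check_command(cmd)!s:26} substring {check_command(cmd, False)!s:26} {cmd!r}")
```

Run it to see the second case allowed by the substring exemption and denied by the per-argument one, while the first case stays allowed under both.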

39 lines
1.4 KiB
YAML

# Sandbox overlay — enables Docker-based sandbox for agent code execution.
#
# Prerequisites:
# 1. Build the sandbox image: docker build -t goclaw-sandbox:bookworm-slim -f Dockerfile.sandbox .
# 2. Ensure Docker socket is accessible (required for container orchestration)
#
# Usage:
# docker compose -f docker-compose.yml -f docker-compose.sandbox.yml up
#
# SECURITY WARNING: This overlay mounts the Docker socket, giving the container
# control over host Docker. Deploy only behind a trusted network boundary.
# For maximum isolation, consider using Docker-in-Docker (dind) or Sysbox instead.
services:
  goclaw:
    build:
      args:
        ENABLE_SANDBOX: "true"
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
    environment:
      - GOCLAW_SANDBOX_MODE=all
      - GOCLAW_SANDBOX_IMAGE=goclaw-sandbox:bookworm-slim
      - GOCLAW_SANDBOX_WORKSPACE_ACCESS=rw
      - GOCLAW_SANDBOX_SCOPE=session
      - GOCLAW_SANDBOX_MEMORY_MB=512
      - GOCLAW_SANDBOX_CPUS=1.0
      - GOCLAW_SANDBOX_TIMEOUT_SEC=300
      - GOCLAW_SANDBOX_NETWORK=false
    # Docker socket requires overriding base cap_drop to allow container orchestration.
    # Keep security_opt (no-new-privileges) from base — do NOT clear it.
    # Only add the minimum cap needed: NET_BIND_SERVICE for port binding.
    # SETUID/SETGID/CHOWN removed to prevent privilege escalation.
    cap_drop: []
    cap_add:
      - NET_BIND_SERVICE
    group_add:
      - ${DOCKER_GID:-999}
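The overlay above configures the goclaw service itself, which is the orchestrator that holds the Docker socket; the sandbox hardening the commit message lists (noexec/nosuid/nodev on tmpfs mounts, SETUID/SETGID/CHOWN removed, PidsLimit 256, no-new-privileges kept) applies to the sandbox containers goclaw launches. The following audit, added here as an example and not part of the repository, checks a running sandbox container's HostConfig as emitted by `docker inspect --format '{{json .HostConfig}}' <container>` against those expectations. The two HostConfig documents embedded below are constructed samples, not captured from a real deployment.

```python
import json
from typing import List

# Expectations taken from the commit message; the 256 default is the PidsLimit it names.
REQUIRED_TMPFS_FLAGS = {"noexec", "nosuid", "nodev"}
FORBIDDEN_CAPS = {"SETUID", "SETGID", "CHOWN"}
MAX_PIDS = 256


def _cap_names(caps) -> set:
    # docker inspect may list caps as "SETUID" or "CAP_SETUID"; fold to one form.
    return {c.upper().removeprefix("CAP_") for c in (caps or [])}


def audit_host_config(host_config: dict) -> List[str]:
    """Return human-readable findings; an empty list means the container
    matches the hardening described in the commit message."""
    findings: List[str] = []

    # 1. Every tmpfs mount must carry noexec, nosuid and nodev.
    for path, opts in (host_config.get("Tmpfs") or {}).items():
        flags = {o.strip() for o in opts.split(",") if o.strip()}
        missing = REQUIRED_TMPFS_FLAGS - flags
        if missing:
            findings.append(f"tmpfs {path}: missing {','.join(sorted(missing))}")

    # 2. SETUID/SETGID/CHOWN must not be added, and must be dropped. They are in
    #    Docker's default capability set, so "not dropped" means still present.
    cap_add, cap_drop = _cap_names(host_config.get("CapAdd")), _cap_names(host_config.get("CapDrop"))
    for cap in sorted(FORBIDDEN_CAPS):
        if cap in cap_add:
            findings.append(f"cap {cap} explicitly added")
        elif cap not in cap_drop and "ALL" not in cap_drop:
            findings.append(f"cap {cap} not dropped (still in Docker's default set)")

    # 3. A pids limit must be enforced (null, 0 and -1 all mean no limit).
    pids = host_config.get("PidsLimit")
    if not pids or pids <= 0:
        findings.append("PidsLimit unset or unlimited")
    elif pids > MAX_PIDS:
        findings.append(f"PidsLimit {pids} exceeds {MAX_PIDS}")

    # 4. no-new-privileges must be present (either "no-new-privileges" or
    #    "no-new-privileges:true" appear in practice).
    if not any(o.startswith("no-new-privileges") for o in (host_config.get("SecurityOpt") or [])):
        findings.append("no-new-privileges missing from SecurityOpt")

    return findings


# Constructed sample: a sandbox container before the hardening.
WEAK_HOST_CONFIG = json.loads("""
{"Tmpfs": {"/tmp": "rw,size=64m"}, "CapAdd": null, "CapDrop": null,
 "PidsLimit": null, "SecurityOpt": ["no-new-privileges"]}
""")

# Constructed sample: a sandbox container after the hardening.
HARDENED_HOST_CONFIG = json.loads("""
{"Tmpfs": {"/tmp": "rw,noexec,nosuid,nodev,size=64m",
           "/run": "rw,noexec,nosuid,nodev,size=16m"},
 "CapAdd": [], "CapDrop": ["ALL"], "PidsLimit": 256,
 "SecurityOpt": ["no-new-privileges"]}
""")

if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_HOST_CONFIG), ("hardened", HARDENED_HOST_CONFIG)):
        findings = audit_host_config(cfg)
        print(f"{label}: {'OK' if not findings else ''}")
        for f in findings:
            print(f"  - {f}")
```

In production the dict would come from `json.loads(subprocess.check_output(["docker", "inspect", "--format", "{{json .HostConfig}}", container_id]))`; running the audit against every container created from the sandbox image turns the commit's hardening into a repeatable check rather than a one-time code change.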