sandbox: keep workspaceAccess none workspaces writable

[whyuds]

Summary

When agents.defaults.sandbox.workspaceAccess is set to "none", OpenClaw gives each sandboxed session its own isolated workspace under ~/.openclaw/sandboxes/..., which matches the expected isolation model. However, that isolated /workspace ends up mounted read-only, so tools that need to write inside the sandbox workspace stop working.

This makes "none" behave closer to "ro" in practice, even though the agent workspace is still intentionally hidden.

Expected behavior

workspaceAccess: "none" should mean:

• the main agent workspace is not mounted into the sandbox
• each sandboxed session gets an isolated workspace under ~/.openclaw/sandboxes/...
• that isolated sandbox workspace is writable

Actual behavior

Inside the sandbox, /workspace is mounted from the per-session sandbox workspace, but it is read-only:

/workspace <- /home/whyuds/.openclaw/sandboxes/agent-main-feishu-direct-ou_83bb-2d8ddca6 (rw=false)

As a result, many tools that rely on writing into the sandbox workspace cannot be used when workspaceAccess is "none".

Why this seems like a regression

This appears related to commit 903e4dff3 (fix(sandbox): make /workspace bind mount read-only when workspaceAccess is not rw).

That change made /workspace read-only for both "ro" and "none":

• rw: /workspace writable
• ro: /workspace read-only
• none: /workspace read-only

But for "none", /workspace points at the isolated sandbox workspace rather than the main agent workspace, so making it read-only breaks the expected isolated-but-writable workflow.

Reproduction

1. Configure sandboxing so the session is sandboxed and workspaceAccess is "none"
2. Start a sandboxed session
3. Inspect the sandbox mounts or try any tool that writes to /workspace
4. Observe that /workspace is backed by ~/.openclaw/sandboxes/... but is read-only

Suggested direction

Keep workspaceAccess: "none" isolated from the main agent workspace, but make the isolated sandbox /workspace writable. Only workspaceAccess: "ro" should force /workspace read-only.

Related fix PR: #37276

[whyuds]

Additional impact note:

This is not just a minor sandbox ergonomics issue. In practice, once workspaceAccess: "none" makes the isolated sandbox workspace read-only, almost all skills that need any filesystem I/O start failing.

In my case, versions before 3.2 behaved as expected, but after upgrading, skills became nearly unusable because they could no longer read/write temp state, outputs, caches, or intermediate files inside the sandbox workspace.

So the regression impact is much broader than just /workspace permissions: it effectively breaks most I/O-heavy skills after upgrade.

[Sid-Qin]

Submitted a fix in PR #38154. Changed the mount suffix, writable flag, and allowsWrites check to only restrict writes for "ro", not "none". The isolated workspace is now writable when workspaceAccess: "none".

[zhiyudangchu]

I have also noticed this issue. Since the sandbox has its own independent workspace, it should be allowed to read and write within its own workspace, otherwise mounting this workspace will be meaningless. If configured in RW mode, all agents will share the same workspace, which undermines isolation. I don't know the significance of this design

[jaredaibot1]

Same issue for me here

[openclaw-barnacle]

This issue has been automatically marked as stale due to inactivity.
Please add updates or it will be closed.

[Joris-p]

Will this issue be fixed ?

[clawsweeper]

Codex review: keeping this open for maintainer follow-up; there is still a little grit to resolve. Reviewed June 11, 2026, 7:41 AM ET / 11:41 UTC.

Summary
Current main and the latest release still make workspaceAccess: "none" read-only at the Docker mount and filesystem-bridge layers, so the reported problem remains; it should stay open because changing it now is a sandbox security/product decision that must preserve the later skill-root read-only hardening.

Reproducibility: yes. source-level. Current main mounts and resolves the none sandbox workspace as read-only in Docker, local bridge, and remote bridge paths, and tests still expect that behavior.

Next step
Not safe for an automated fix lane until maintainers approve whether none should be isolated-writable or remain read-restricted after the skill-root hardening work.

Security
Needs attention: The issue is security-sensitive because making none writable changes a sandbox write boundary and must not reopen skill-instruction tampering.

Review details

Best possible solution:

Sandbox/security maintainers should explicitly define the none contract; if it becomes isolated-but-writable, implement it consistently across mounts, bridges, tool gating, docs, and tests while preserving read-only skill-root overlays.

Do we have a high-confidence way to reproduce the issue?

Yes, source-level. Current main mounts and resolves the none sandbox workspace as read-only in Docker, local bridge, and remote bridge paths, and tests still expect that behavior.

Is this the best way to solve the issue?

Unclear until maintainers decide the sandbox policy. The requested isolated-writable direction is plausible, but the best fix must preserve the later read-only skill-root hardening and align every backend rather than only flipping one mount flag.

AGENTS.md: found and applied where relevant.

Remaining risk / open question:

• A coarse writable-none change can make mirrored or materialized skill instruction roots writable unless nested read-only skill protection is extended to this mode.
• Docker/browser mounts, local and remote filesystem bridges, tool exposure, memory-flush behavior, tests, and docs currently disagree with the requested semantics and need one explicit contract.
• Open related work such as fix: gate sandbox write tools on writable workspace access #73385 points toward hiding write tools for none, so maintainers need to choose the intended product/security direction before implementation.

Codex review notes: model internal, reasoning high; reviewed against cdb55b3edb37.

Label changes

Label justifications:

• P1: The issue reports a regression that blocks filesystem-dependent sandboxed skills and tools for multiple users in the default isolated workspace mode.
• impact:security: The remaining decision changes a sandbox write boundary and must preserve instruction-root immutability.
• impact:session-state: The read-only isolated workspace prevents normal per-session files, outputs, caches, and other sandbox-local state from being written.

Evidence reviewed

Security concerns:

• [high] Preserve protected skill roots in writable none mode — src/agents/sandbox/workspace-mounts.ts:74
resolveReadOnlyWorkspaceSkillMounts currently returns no protected skill mounts unless workspaceAccess is rw; making /workspace writable for none without extending this policy could make copied skill instructions writable.
  Confidence: 0.93
• [medium] Keep backend and bridge write policy consistent — src/agents/sandbox/fs-bridge.ts:300
  Current local and remote bridge policies only allow writes for rw; a partial fix could leave tools, Docker mounts, and remote execution enforcing different boundaries.
  Confidence: 0.88

Acceptance criteria:

• node scripts/run-vitest.mjs src/agents/sandbox/workspace-mounts.test.ts src/agents/sandbox/fs-paths.test.ts src/agents/sandbox/fs-bridge.test.ts src/agents/sandbox/remote-fs-bridge.test.ts src/agents/sandbox/workspace-skills-bridge-readonly.test.ts src/agents/agent-tools.create-openclaw-coding-tools.test.ts src/auto-reply/reply/agent-runner-memory.test.ts
• Redacted Docker sandbox smoke proving workspaceAccess: "none" writes normal isolated workspace files, cannot access the host agent workspace, and keeps existing skill roots read-only.

What I checked:

• Current Docker mount still treats none as read-only: appendWorkspaceMountArgs formats the primary sandbox workspace bind with readOnly: workspaceAccess !== "rw", so both ro and none produce read-only /workspace mounts on current main. (src/agents/sandbox/workspace-mounts.ts:156, cdb55b3edb37)
• Current local filesystem bridge still blocks none writes: buildSandboxFsMounts marks the workspace mount writable only when workspaceAccess === "rw", and allowsWrites also returns true only for rw, so file-tool writes under none fail even when the path resolves inside the sandbox workspace. (src/agents/sandbox/fs-paths.ts:74, cdb55b3edb37)
• Current remote filesystem bridge follows the same read-only rule: The remote bridge marks the workspace mount writable only for rw and rejects mutations when workspaceAccess !== "rw", so a fix must cover remote policy too. (src/agents/sandbox/remote-fs-bridge.ts:280, cdb55b3edb37)
• Current tests encode read-only none behavior: The workspace mount tests expect workspaceAccess: "none" to produce /workspace:ro,z, including the isolated sandbox-workspace case. (src/agents/sandbox/workspace-mounts.test.ts:27, cdb55b3edb37)
• Current docs describe ro and none as write-restricted: The sandboxing docs say none shows a sandbox workspace, while the OpenShell section says ro and none restrict write behavior the same way. Public docs: docs/gateway/sandboxing.md. (docs/gateway/sandboxing.md:316, cdb55b3edb37)
• Latest release still has the same behavior: The latest release tag v2026.6.5 contains the same readOnly: workspaceAccess !== "rw" mount rule and allowsWrites only returning true for rw, so this is not just a current-main-only regression. (src/agents/sandbox/workspace-mounts.ts:156, 5181e4f7c82b)

Likely related people:

• Evan: The behavior appears to date to commit 903e4dff35d41af197e550d3bdd0b8511957011f, which explicitly made both ro and none /workspace mounts read-only. (role: read-only workspace policy introducer; confidence: medium; commits: 903e4dff35d4; files: src/agents/sandbox/docker.ts)
• steipete: Peter Steinberger authored/refactored central sandbox mount plumbing and landed the merged skill-root protection that constrains any writable-none fix. (role: recent sandbox security reviewer and merger; confidence: high; commits: 7066d5e192a6, a0f6ce03ce88; files: src/agents/sandbox/workspace-mounts.ts, src/agents/sandbox/fs-paths.ts, src/agents/sandbox/remote-fs-bridge.ts)
• jason-allen-oneal: Authored the merged skill-integrity PR whose read-only skill-root invariant a writable isolated workspace must preserve. (role: recent sandbox security feature author; confidence: high; commits: a0f6ce03ce88; files: src/agents/sandbox/workspace-mounts.ts, src/agents/sandbox/fs-paths.ts, src/agents/sandbox/workspace-skills-bridge-readonly.test.ts)
• vignesh07: Introduced the shared bind-aware filesystem resolver and file-tool bind handling used by the write/read-only bridge policy. (role: filesystem bridge path-policy contributor; confidence: medium; commits: eafda6f52671, 726ff36fd5fa; files: src/agents/sandbox/fs-paths.ts, src/agents/sandbox/fs-bridge.ts)
• neeravmakwana: Authored recent managed workspace mount relabeling in the same Docker bind surface that a writable-none change would touch. (role: adjacent sandbox mount contributor; confidence: medium; commits: 7516b423eb61; files: src/agents/sandbox/workspace-mounts.ts, src/agents/sandbox/docker.ts)

How this review workflow works

• ClawSweeper keeps one durable marker-backed review comment per issue or PR.
• Re-runs edit this comment so the latest verdict, findings, and automation markers stay together instead of adding duplicate bot comments.
• A fresh review can be triggered by eligible @clawsweeper re-review comments, exact-item GitHub events, scheduled/background review runs, or manual workflow dispatch.
• PR/issue authors and users with repository write access can comment @clawsweeper re-review or @clawsweeper re-run on an open PR or issue to request a fresh review only.
• Maintainers can also comment @clawsweeper review to request a fresh review only.
• Fresh-review commands do not start repair, autofix, rebase, CI repair, or automerge.
• Maintainer-only repair and merge flows require explicit commands such as @clawsweeper autofix, @clawsweeper automerge, @clawsweeper fix ci, or @clawsweeper address review.
• Maintainers can comment @clawsweeper explain to ask for more context, or @clawsweeper stop to stop active automation.