Validate sandbox bind parent paths [AI]

[mmaps]

Summary

• Validate sandbox bind sources in both path directions, so a bind source that contains a blocked descendant is rejected.
• Keep project-specific parent mounts such as /var/data valid when they do not cover blocked paths.
• Add focused regression coverage for parent bind sources and the Docker create-args validation path.
• AI-assisted.

Linked context

No public issue is linked.

Real behavior proof (required for external PRs)

• Behavior or issue addressed: Docker sandbox bind source validation now rejects parent sources that cover blocked descendants.

• Real environment tested: Local Linux checkout using the actual Docker create-args runtime path plus the repo Vitest wrapper.

• Exact steps or command run after this patch: node --import tsx script importing buildSandboxCreateArgs from src/agents/sandbox/docker.ts, plus node scripts/run-vitest.mjs src/agents/sandbox/validate-sandbox-security.test.ts src/agents/sandbox-create-args.test.ts

• Evidence after fix:

  broad-var-parent: BLOCKED Sandbox security: bind mount "/var:/mnt/var:ro" covers blocked path "/var/run". Mounting system directories, credential paths, or Docker socket paths into sandbox containers is not allowed. Use project-specific paths instead (e.g. /home/user/myproject).
  project-var-data: ALLOWED ["/var/data/myapp:/data:ro"]
  tmp-project: ALLOWED ["/tmp/openclaw-bind-proof-0UVoq1:/data:ro"]
  

• Observed result after fix: The real Docker argument builder rejects a broad parent bind before container creation and still emits -v arguments for narrower project-specific binds.

• What was not tested: Full Docker daemon container startup and broad CI have not completed yet.

• Proof limitations or environment constraints: The real proof covers the runtime validation path that runs immediately before Docker container creation; it does not start a Docker container.

• Before evidence (optional but encouraged): Existing tests allowed /var as a parent source; the updated regression now expects that source to be rejected.

Tests and validation

• node scripts/run-vitest.mjs src/agents/sandbox/validate-sandbox-security.test.ts src/agents/sandbox-create-args.test.ts
• pnpm format:check -- src/agents/sandbox/validate-sandbox-security.ts src/agents/sandbox/validate-sandbox-security.test.ts src/agents/sandbox-create-args.test.ts
• node scripts/run-oxlint.mjs src/agents/sandbox/validate-sandbox-security.ts src/agents/sandbox/validate-sandbox-security.test.ts src/agents/sandbox-create-args.test.ts
• git diff --check

Regression coverage was added for parent sources that cover blocked descendants and for the Docker create-args path that runs sandbox validation.

Risk checklist

• Did user-visible behavior change? Yes
• Did config, environment, or migration behavior change? No
• Did security, auth, secrets, network, or tool execution behavior change? Yes
• Highest-risk area: Existing sandbox configs that bind broad host parent directories may now fail validation.
• Risk mitigation: The change is limited to blocked-path coverage checks, keeps narrower project paths valid, and is covered by focused regression tests.

Current review state

• Next action: Run automated review, private completeness gates, and CI checks.
• Waiting on: Review refresh, post-solve gates, and CI.
• Bot or reviewer comments addressed: Added real Docker create-args behavior proof for the parent-bind rejection and narrow-bind allow case.

[clawsweeper]

Codex review: needs maintainer review before merge. Reviewed June 9, 2026, 2:27 PM ET / 18:27 UTC.

Summary
The PR changes shared sandbox bind validation to reject host bind sources that cover blocked descendants and adds validator/create-args regression tests.

PR surface: Source +4, Tests +36. Total +40 across 3 files.

Reproducibility: yes. from source inspection: current main only checks whether the source is equal to or under a blocked path, and its tests explicitly allowed /var:/var. The PR updates those expectations to reject parent sources covering blocked descendants.

Review metrics: 1 noteworthy metric.

• Sandbox validation policy: 1 fail-closed parent-bind rule added; 0 config flags added. The change tightens runtime acceptance of existing sandbox bind configs without adding an upgrade switch.

Merge readiness
Overall: 🐚 platinum hermit
Proof: 🐚 platinum hermit
Patch quality: 🐚 platinum hermit
Result: ready for maintainer review.

Overall follows the weaker of proof and patch quality, so missing proof can cap an otherwise strong patch.

Rank-up moves:

• none.

Risk before merge

• [P1] Existing sandbox or browser configs that bind broad host parents such as /var or a whole home directory can now fail before Docker create instead of starting.
• [P1] The PR body proves the changed pre-create argument builder path, but not a full Docker daemon container startup; that is acceptable for this specific validation path but still leaves broader runtime smoke coverage to CI or maintainer testing.

Maintainer options:

1. Accept documented fail-closed hardening (recommended)
   Treat broad parent binds that expose blocked descendants as unsupported and carry release-note context for users who need narrower project-specific binds.
2. Add an upgrade-safe alternative
   If maintainers consider broad parent binds a supported upgrade contract, add an explicit reviewed compatibility path before merging this fail-closed change.
3. Pause until secops reviews the policy
   If ownership approval is unclear, hold the PR for the CODEOWNERS security reviewers instead of merging a sandbox policy change by automation.

Next step before merge

• [P2] Manual review is needed for compatibility acceptance and normal merge readiness; there is no narrow automated repair to request.

Security
Cleared: The diff tightens sandbox bind validation and adds focused regression coverage; no supply-chain, secret-handling, or security-boundary weakening concern was found.

Review details

Best possible solution:

Land the shared-validator hardening after maintainer acceptance of the fail-closed upgrade impact and normal CI, with release-note context for broad bind configs.

Do we have a high-confidence way to reproduce the issue?

Yes from source inspection: current main only checks whether the source is equal to or under a blocked path, and its tests explicitly allowed /var:/var. The PR updates those expectations to reject parent sources covering blocked descendants.

Is this the best way to solve the issue?

Yes, this is the right layer because the shared validator gates Docker create args and security audit diagnostics, and the docs already describe parent mounts exposing blocked paths as blocked. The remaining decision is whether maintainers accept the upgrade impact of enforcing that documented policy.

AGENTS.md: found and applied where relevant.

Codex review notes: model gpt-5.5, reasoning high; reviewed against 52154eda0dd1.

Label changes

Label changes:

• add proof: sufficient: Contributor real behavior proof is sufficient. The PR body supplies after-fix live output from the actual buildSandboxCreateArgs path showing the broad parent bind rejected and narrower binds accepted before Docker create arguments are emitted.
• add rating: 🐚 platinum hermit: Overall readiness is 🐚 platinum hermit; proof is 🐚 platinum hermit and patch quality is 🐚 platinum hermit.
• add status: 👀 ready for maintainer look: ClawSweeper has no concrete contributor-facing blocker left for this PR. Sufficient (live_output): The PR body supplies after-fix live output from the actual buildSandboxCreateArgs path showing the broad parent bind rejected and narrower binds accepted before Docker create arguments are emitted.
• remove rating: 🦪 silver shellfish: Current PR rating is rating: 🐚 platinum hermit, so this older rating label is no longer current.
• remove status: 📣 needs proof: Current PR status label is status: 👀 ready for maintainer look.

Label justifications:

• P2: This is a normal-priority sandbox hardening fix with limited but real compatibility impact for broad bind configurations.
• merge-risk: 🚨 compatibility: Merging can make existing sandbox configs that bind broad host parent directories fail during Docker sandbox startup.
• rating: 🐚 platinum hermit: Overall readiness is 🐚 platinum hermit; proof is 🐚 platinum hermit and patch quality is 🐚 platinum hermit.
• status: 👀 ready for maintainer look: ClawSweeper has no concrete contributor-facing blocker left for this PR. Sufficient (live_output): The PR body supplies after-fix live output from the actual buildSandboxCreateArgs path showing the broad parent bind rejected and narrower binds accepted before Docker create arguments are emitted.
• proof: sufficient: Contributor real behavior proof is sufficient. The PR body supplies after-fix live output from the actual buildSandboxCreateArgs path showing the broad parent bind rejected and narrower binds accepted before Docker create arguments are emitted.

Evidence reviewed

PR surface:

Source +4, Tests +36. Total +40 across 3 files.

View PR surface stats

Area	Files	Added	Removed	Net
Source	1	14	10	+4
Tests	2	40	4	+36
Docs	0	0	0	0
Config	0	0	0	0
Generated	0	0	0	0
Other	0	0	0	0
Total	3	54	14	+40

What I checked:

• Current main gap: Current main only rejects a source equal to or under a blocked host path, which is why /var:/var was allowed even though it covers /var/run. (src/agents/sandbox/validate-sandbox-security.ts:146, 52154eda0dd1)
• Existing regression expectation: Current main tests explicitly expected getBlockedBindReason("/var:/var") to return null and validateBindMounts(["/var:/var"]) to be allowed. (src/agents/sandbox/validate-sandbox-security.test.ts:39, 52154eda0dd1)
• PR fix shape: The PR adds a bidirectional policy-path helper and returns kind="covers" when a source root contains a blocked descendant such as /var/run or home credential directories. (src/agents/sandbox/validate-sandbox-security.ts:146, 5441c032b1e5)
• Runtime entry point: buildSandboxCreateArgs calls validateSandboxSecurity before Docker arguments are emitted, and container/browser creation pass includeBinds:false before appending custom binds, so this shared validation gates both runtime paths. (src/agents/sandbox/docker.ts:443, 52154eda0dd1)
• Audit sibling surface: The security audit also calls getBlockedBindReason for sandbox.dangerous_bind_mount findings, so this PR consistently tightens diagnostics for the same bind policy. (src/security/audit-extra.sync.ts:865, 52154eda0dd1)
• Documented contract: The public sandboxing docs already say OpenClaw blocks dangerous bind sources including parent mounts that would expose docker.sock, /etc, /proc, /sys, /dev, and related blocked paths. Public docs: docs/gateway/sandboxing.md. (docs/gateway/sandboxing.md:365, 52154eda0dd1)

Likely related people:

• openclaw/openclaw-secops: The sandbox validator and sandbox directory are security-sensitive paths assigned to this owner group in CODEOWNERS. (role: CODEOWNERS review owner; confidence: high; files: .github/CODEOWNERS, src/agents/sandbox/validate-sandbox-security.ts, src/agents/sandbox/docker.ts)
• cxy: Local blame for the relevant current-main validator and Docker create-args lines points to d12b7b0, though the grafted checkout makes this a weak ownership signal. (role: current-main snapshot carrier; confidence: low; commits: d12b7b055189; files: src/agents/sandbox/validate-sandbox-security.ts, src/agents/sandbox/docker.ts)

What the crustacean ranks mean

• 🦀 challenger crab: rare, exceptional readiness with strong proof, clean implementation, and convincing validation.
• 🦞 diamond lobster: very strong readiness with only minor maintainer review expected.
• 🐚 platinum hermit: good normal PR, likely mergeable with ordinary maintainer review.
• 🦐 gold shrimp: useful signal, but proof or patch confidence is still limited.
• 🦪 silver shellfish: thin signal; proof, validation, or implementation needs work.
• 🧂 unranked krab: not merge-ready because proof is missing/unusable or there are serious correctness or safety concerns.
• 🌊 off-meta tidepool: rating does not apply to this item.

Shiny media proof means a screenshot, video, or linked artifact directly shows the changed behavior. Runtime, network, CSP, and security claims still need visible diagnostics.

How this review workflow works

• ClawSweeper keeps one durable marker-backed review comment per issue or PR.
• Re-runs edit this comment so the latest verdict, findings, and automation markers stay together instead of adding duplicate bot comments.
• A fresh review can be triggered by eligible @clawsweeper re-review comments, exact-item GitHub events, scheduled/background review runs, or manual workflow dispatch.
• PR/issue authors and users with repository write access can comment @clawsweeper re-review or @clawsweeper re-run on an open PR or issue to request a fresh review only.
• Maintainers can also comment @clawsweeper review to request a fresh review only.
• Fresh-review commands do not start repair, autofix, rebase, CI repair, or automerge.
• Maintainer-only repair and merge flows require explicit commands such as @clawsweeper autofix, @clawsweeper automerge, @clawsweeper fix ci, or @clawsweeper address review.
• Maintainers can comment @clawsweeper explain to ask for more context, or @clawsweeper stop to stop active automation.

[mmaps]

Real create-args proof has been added to the PR body. It shows the broad parent bind rejected before Docker arguments are emitted and narrower project-specific binds still allowed.

@clawsweeper re-review

[clawsweeper]

🦞🧹
ClawSweeper re-review requested.

I asked ClawSweeper to review this item again.
Action: item re-review queued (workflow sweep.yml, event repository_dispatch).
Result: the existing ClawSweeper review comment will be edited in place when the review finishes.

Re-review progress:

• State: Complete
• Detail: The targeted re-review finished, the durable review comment was updated, and the synced verdict was routed.
• Run: https://github.com/openclaw/clawsweeper/actions/runs/27226726501
• Updated: 2026-06-09T18:28:30.394Z

[mmaps]

Verification before merge:

Behavior addressed: Sandbox bind validation now rejects broad host parent sources that contain blocked descendants while keeping narrower project-specific binds allowed.
Real environment tested: Local Linux checkout, real Docker create-args runtime path, repo Vitest wrapper, repo formatting/lint wrappers, GitHub PR checks, repo-local autoreview, ClawSweeper re-review, and private completeness gates.
Exact steps or commands run after this patch:

• node scripts/run-vitest.mjs src/agents/sandbox/validate-sandbox-security.test.ts src/agents/sandbox-create-args.test.ts
• pnpm format:check -- src/agents/sandbox/validate-sandbox-security.ts src/agents/sandbox/validate-sandbox-security.test.ts src/agents/sandbox-create-args.test.ts
• node scripts/run-oxlint.mjs src/agents/sandbox/validate-sandbox-security.ts src/agents/sandbox/validate-sandbox-security.test.ts src/agents/sandbox-create-args.test.ts
• git diff --check
• node --import tsx inline proof importing buildSandboxCreateArgs from src/agents/sandbox/docker.ts
• .agents/skills/autoreview/scripts/autoreview --mode branch --base origin/main
  Evidence after fix:
• Runtime proof showed /var:/mnt/var:ro rejected with covers blocked path "/var/run".
• Runtime proof showed /var/data/myapp:/data:ro and a temp project bind allowed and emitted as -v bind args.
• Focused Vitest passed: 2 shards, 52 tests.
• Private dry-run gate: passed for head 5441c032b1e5c421a8f28f3c2df46912b8b8f568.
• Real private gate: passed for head 5441c032b1e5c421a8f28f3c2df46912b8b8f568.
• Repo-local autoreview: clean, no accepted/actionable findings.
• ClawSweeper re-review: proof: sufficient, status: ready for maintainer look.
• GitHub PR checks: 134 pass, 30 skipped, 0 active/failing for head 5441c032b1e5c421a8f28f3c2df46912b8b8f568.
  Observed result after fix: The runtime validation gate stops broad parent binds before Docker bind args are appended, and narrower safe bind sources still pass.
  What was not tested: Full Docker daemon container startup was not run locally; the runtime gate immediately before Docker container creation was tested directly.

Regression Risk:
Medium. Existing sandbox or browser configs that bind broad host parents such as /var or a whole home directory may now fail closed; no config keys, defaults, schemas, or wire formats changed.

Best fix verdict:
Appropriate layer and scope. The shared sandbox bind validator owns this decision, so normal Docker sandbox creation, browser sandbox creation, create-args tests, and audit checks share the same corrected path relation.

User behavior change:
Before, broad parent bind sources could be accepted even when they exposed blocked descendants. After, those broad binds are rejected with covers blocked path; project-specific binds such as /var/data/myapp:/data:ro remain allowed.

[eleqtrizit]

Summary of Checks Completed

This PR hardens the sandbox bind-mount validator to reject host source paths that contain blocked descendant paths (e.g., mounting /var to expose /var/run/docker.sock). Here is a plain-English summary of every check performed to ensure the change is correct, compatible, and safe.

Relevance

The issue is a real security vulnerability — a sandbox bypass where the bind-mount validator only checked if a source path was inside a blocked path, but never checked if the source path contained a blocked path. This allowed mounting broad parent directories like /var or $HOME to expose the Docker socket, credentials, SSH keys, and other sensitive paths the denylist exists to protect. The fix closes that gap by adding a reverse containment check.

Compatibility

The fix is minimal and targeted. Narrow project-specific mounts like /var/data/myapp:/data:ro remain allowed. Only unsafe broad mounts that previously bypassed the denylist are now blocked — this is the intended security hardening. No config keys, defaults, schemas, wire formats, or environment variables changed. Existing configs that bind broad host parents will now fail closed before container creation, which is the correct security behavior.

ClawSweeper

ClawSweeper reviewed the PR and rated it ready for maintainer look with proof sufficient. The review confirmed the fix is correct, the security boundary is properly tightened, and no correctness issues exist. The only noted items are documented risks (fail-closed for broad bind configs, needs maintainer compatibility acceptance) — not problems with the fix itself.

Code Reviews Completed

The code was reviewed through multiple automated passes covering correctness, security, compatibility, and completeness. All reviews converged on the same conclusion: the fix is correct, well-scoped, and the right hardening for this vulnerability.

---

Checks Completed

Check	Status
Local unit tests — sandbox validation and Docker create-args test suites	✅ Passed (52 tests across 2 shards)
Real runtime proof — live Docker create-args validation with broad parent bind (/var:/mnt/var) rejected and narrow bind (/var/data:/data) allowed	✅ Verified
Formatting check — oxfmt on all changed files	✅ Passed
Linting — oxlint on all changed files	✅ Passed
Git diff whitespace check	✅ Passed
Import cycle check	✅ Passed
Shrinkwrap integrity check	✅ Passed
Production type check	✅ Passed
Test type check	✅ Passed
Dependency guard	✅ Passed
Dependency guard (detect)	✅ Passed
Security fast scan	✅ Passed
Security high — core auth/secrets	✅ Passed
Security high — channel runtime boundary	✅ Passed
Security high — network SSRF boundary	✅ Passed
Security high — MCP process tool boundary	✅ Passed
Security high — plugin trust boundary	✅ Passed
Security high — actions	✅ Passed
Critical Quality — core auth/secrets	✅ Passed
Critical Quality shard selection	✅ Passed
CodeQL analysis	✅ Passed
Opengrep OSS analysis	✅ Passed
Socket Security — project report	✅ Passed
Socket Security — PR alerts	✅ Passed
Actionlint (GitHub Actions)	✅ Passed
Build artifacts	✅ Passed
No tabs check	✅ Passed
Preflight	✅ Passed
pnpm store warmup	✅ Passed
Fast checks — bundled protocol	✅ Passed
Fast checks — bun launcher	✅ Passed
Fast checks — contracts plugins (A, B)	✅ Passed
Fast checks — contracts channels (A, B)	✅ Passed
Node core fast checks	✅ Passed
Node core source security	✅ Passed
Node core UI	✅ Passed
Node core support	✅ Passed
Node core runtime hooks	✅ Passed
Node core runtime infrastructure — approval/exec, channel/plugin, CLI/UI, device, diagnostics/state, core utils, env/auth, events/runtime, file safety, files/commands, gateway/lock/argv, gateway/processes, gateway/watch, heartbeat/core, heartbeat/runner, misc/dedupe/disk, misc/OS, misc/values, net/install, network/node, network/platform, outbound/actions, outbound/core, provider/push, repo/tooling, storage/state, system/runtime, process	✅ All passed
Node core runtime secrets	✅ Passed
Node core runtime media UI	✅ Passed
Node core runtime shared	✅ Passed
Node core runtime cron — core, isolated agent, service	✅ All passed
Node agentic control plane — agent chat, auth/node, HTTP models, HTTP plugin/WS, runtime, runtime config, runtime cron, runtime events, runtime network, runtime server, runtime shared token, runtime state, runtime UI tools, startup config, startup core, startup health/runtime, startup restart/close	✅ All passed
Node agentic CLI	✅ Passed
Node agentic command support	✅ Passed
Node agentic commands — agent/channel, doctor, doctor/auth, doctor/config/state, doctor/device, doctor/gateway, doctor/platform, doctor/plugins/tools, doctor/sessions/cron, doctor/shared, doctor/whatsapp, doctor/workspace, models, onboard/config, status/tools	✅ All passed
Node agentic agents — core auth, core models, core tools, core subagents, core runner, core runtime, embedded, support, tools	✅ All passed
Node agentic gateway — core, methods	✅ All passed
Node agentic plugin SDK	✅ Passed
Node auto-reply — core top-level, reply agent runner, reply commands, reply dispatch, reply session, reply state/routing	✅ All passed
Check guards	✅ Passed
Check additional boundaries (A, BCD)	✅ All passed
Check additional extensions — channels, bundled, package boundary	✅ All passed
Check additional runtime topology/architecture	✅ Passed
CI timings summary	✅ Passed
Repo-local autoreview — no accepted/actionable findings	✅ Clean
ClawSweeper review — proof sufficient, ready for maintainer look	✅ Reviewed
Private completeness gates — dry run and real run	✅ Both passed
GitHub CI checks — 134 passed, 30 skipped, 0 active/failing	✅ Clean

---

Abbreviations

Abbreviation	Definition
CI	Continuous Integration — automated build, test, and validation pipelines
CLI	Command-Line Interface
CVE	Common Vulnerabilities and Exposures — a standard for identifying security vulnerabilities
CVSS	Common Vulnerability Scoring System — a standard for rating severity of security vulnerabilities
E2E	End-to-End testing
GHSA	GitHub Security Advisory
HTTP	Hypertext Transfer Protocol
MCP	Model Context Protocol
OSS	Open-Source Software
PR	Pull Request
SDK	Software Development Kit
SQL	Structured Query Language
SSRF	Server-Side Request Forgery
UI	User Interface
WS / WebSocket	WebSocket protocol