fix(security): enforce sandbox inheritance for sessions_spawn

This commit is contained in:
Peter Steinberger
2026-03-02 01:10:39 +00:00
parent 6a1eedf10b
commit b9aa2d436b
6 changed files with 57 additions and 0 deletions


@@ -160,6 +160,7 @@ Parameters:
Allowlist:
- `agents.list[].subagents.allowAgents`: list of agent ids allowed via `agentId` (`["*"]` to allow any). Default: only the requester agent.
- Sandbox inheritance guard: if the requester session is sandboxed, `sessions_spawn` rejects targets that would run unsandboxed.
Discovery:
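Review bot: the added bullet says the guard "rejects targets that would run unsandboxed" but leaves open how a target's sandbox state is determined (the target agent's own sandbox configuration, or the requester's sandbox settings being inherited) and what the caller observes on rejection. Suggest extending the line with that detail, e.g. "... rejects targets whose resolved sandbox mode is off; the call returns an error instead of spawning a session", so an operator can predict which `agentId` values will be refused.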


@@ -1207,6 +1207,7 @@ scripts/sandbox-browser-setup.sh # optional browser image
- `identity.avatar`: workspace-relative path, `http(s)` URL, or `data:` URI.
- `identity` derives defaults: `ackReaction` from `emoji`, `mentionPatterns` from `name`/`emoji`.
- `subagents.allowAgents`: allowlist of agent ids for `sessions_spawn` (`["*"]` = any; default: same agent only).
- Sandbox inheritance guard: if the requester session is sandboxed, `sessions_spawn` rejects targets that would run unsandboxed.
---
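Review bot: in this list every other bullet is a configuration key (`identity.avatar`, `identity`, `subagents.allowAgents`), while the added "Sandbox inheritance guard" bullet describes runtime behaviour rather than a key, so in a configuration reference it reads as if a key by that name exists. Suggest either phrasing it as a note under `subagents.allowAgents` ("Note: when the requester session is sandboxed, ...") or attaching it to the sandbox configuration key whose value the guard evaluates, so readers know which setting controls it.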


@@ -124,6 +124,7 @@ See [Configuration Reference](/gateway/configuration-reference) and [Slash comma
Allowlist:
- `agents.list[].subagents.allowAgents`: list of agent ids that can be targeted via `agentId` (`["*"]` to allow any). Default: only the requester agent.
- Sandbox inheritance guard: if the requester session is sandboxed, `sessions_spawn` rejects targets that would run unsandboxed.
Discovery:
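Review bot: this is the third verbatim copy of the same guard sentence across three docs in one commit, and the surrounding context lines already show the copies drifting (the `allowAgents` bullet reads "allowed via `agentId`" in one file and "can be targeted via `agentId`" here). Suggest documenting the guard once, in the file that explains `sessions_spawn` semantics, and linking to it from the other two, so future changes to the guard's behaviour do not leave stale copies behind.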