feat(sandbox): Add SANDBOX_FLAGS for custom container options (#2036)

Co-authored-by: matt korwel <matt.korwel@gmail.com>
2025-12-19 09:33:53 +00:00 · 2025-08-01 18:32:44 +02:00
parent d42e3f1e7f
commit c725e258c6
2 changed files with 27 additions and 1 deletions
--- a/docs/sandbox.md
+++ b/docs/sandbox.md
@@ -77,6 +77,24 @@ Built-in profiles (set via `SEATBELT_PROFILE` env var):
 - `restrictive-open`: Strict restrictions, network allowed
 - `restrictive-closed`: Maximum restrictions

+### Custom Sandbox Flags
+
+For container-based sandboxing, you can inject custom flags into the `docker` or `podman` command using the `SANDBOX_FLAGS` environment variable. This is useful for advanced configurations, such as disabling security features for specific use cases.
+
+**Example (Podman)**:
+
+To disable SELinux labeling for volume mounts, you can set the following:
+
+```bash
+export SANDBOX_FLAGS="--security-opt label=disable"
+```
+
+Multiple flags can be provided as a space-separated string:
+
+```bash
+export SANDBOX_FLAGS="--flag1 --flag2=value"
+```
+
 ## Linux UID/GID handling

 The sandbox automatically handles user permissions on Linux. Override these permissions with: