fix(chat/sandbox): fix bwrap inside Docker containers

Three fixes for bubblewrap sandbox: - Fix --tmpdir (invalid) to --tmpfs (correct bwrap option) - Add --unshare-user so bwrap can create namespaces inside unprivileged Docker containers (no CAP_SYS_ADMIN needed) - Reorder mounts: --tmpfs /tmp first, then --bind workspace on top, so the workspace directory is visible through the fresh tmpfs
2026-02-12 15:55:03 -05:00 · 2026-02-12 22:22:39 +04:00
parent 308113c03d
commit 9296bd8736
1 changed files with 9 additions and 5 deletions
--- a/autogpt_platform/backend/backend/api/features/chat/tools/sandbox.py
+++ b/autogpt_platform/backend/backend/api/features/chat/tools/sandbox.py
@@ -133,6 +133,9 @@ def _build_bwrap_command(
    """
    cmd = [
        "bwrap",
+        # Create a new user namespace so bwrap can set up sandboxing
+        # inside unprivileged Docker containers (no CAP_SYS_ADMIN needed).
+        "--unshare-user",
        # Wipe all inherited environment variables (API keys, secrets, etc.)
        "--clearenv",
    ]
@@ -164,17 +167,18 @@ def _build_bwrap_command(

    cmd.extend(
        [
-            # Writable workspace only
-            "--bind",
-            cwd,
-            cwd,
            # Fresh virtual filesystems
            "--dev",
            "/dev",
            "--proc",
            "/proc",
-            "--tmpdir",
+            "--tmpfs",
            "/tmp",
+            # Workspace bind AFTER --tmpfs /tmp so it's visible through the tmpfs.
+            # (workspace lives under /tmp/copilot-<session>)
+            "--bind",
+            cwd,
+            cwd,
            # Isolation
            "--unshare-net",
            "--die-with-parent",