-
Notifications
You must be signed in to change notification settings - Fork 8.5k
Open
Labels
Description
Bug Description
When the sandbox is endabled, it creates a docker container for executing commands (currently supported in builtin tool StrReplaceEditor). This includes a terminal session with the container which is initialized by the following code:
async def create(self, working_dir: str, env_vars: Dict[str, str]) -> None:
startup_command = [
"bash",
"-c",
f"cd {working_dir} && "
"PROMPT_COMMAND='' "
"PS1='$ ' "
"exec bash --norc --noprofile",
]
exec_data = self.api.exec_create(
self.container_id,
startup_command,
stdin=True,
tty=True,
stdout=True,
stderr=True,
privileged=True,
user="root",
environment={**env_vars, "TERM": "dumb", "PS1": "$ ", "PROMPT_COMMAND": ""},
)
Note that the privileged
option is set, which escalates the bash process privileges. According to Docker docs, The --privileged
flag disables/bypasses most of checks that shield a container from the host system.
For example, the capabilities with --privileged
:
> cat /proc/self/status | grep CapEff
CapEff: 000001ffffffffff
> capsh --decode=000001ffffffffff
0x000001ffffffffff=cap_chown,cap_dac_override,cap_dac_read_search,cap_fowner,cap_fsetid,cap_kill,cap_setgid,cap_setuid,cap_setpcap,cap_linux_immutable,cap_net_bind_service,cap_net_broadcast,cap_net_admin,cap_net_raw,cap_ipc_lock,cap_ipc_owner,cap_sys_module,cap_sys_rawio,cap_sys_chroot,cap_sys_ptrace,cap_sys_pacct,cap_sys_admin,cap_sys_boot,cap_sys_nice,cap_sys_resource,cap_sys_time,cap_sys_tty_config,cap_mknod,cap_lease,cap_audit_write,cap_audit_control,cap_setfcap,cap_mac_override,cap_mac_admin,cap_syslog,cap_wake_alarm,cap_block_suspend,cap_audit_read,cap_perfmon,cap_bpf,cap_checkpoint_restore
Bug solved method
It's better to set the privileged option to Flase
by default to ensure the security of sandbox.
Environment information
- System version: Ubuntu 22.04
- Python version: 3.12
- OpenManus version or branch: 36713cd (Date: Mon Jun 9 16:22:09 2025 +0800)
- Installation method : uv pip install -r requirements.txt
Extra information
No response