Optionally back /tmp and /var/tmp with stable host directories
@@ -60,6 +60,16 @@ rw = ["/var/run/docker.sock"]
|
||||
command = ["claude", "--dangerously-skip-permissions"]
|
||||
```
|
||||
|
||||
## Persistent state
|
||||
|
||||
In whitelist mode, the sandbox's `/tmp` and `/var/tmp` are a fresh tmpfs by default. Pass `--persistent-tmp` (or set `persistent-tmp = true`) to back both with stable host directories at `/tmp/agent-sandbox-<key>` and `/var/tmp/agent-sandbox-<key>`. The host dirs are created on demand (mode `0700`, owned by the invoking user) and as such inherit the host's cleanup policy (typical `systemd-tmpfiles` defaults: `/tmp` cleared on reboot + 10d age-out, `/var/tmp` survives reboot + 30d age-out).
|
||||
|
||||
`<key>` is derived from `profile + canonical cwd`, so different profiles and different working directories each get their own state. Override with `--persistent-key=LABEL` (or `persistent-key` in the config) to share state across profiles or to keep state after moving the project directory.
|
||||
|
||||
`persistent-tmp` is a no-op in blacklist mode — blacklist already binds the host's `/tmp` and `/var/tmp`, so they persist on the host filesystem with no extra opt-in.
|
||||
|
||||
Stale `/tmp/agent-sandbox-*` directories are not auto-cleaned — remove them by hand when you no longer need them. If `/tmp/agent-sandbox-<key>` already exists owned by a different user, the sandbox refuses to start rather than risk hijacked writes.
|
||||
|
||||
## Escape hatches
|
||||
|
||||
When the agent needs access to something the sandbox blocks, use `--rw` or `--ro` for paths and `--setenv`/`--unsetenv` for env vars. User overrides always win over the built-in policies.
|
||||
|
||||
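Review bot: The last paragraph of the new "Persistent state" section documents the ownership check and the manual cleanup only for `/tmp/agent-sandbox-<key>` and `/tmp/agent-sandbox-*`, while the first paragraph says `/var/tmp/agent-sandbox-<key>` is created the same way; state explicitly whether the refusal to start and the cleanup advice cover both directories. These are predictable names under world-writable parents, and "owned by a different user" is the only pre-existing case described, so the text should also say what the sandbox does when the path already exists as a symlink, or as a directory owned by the invoking user with a mode wider than `0700`. The phrase "derived from `profile + canonical cwd`" does not say what `<key>` looks like, which leaves a reader unable to match a stale directory to its project when cleaning up by hand; one sentence on the key format would close that gap.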