凌晨4点18分,一个Agent执行了rm -rf /。如果它在主系统上运行,服务器就废了。幸好,它在沙箱里——沙箱挂了,主系统还在。
沙箱就像给Agent一个玩具房间,它可以在里面随便折腾,但不能拆了你的家。
凌晨4点18分,一个Agent执行了rm -rf /。如果它在主系统上运行,服务器就废了。幸好,它在沙箱里——沙箱挂了,主系统还在。
沙箱就像给Agent一个玩具房间,它可以在里面随便折腾,但不能拆了你的家。
Runtime Sandbox Security(运行时沙箱安全)是通过隔离技术限制AI Agent运行时行为的安全机制。它确保Agent只能访问被授权的资源,即使Agent被攻陷或行为异常,也不会影响宿主系统。
使用Docker/containerd将Agent运行在独立容器中。
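# Docker sandbox configuration
# docker-compose.sandbox.yml
version: '3.8'
services:
  agent-sandbox:
    image: openclaw/sandbox:latest
    container_name: agent-sandbox
    # Resource limits (docker compose v2 applies deploy.resources; legacy
    # docker-compose v1 only did so with --compatibility — confirm your runtime)
    deploy:
      resources:
        limits:
          cpus: '2.0'
          memory: 2G
          # Same 100-process ceiling as pids.limit / max_pids in the other
          # sandbox configs; without it a fork bomb can exhaust host PIDs
          pids: 100
        reservations:
          cpus: '0.5'
          memory: 512M
    # Security settings
    security_opt:
      - no-new-privileges:true  # setuid binaries / file capabilities cannot raise privileges
      - seccomp:./seccomp-profile.json  # path is relative to the compose file
    # Read-only root filesystem: the tmpfs mounts below are the only writable paths
    read_only: true
    tmpfs:
      # noexec/nosuid/nodev mirror the writable-mount hardening in fs_isolation.yaml
      - /tmp:size=100M,noexec,nosuid,nodev
      - /var/run:size=10M,noexec,nosuid,nodev
    # Privilege restrictions: drop everything, add back only what is needed
    cap_drop:
      - ALL
    cap_add:
      - NET_BIND_SERVICE
    # Network isolation
    networks:
      - sandbox-net
    # Volume mounts (read-only)
    volumes:
      - ./config:/app/config:ro
      - ./skills:/app/skills:ro
    # Environment variables
    environment:
      - SANDBOX_MODE=true
      - MAX_MEMORY=2G
      - MAX_CPU=2.0
networks:
  sandbox-net:
    driver: bridge
    # No external network access. This also blocks the LLM API endpoints that
    # the other configs allowlist, so any egress must go through a proxy
    # attached to this network.
    internal: true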
使用Linux命名空间和cgroups限制进程权限。
# Process isolation configuration
# sandbox_config.yaml
sandbox:
  # Namespace isolation
  namespaces:
    - pid   # process ID isolation
    - net   # network isolation
    - mnt   # filesystem (mount) isolation
    - uts   # hostname isolation
    - ipc   # inter-process communication isolation
    - user  # user ID isolation
  # Cgroup resource limits
  cgroups:
    memory:
      limit_bytes: 2147483648  # 2 GiB
      swap_limit_bytes: 0  # no swap: an OOM kills the sandbox instead of thrashing the host
    cpu:
      quota_us: 200000  # quota/period = 2 cores
      period_us: 100000
    pids:
      limit: 100  # at most 100 processes (fork-bomb protection)
    io:
      read_bps: 104857600  # 100 MiB/s read
      write_bps: 52428800  # 50 MiB/s write
  # Seccomp system call filtering
  seccomp:
    # Anything not in allowed_syscalls fails with an errno (default-deny)
    default_action: "SCMP_ACT_ERRNO"
    # NOTE(review): this allowlist is illustrative, not a complete profile.
    # Process start/exit syscalls are absent, and modern libc implements
    # open() via openat on many platforms — build the real list from an
    # strace of the agent runtime and confirm against the consumer.
    allowed_syscalls:
      - "read"
      - "write"
      - "open"
      - "close"
      - "stat"
      - "fstat"
      - "poll"
      - "lseek"
      - "mmap"
      - "mprotect"
      - "munmap"
      - "brk"
      - "socket"
      - "connect"
      - "sendto"
      - "recvfrom"
    # With a default-deny action this list is redundant (the allowlist is the
    # effective control); it documents intent and guards against a future
    # switch of default_action to allow — confirm how the consumer treats it
    denied_syscalls:
      - "reboot"
      - "kexec_load"
      - "mount"
      - "umount2"
      - "pivot_root"
      - "chroot"
限制Agent对文件系统的访问范围。
# Filesystem isolation
# fs_isolation.yaml
filesystem:
  # Read-only mounts
  readonly_mounts:
    - source: "/usr/local/bin"
      target: "/app/bin"
      readonly: true
    - source: "/etc/ssl/certs"
      target: "/app/certs"
      readonly: true
  # Writable mounts (size-limited)
  writable_mounts:
    - source: "tmpfs"
      target: "/tmp"
      size: "100M"
      noexec: true  # blocks direct execution of dropped binaries; interpreters can still run scripts from here
    - source: "volume"
      target: "/app/data"
      size: "1G"
      nosuid: true
      noexec: true
  # Paths that must never be accessible
  # NOTE(review): "/home/*" uses a single-level glob while allowed_paths uses
  # "**"; whether "*" also matches nested paths depends on the consumer's
  # matcher — confirm. Denying /etc/passwd can break user-name lookups in
  # otherwise benign tools; verify the agent runtime still starts.
  denied_paths:
    - "/etc/shadow"
    - "/etc/passwd"
    - "/root"
    - "/home/*"
    - "/var/log/*"
  # Paths the agent may access (everything else is denied)
  # Precedence between allowed_paths and denied_paths is not stated here;
  # a deny entry should win over an allow entry — confirm with the consumer.
  allowed_paths:
    - "/app/**"
    - "/tmp/**"
    - "/proc/self/**"
  # File operation limits
  file_operations:
    max_file_size: "10M"
    max_open_files: 100
    # Extension filtering is a weak control: ".py" and ".js" files are run by
    # their interpreter without needing an exec bit, so this list mostly
    # limits accidental misuse rather than a determined agent.
    allowed_extensions:
      - ".txt"
      - ".json"
      - ".yaml"
      - ".py"
      - ".js"
    denied_extensions:
      - ".sh"
      - ".bash"
      - ".exe"
      - ".dll"
      - ".so"
限制Agent的网络访问能力。
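# Network isolation configuration
# network_isolation.yaml
network:
  # Network mode
  mode: "restricted"  # unrestricted | restricted | isolated
  # Allowed outbound connections
  outbound:
    allowed_domains:
      - "api.openai.com"
      - "api.anthropic.com"
      - "miaoquai.com"
    # NOTE(review): allowing whole RFC1918 ranges contradicts dns.block_private
    # below and deny_private in openclaw.yaml; an allowlisted domain that
    # resolves into these ranges would still be reachable — confirm intent.
    allowed_ips:
      - "10.0.0.0/8"
      - "172.16.0.0/12"
    # Domain denies are bypassable by connecting to the IP directly;
    # denied_ips is the effective control and must win over any allow entry.
    denied_domains:
      - "*.internal.company.com"
      - "metadata.google.internal"
    denied_ips:
      - "169.254.169.254"  # cloud metadata (IPv4)
      - "fd00:ec2::254"  # AWS metadata on IPv6; harmless elsewhere
      - "127.0.0.0/8"  # whole loopback block: denying only 127.0.0.1 leaves 127.0.0.2 etc. reachable
      - "::1"  # IPv6 loopback
  # Inbound connections
  inbound:
    enabled: false  # inbound disabled by default
  # Port restrictions
  ports:
    allowed:
      - 80
      - 443
    denied:
      - 22  # SSH
      - 3306  # MySQL
      - 5432  # PostgreSQL
      - 6379  # Redis
  # DNS restrictions
  dns:
    servers:
      - "8.8.8.8"
      - "8.8.4.4"
    block_private: true  # refuse answers that resolve to private ranges (DNS-rebinding protection)
  # Bandwidth limits
  bandwidth:
    upload_mbps: 10
    download_mbps: 50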
# openclaw.yaml full sandbox configuration
sandbox:
  # Enable the sandbox
  enabled: true
  # Sandbox backend
  type: "docker"  # docker | firejail | gvisor | wasm
  # Resource limits
  resources:
    max_cpu: "2.0"
    max_memory: "2G"
    max_disk: "10G"
    max_pids: 100
    timeout_seconds: 300  # wall-clock cap per run; what happens on expiry is recovery.on_timeout
  # Filesystem
  filesystem:
    readonly_root: true
    tmp_size: "100M"
    data_size: "1G"
    mount_skills: true  # presumably the read-only ./skills mount from docker-compose.sandbox.yml — confirm
    mount_config: true
  # Network
  network:
    mode: "restricted"
    allowed_domains:
      - "api.openai.com"
      - "api.anthropic.com"
    deny_private: true  # block private, loopback and link-local destinations (cloud metadata is link-local)
  # Permissions
  permissions:
    drop_capabilities:
      - "ALL"
    add_capabilities: []  # keep empty unless a specific capability is proven necessary
    no_new_privileges: true
    seccomp_profile: "default"  # NOTE(review): which profile "default" resolves to depends on the backend — confirm
  # Monitoring
  monitoring:
    log_syscalls: true
    log_file_access: true
    log_network: true
    alert_on_violation: true
    alert_channel: "feishu"
  # Automatic recovery
  recovery:
    enabled: true
    max_restarts: 3
    restart_delay_seconds: 5
    on_crash: "restart"
    # NOTE(review): should stay bounded by resources.max_memory; otherwise
    # repeated OOMs ratchet the sandbox's memory upward — confirm
    on_oom: "restart_with_more_memory"
    on_timeout: "terminate"
| 技术 | 隔离级别 | 性能开销 | 适用场景 |
|---|---|---|---|
| Docker | 容器级 | 低 (~5%) | 生产环境首选 |
| gVisor | 内核级 | 中 (~15%) | 高安全需求 |
| Firejail | 进程级 | 极低 (~1%) | 轻量级隔离 |
| WASM | 字节码级 | 低 (~3%) | 跨平台执行 |
| MicroVM | 虚拟机级 | 中 (~10%) | 最强隔离 |