@@ -31,6 +31,53 @@ The benefits of sandboxing include:
3131- ** Safety** : Reduce risk when working with untrusted code or experimental
3232 commands.
3333
34+ ## Quickstart
35+
36+ You can enable sandboxing using a command flag, environment variable, or
37+ configuration file.
38+
39+ ### Using the command flag
40+
41+ ``` bash
42+ gemini -s -p " analyze the code structure"
43+ ```
44+
45+ ### Using an environment variable
46+
47+ ** macOS/Linux**
48+
49+ ``` bash
50+ export GEMINI_SANDBOX=true
51+ gemini -p " run the test suite"
52+ ```
53+
54+ ** Windows (PowerShell)**
55+
56+ ``` powershell
57+ $env:GEMINI_SANDBOX="true"
58+ gemini -p "run the test suite"
59+ ```
60+
61+ ### Configuring via settings.json
62+
63+ ``` json
64+ {
65+ "tools" : {
66+ "sandbox" : " docker"
67+ }
68+ }
69+ ```
70+
71+ ## Configuration
72+
73+ Enable sandboxing using one of the following methods (in order of precedence):
74+
75+ 1 . ** Command flag** : ` -s ` or ` --sandbox `
76+ 2 . ** Environment variable** :
77+ ` GEMINI_SANDBOX=true|docker|podman|sandbox-exec|runsc|lxc `
78+ 3 . ** Settings file** : ` "sandbox": true ` in the ` tools ` object of your
79+ ` settings.json ` file (for example, ` {"tools": {"sandbox": true}} ` ).
80+
3481## Sandboxing methods
3582
3683Your ideal method of sandboxing may differ depending on your platform and your
@@ -43,12 +90,92 @@ Lightweight, built-in sandboxing using `sandbox-exec`.
4390** Default profile** : ` permissive-open ` - restricts writes outside project
4491directory but allows most other operations.
4592
93+ Built-in profiles (set via ` SEATBELT_PROFILE ` env var):
94+
95+ - ` permissive-open ` (default): Write restrictions, network allowed
96+ - ` permissive-proxied ` : Write restrictions, network via proxy
97+ - ` restrictive-open ` : Strict restrictions, network allowed
98+ - ` restrictive-proxied ` : Strict restrictions, network via proxy
99+ - ` strict-open ` : Read and write restrictions, network allowed
100+ - ` strict-proxied ` : Read and write restrictions, network via proxy
101+
46102### 2. Container-based (Docker/Podman)
47103
48- Cross-platform sandboxing with complete process isolation.
104+ Cross-platform sandboxing with complete process isolation using container
105+ technology. By default, it uses the ` ghcr.io/google/gemini-cli:latest ` image.
106+
107+ ** Prerequisites:**
108+
109+ - Docker or Podman must be installed and running on your system.
110+
111+ ** How it works (Workspace directory):**
49112
50- ** Note** : Requires building the sandbox image locally or using a published image
51- from your organization's registry.
113+ Inside the sandbox container, your current working directory is mounted at the
114+ ** exact same absolute path** as it is on your host machine. For example, if you
115+ run the CLI from ` /Users/you/project ` on your host machine, the sandbox will
116+ mount your local project folder and operate within ` /Users/you/project ` inside
117+ the container. This allows the AI to seamlessly read and modify your project
118+ files while remaining isolated from the rest of your system.
119+
120+ ** Quick setup:**
121+
122+ To enable Docker sandboxing, run Gemini CLI with the sandbox flag and specify
123+ Docker as the provider:
124+
125+ ``` bash
126+ # Using the environment variable (Recommended)
127+ export GEMINI_SANDBOX=docker
128+ gemini -p " build the project"
129+
130+ # Or configure it permanently in your settings.json
131+ # {"tools": {"sandbox": "docker"}}
132+ ```
133+
134+ ** Customizing the Sandbox Image:**
135+
136+ If your project requires specific dependencies, you can specify a custom image
137+ name or have Gemini CLI build one for you automatically. You can use any Docker
138+ or Podman image as your sandbox, provided it has standard shell utilities (like
139+ ` bash ` ) available.
140+
141+ ** Option A: Using an existing custom image (e.g., Artifact Registry)**
142+
143+ To configure a custom image that is hosted on a registry (or built locally),
144+ update your ` settings.json ` to use an object for the sandbox configuration, or
145+ set the ` GEMINI_SANDBOX_IMAGE ` environment variable.
146+
147+ _ Example: Configuring via ` settings.json ` _
148+
149+ ``` json
150+ {
151+ "tools" : {
152+ "sandbox" : {
153+ "command" : " docker"
154+ "image" : " us-central1-docker.pkg.dev/my-project/my-repo/my-custom-sandbox:latest"
155+ }
156+ }
157+ }
158+ ```
159+
160+ _ Example: Configuring via environment variable_
161+
162+ ``` bash
163+ export GEMINI_SANDBOX_IMAGE=" us-central1-docker.pkg.dev/my-project/my-repo/my-custom-sandbox:latest"
164+ ```
165+
166+ ** Option B: Building a local custom image automatically**
167+
168+ If you prefer to define your environment as code, you can provide a Dockerfile
169+ and Gemini CLI will build the image automatically.
170+
171+ 1 . Create a ` .gemini/sandbox.Dockerfile ` in your project root.
172+ 2 . Ensure you have the ` gh ` CLI installed and authenticated (if you are using
173+ the default ` ghcr.io/google/gemini-cli ` image as a base).
174+ 3 . Run your command with the ` BUILD_SANDBOX ` environment variable set:
175+
176+ ``` bash
177+ BUILD_SANDBOX=1 GEMINI_SANDBOX=docker gemini -p " run my custom build"
178+ ```
52179
53180### 3. Windows Native Sandbox (Windows only)
54181
@@ -188,59 +315,49 @@ This mechanism ensures you don't have to manually re-run commands with more
188315permissive sandbox settings, while still maintaining control over what the AI
189316can access.
190317
191- ## Quickstart
318+ ### Including files outside the workspace
192319
193- ``` bash
194- # Enable sandboxing with command flag
195- gemini -s -p " analyze the code structure "
196- ```
320+ By default, the sandbox only has access to the current project workspace. If you
321+ need the sandbox to have permission to operate on certain files or directories
322+ from the local file system outside of the project workspace, you can mount them
323+ using the ` SANDBOX_MOUNTS ` environment variable.
197324
198- ** Use environment variable**
325+ Provide a comma-separated list of mount definitions in the format
326+ ` from:to:opts ` . If ` to ` is omitted, it defaults to the same path as ` from ` . If
327+ ` opts ` is omitted, it defaults to ` ro ` (read-only). Note that the ` from ` path
328+ must be an absolute path.
199329
200- ** macOS/Linux **
330+ ** Example ** :
201331
202332``` bash
203- export GEMINI_SANDBOX=true
204- gemini -p " run the test suite"
205- ```
206-
207- ** Windows (PowerShell)**
208-
209- ``` powershell
210- $env:GEMINI_SANDBOX="true"
211- gemini -p "run the test suite"
212- ```
213-
214- ** Configure in settings.json**
215-
216- ``` json
217- {
218- "tools" : {
219- "sandbox" : " docker"
220- }
221- }
333+ export SANDBOX_MOUNTS=" /path/on/host:/path/in/container:rw,/another/path:ro"
222334```
223335
224- ## Configuration
336+ ## Running inside a Docker container
225337
226- ### Enable sandboxing (in order of precedence)
338+ If you are running Gemini CLI itself from within an official or custom Docker
339+ container and want to enable sandboxing, you must share the host's Docker socket
340+ and ensure your workspace paths align.
227341
228- 1 . ** Command flag** : ` -s ` or ` --sandbox `
229- 2 . ** Environment variable** :
230- ` GEMINI_SANDBOX=true|docker|podman|sandbox-exec|runsc|lxc `
231- 3 . ** Settings file** : ` "sandbox": true ` in the ` tools ` object of your
232- ` settings.json ` file (for example, ` {"tools": {"sandbox": true}} ` ).
342+ 1 . ** Mount the Docker socket** : Map ` /var/run/docker.sock ` so the CLI can spawn
343+ sibling sandbox containers via the host's Docker daemon.
344+ 2 . ** Align workspace paths** : The path to your workspace inside the container
345+ must exactly match the absolute path on the host. Because the sandbox
346+ container is spawned by the host's Docker daemon, it resolves volume mounts
347+ against the host file system.
233348
234- ### macOS Seatbelt profiles
349+ ** Example ** :
235350
236- Built-in profiles (set via ` SEATBELT_PROFILE ` env var):
351+ ``` bash
352+ docker run -it \
353+ -v /var/run/docker.sock:/var/run/docker.sock \
354+ -v /absolute/path/on/host/project:/absolute/path/on/host/project \
355+ -w /absolute/path/on/host/project \
356+ -e GEMINI_SANDBOX=docker \
357+ ghcr.io/google/gemini-cli:latest
358+ ```
237359
238- - ` permissive-open ` (default): Write restrictions, network allowed
239- - ` permissive-proxied ` : Write restrictions, network via proxy
240- - ` restrictive-open ` : Strict restrictions, network allowed
241- - ` restrictive-proxied ` : Strict restrictions, network via proxy
242- - ` strict-open ` : Read and write restrictions, network allowed
243- - ` strict-proxied ` : Read and write restrictions, network via proxy
360+ ## Advanced settings
244361
245362### Custom sandbox flags
246363
@@ -279,7 +396,7 @@ export SANDBOX_FLAGS="--flag1 --flag2=value"
279396$env:SANDBOX_FLAGS="--flag1 --flag2=value"
280397```
281398
282- ## Linux UID/GID handling
399+ ### Linux UID/GID handling
283400
284401The sandbox automatically handles user permissions on Linux. Override these
285402permissions with:
0 commit comments