author: andrea-berling <[email protected]> 2025-08-01 18:32:44 +0200
committer: GitHub <[email protected]> 2025-08-01 16:32:44 +0000
commit: c725e258c657007ddd4dc4f8d5e896ea6b775818
tree: 11f22dd2d93e9a603838302ccfab3ee60c615893 /docs/sandbox.md
parent: d42e3f1e7fbdf23e3e8b729c5ba08dbf89285088
feat(sandbox): Add SANDBOX_FLAGS for custom container options (#2036)
Co-authored-by: matt korwel <[email protected]>
Diffstat (limited to 'docs/sandbox.md')
-rw-r--r-- docs/sandbox.md 18
1 files changed, 18 insertions, 0 deletions
diff --git a/docs/sandbox.md b/docs/sandbox.md
index 87763685..508a0d03 100644
--- a/docs/sandbox.md
+++ b/docs/sandbox.md
@@ -77,6 +77,24 @@ Built-in profiles (set via `SEATBELT_PROFILE` env var):
- `restrictive-open`: Strict restrictions, network allowed
- `restrictive-closed`: Maximum restrictions
+### Custom Sandbox Flags
+
+For container-based sandboxing, you can inject custom flags into the `docker` or `podman` command using the `SANDBOX_FLAGS` environment variable. This is useful for advanced configurations, such as disabling security features for specific use cases.
+
+**Example (Podman)**:
+
+To disable SELinux labeling for volume mounts, you can set the following:
+
+```bash
+export SANDBOX_FLAGS="--security-opt label=disable"
+```
+
+Multiple flags can be provided as a space-separated string:
+
+```bash
+export SANDBOX_FLAGS="--flag1 --flag2=value"
+```
+
## Linux UID/GID handling
The sandbox automatically handles user permissions on Linux. Override these permissions with:
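Review bot: The new "Custom Sandbox Flags" paragraph presents "disabling security features" as an ordinary use case, and the Podman example `--security-opt label=disable` does exactly that without saying what is given up. Suggest adding a sentence stating that anything passed through `SANDBOX_FLAGS` can weaken the sandbox's isolation (in the example, SELinux label separation for the container is turned off), so the variable should be set deliberately and only from a trusted source. The "space-separated string" sentence also leaves open how a flag value that itself contains spaces or quotes is handled; documenting the splitting rule next to the `--flag1 --flag2=value` example would avoid surprises.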