From c725e258c657007ddd4dc4f8d5e896ea6b775818 Mon Sep 17 00:00:00 2001
From: andrea-berling <andrea-berling@users.noreply.github.com>
Date: Fri, 1 Aug 2025 18:32:44 +0200
Subject: feat(sandbox): Add SANDBOX_FLAGS for custom container options (#2036)

Co-authored-by: matt korwel <matt.korwel@gmail.com>
---
 docs/sandbox.md | 18 ++++++++++++++++++
 1 file changed, 18 insertions(+)

(limited to 'docs')

diff --git a/docs/sandbox.md b/docs/sandbox.md
index 87763685..508a0d03 100644
--- a/docs/sandbox.md
+++ b/docs/sandbox.md
@@ -77,6 +77,24 @@ Built-in profiles (set via `SEATBELT_PROFILE` env var):
 - `restrictive-open`: Strict restrictions, network allowed
 - `restrictive-closed`: Maximum restrictions
 
+### Custom Sandbox Flags
+
+For container-based sandboxing, you can inject custom flags into the `docker` or `podman` command using the `SANDBOX_FLAGS` environment variable. This is useful for advanced configurations, such as disabling security features for specific use cases.
+
+**Example (Podman)**:
+
+To disable SELinux labeling for volume mounts, you can set the following:
+
+```bash
+export SANDBOX_FLAGS="--security-opt label=disable"
+```
+
+Multiple flags can be provided as a space-separated string:
+
+```bash
+export SANDBOX_FLAGS="--flag1 --flag2=value"
+```
+
 ## Linux UID/GID handling
 
 The sandbox automatically handles user permissions on Linux. Override these permissions with:
-- 
cgit v1.2.3