Summary
Requesting support for --cap-drop (or equivalent capability-set scoping) on openshell sandbox create so consumers can reduce the OCI bounding set of sandbox containers at creation time.
Context
NemoClaw isolates agents inside OpenShell sandboxes and drops dangerous capabilities from the agent process tree via capsh + setpriv in its entrypoint (NemoClaw PRs #3328 + #3329). That hardens the agent code path but does NOT reduce the container's OCI bounding set itself.
When users run nemoclaw sandbox connect, the runtime spawns a shell outside the agent process tree. That shell sees the container's OCI bounding set, which still contains:
CAP_SYS_ADMIN
CAP_NET_RAW
CAP_NET_BIND_SERVICE
CAP_SYS_PTRACE
CAP_DAC_OVERRIDE
CAP_FOWNER
CAP_SETUID
CAP_SETGID
Verified from inside a v0.0.43 sandbox with capsh --print: NVIDIA/NemoClaw#3280
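The capsh --print check above reads the shell's own bounding set. The following script, added here as an example and not part of OpenShell or NemoClaw, does the same audit from /proc/<pid>/status so it can be scripted as a regression test inside a connect shell or run against a saved status file. The capability bit numbers are the standard linux/capability.h values; the two reference masks (full root set, Docker default) and the status fragments are constructed samples, not measurements from a sandbox.

```python
import re
import sys

# Bit numbers from linux/capability.h for the capabilities the issue lists
# as still present in the sandbox bounding set.
ISSUE_CAPS = {
    "CAP_DAC_OVERRIDE": 1,
    "CAP_FOWNER": 3,
    "CAP_SETGID": 6,
    "CAP_SETUID": 7,
    "CAP_NET_BIND_SERVICE": 10,
    "CAP_NET_RAW": 13,
    "CAP_SYS_PTRACE": 19,
    "CAP_SYS_ADMIN": 21,
}

# Reference masks for the constructed samples below (assumed values, not
# measurements from an OpenShell sandbox).
FULL_ROOT_MASK = 0x000001FFFFFFFFFF       # every capability, kernel with CAP_LAST_CAP = 40
DOCKER_DEFAULT_MASK = 0x00000000A80425FB  # Docker's documented default bounding set


def parse_capbnd(status_text: str) -> int:
    """Extract the CapBnd mask from /proc/<pid>/status-style text."""
    m = re.search(r"^CapBnd:\s*([0-9a-fA-F]+)\s*$", status_text, re.MULTILINE)
    if m is None:
        raise ValueError("no CapBnd line in status text")
    return int(m.group(1), 16)


def caps_present(mask: int, caps=ISSUE_CAPS) -> list:
    """Names from `caps` whose bit is set in `mask`, ordered by bit number."""
    return [name for name, bit in sorted(caps.items(), key=lambda kv: kv[1])
            if mask & (1 << bit)]


def mask_without(mask: int, names) -> int:
    """Clear the bits for `names` in `mask` (what a --cap-drop does to CapBnd)."""
    for name in names:
        mask &= ~(1 << ISSUE_CAPS[name])
    return mask


def build_status(capbnd: int) -> str:
    """Construct a minimal /proc/<pid>/status fragment carrying a given CapBnd."""
    return ("Name:\tbash\n"
            "CapInh:\t0000000000000000\n"
            f"CapPrm:\t{capbnd:016x}\n"
            f"CapEff:\t{capbnd:016x}\n"
            f"CapBnd:\t{capbnd:016x}\n"
            "CapAmb:\t0000000000000000\n")


def audit(status_text: str) -> dict:
    """Report which issue-listed capabilities remain in the bounding set."""
    mask = parse_capbnd(status_text)
    remaining = caps_present(mask)
    return {"capbnd": f"{mask:016x}", "remaining": remaining, "ok": not remaining}


if __name__ == "__main__":
    # Run inside a `sandbox connect` shell to audit that shell's own bounding
    # set, or pass a saved copy of /proc/<pid>/status to audit a captured one.
    path = sys.argv[1] if len(sys.argv) > 1 else "/proc/self/status"
    try:
        with open(path) as fh:
            text = fh.read()
    except OSError:
        # Not on Linux: fall back to the constructed full-root sample.
        text = build_status(FULL_ROOT_MASK)
    report = audit(text)
    print(f"CapBnd={report['capbnd']} remaining={report['remaining']} ok={report['ok']}")
```

audit() returns ok only when none of the eight listed capabilities is in CapBnd, so it fails on both the full root set and the Docker default (which keeps six of the eight) and passes only once the bounding set has actually been reduced at container-create time.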
Why NemoClaw can't fix this alone
openshell sandbox create doesn't accept --cap-drop or any capability-scoping flag, and the OpenShell policy schema has no capability section. The OCI bounding set is set by OpenShell at container-create time, so NemoClaw has no way to reduce it.
Asks
One of:
--cap-drop / --cap-add flags on openshell sandbox create — matches Docker semantics, smaller surface change
capabilities: section in the OpenShell policy schema with allow/drop lists translated to the OCI bounding set at container-create time — more declarative, tracks better with existing policy-driven model
Either works for NemoClaw's use case.
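To make the second ask concrete, here is an added sketch (not OpenShell code) of how a declarative capabilities: section could be translated into the OCI runtime spec's process.capabilities sets at container-create time. The OCI set names (bounding, effective, permitted, inheritable, ambient) are the real spec fields; the policy keys allow and drop, the Docker-like semantics, and the sample spec fragment are assumptions made for the illustration.

```python
import copy
import json

# The five OCI runtime-spec capability sets under process.capabilities.
OCI_CAP_SETS = ("bounding", "effective", "permitted", "inheritable", "ambient")

# Capabilities the issue reports as present in the sandbox bounding set.
ISSUE_CAPS = frozenset({
    "CAP_SYS_ADMIN", "CAP_NET_RAW", "CAP_NET_BIND_SERVICE", "CAP_SYS_PTRACE",
    "CAP_DAC_OVERRIDE", "CAP_FOWNER", "CAP_SETUID", "CAP_SETGID",
})

# Constructed OCI spec fragment resembling the issue's observation: the
# container-level sets still carry all of ISSUE_CAPS plus a few benign ones.
_BASELINE = sorted(ISSUE_CAPS | {"CAP_CHOWN", "CAP_KILL", "CAP_SYS_CHROOT"})
SAMPLE_SPEC = {
    "ociVersion": "1.0.2",
    "process": {
        "capabilities": {
            "bounding": list(_BASELINE),
            "effective": list(_BASELINE),
            "permitted": list(_BASELINE),
            "inheritable": [],
            "ambient": [],
        }
    },
}


def apply_capability_policy(spec: dict, policy: dict) -> dict:
    """Return a copy of `spec` with the policy applied to every OCI capability set.

    Assumed, Docker-like semantics:
      - `allow`, if present, is a ceiling: each set keeps only caps listed there;
      - `drop` is removed from every set afterwards, so it always wins;
      - names must be CAP_* strings and are rejected otherwise, because a typo
        that is silently ignored would leave the capability in place.
    """
    allow = policy.get("allow")
    drop = set(policy.get("drop", []))
    for name in set(allow or []) | drop:
        if not (isinstance(name, str) and name.startswith("CAP_")):
            raise ValueError(f"not a capability name: {name!r}")
    new_spec = copy.deepcopy(spec)
    caps = new_spec.setdefault("process", {}).setdefault("capabilities", {})
    for set_name in OCI_CAP_SETS:
        current = set(caps.get(set_name, []))
        if allow is not None:
            current &= set(allow)
        caps[set_name] = sorted(current - drop)
    return new_spec


def bounding_leaks(spec: dict, forbidden=ISSUE_CAPS) -> list:
    """Forbidden caps still present in the bounding set (empty means hardened)."""
    bounding = set(spec.get("process", {}).get("capabilities", {}).get("bounding", []))
    return sorted(bounding & set(forbidden))


def sets_consistent(spec: dict) -> bool:
    """Translator invariant: no other set grants more than the bounding set."""
    caps = spec["process"]["capabilities"]
    bounding = set(caps.get("bounding", []))
    return all(set(caps.get(s, [])) <= bounding for s in OCI_CAP_SETS[1:])


if __name__ == "__main__":
    policy = {"drop": sorted(ISSUE_CAPS)}  # the policy NemoClaw would ship
    hardened = apply_capability_policy(SAMPLE_SPEC, policy)
    print("before:", bounding_leaks(SAMPLE_SPEC))
    print("after: ", bounding_leaks(hardened))
    print(json.dumps(hardened["process"]["capabilities"], indent=2))
```

Because the drop list is applied to all five sets rather than only to bounding, a shell spawned later by sandbox connect cannot inherit the capability from effective or permitted either, which is the gap the capsh/setpriv approach in the entrypoint cannot close from inside the container.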
Consumer / blocker
NemoClaw issue #3280 (priority: high, NV QA) is blocked on this. Scope is shell-scope cap tightening for sandbox connect shells.