Sandbox Image Hardening#
The NemoClaw sandbox image applies several security measures to reduce attack surface and limit the blast radius of untrusted workloads.
Removed Unnecessary Tools#
Build toolchains (gcc, g++, make) and network probes (netcat) are
explicitly purged from the runtime image. Nothing in the sandbox needs them at
runtime, and leaving them in place would hand an attacker who lands in the
container a compiler for native payloads and a ready-made network client.
If you need a compiler during build, use the existing multi-stage build
(the builder stage has full Node.js tooling) and copy only artifacts into the
runtime stage.
Process Limits#
The container ENTRYPOINT sets ulimit -u 512 to cap the number of processes
a sandbox user can spawn. This mitigates fork-bomb attacks. The startup script
(nemoclaw-start.sh) applies the same limit. The cap is per UID, not per shell:
every process the sandbox user runs counts against it, and once the hard limit
is lowered an unprivileged process cannot raise it again.
Adjust the value via the --ulimit nproc=512:512 flag (soft:hard) if launching
with docker run directly. The runtime applies that flag before the ENTRYPOINT
runs, so the in-image ulimit can only tighten the limit further, never loosen
it beyond the hard value set on the command line.
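The following script is an added example, not the project's nemoclaw-start.sh, showing the entrypoint pattern the section describes: compute the process cap, lower it to the current hard limit when the runtime already set a stricter one (so the startup does not fail when a tighter --ulimit is in effect), apply it, and verify what the kernel actually enforces before exec'ing the workload. The NEMOCLAW_NPROC variable name and the `--` invocation convention are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not NemoClaw's own startup script). Demonstrates how an
# ENTRYPOINT caps the per-user process count before handing off to the
# workload. NEMOCLAW_NPROC is a hypothetical variable chosen for this example.

# Effective cap: the requested value, or the current hard limit when the
# container runtime (e.g. --ulimit nproc=N:N) already set something stricter.
# Prints the value that will be applied.
effective_nproc() {
  want=$1
  hard=$(ulimit -H -u)
  if [ "$hard" != "unlimited" ] && [ "$hard" -lt "$want" ]; then
    echo "$hard"
  else
    echo "$want"
  fi
}

# Apply the cap (both soft and hard, since plain `ulimit -u N` sets both) in a
# subshell and print what `ulimit -u` reports afterwards, so the caller can
# check the kernel accepted the change instead of assuming it did.
apply_nproc() {
  limit=$(effective_nproc "$1")
  ( ulimit -u "$limit" && ulimit -u )
}

# Check: the enforced soft limit must be a number at or below the requested cap.
check_nproc() {
  got=$(apply_nproc "$1")
  [ -n "$got" ] && [ "$got" != "unlimited" ] && [ "$got" -le "$1" ]
}

# Entrypoint usage (assumed convention): sh hardened-entry.sh -- node server.js
# With no arguments the script only defines the functions above.
if [ "${1:-}" = "--" ]; then
  shift
  cap=${NEMOCLAW_NPROC:-512}
  if ! check_nproc "$cap"; then
    echo "refusing to start: could not cap nproc at $cap" >&2
    exit 1
  fi
  ulimit -u "$(effective_nproc "$cap")"
  exec "$@"
fi
```

Because the check runs in the same UID the workload will use, it also catches the case where a host-level limit for that user is already lower than the requested cap; the script then applies the lower value rather than failing or silently running uncapped.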
Dropping Linux Capabilities#
When running the sandbox container, drop all Linux capabilities and re-add only what is strictly required with --cap-add (the Compose example below re-adds NET_BIND_SERVICE, which is only needed if the sandbox must bind a port below 1024):

```
$ docker run --rm \
    --cap-drop=ALL \
    --ulimit nproc=512:512 \
    nemoclaw-sandbox
```
Docker Compose Example#

```yaml
services:
  nemoclaw-sandbox:
    image: nemoclaw-sandbox:latest
    cap_drop:
      - ALL
    cap_add:
      - NET_BIND_SERVICE
    ulimits:
      nproc:
        soft: 512
        hard: 512
    security_opt:
      - no-new-privileges:true
    read_only: true
    tmpfs:
      - /tmp:size=64m
```
Note: The Dockerfile itself cannot enforce `--cap-drop`; that is a runtime concern controlled by the container orchestrator. Always configure capability dropping in your `docker run` flags, Compose file, or Kubernetes `securityContext` (`capabilities.drop: ["ALL"]` together with `allowPrivilegeEscalation: false`, the counterpart of `no-new-privileges`). Kubernetes has no pod-level equivalent of the `ulimits` key, so on Kubernetes the process cap comes only from the ENTRYPOINT's `ulimit -u` or from node-level configuration; verify it from inside the running pod with `ulimit -u` rather than assuming it is in effect.