diff --git a/docs/cli/sandbox.md b/docs/cli/sandbox.md index e27587abf0..f81b561e0a 100644 --- a/docs/cli/sandbox.md +++ b/docs/cli/sandbox.md @@ -136,6 +136,58 @@ gemini -p "build the snap" absolute path — the path must be writable inside the container. - Used with tools like Snapcraft or Rockcraft that require a full system. +## Tool sandboxing + +Tool-level sandboxing provides granular isolation for individual tool executions +(like `shell_exec` and `write_file`) instead of sandboxing the entire Gemini CLI +process. + +This approach offers better integration with your local environment for non-tool +tasks (like UI rendering and configuration loading) while still providing +security for tool-driven operations. + +### How to turn off tool sandboxing + +If you experience issues with tool sandboxing or prefer full-process isolation, +you can disable it by setting `security.toolSandboxing` to `false` in your +`settings.json` file. + +```json +{ + "security": { + "toolSandboxing": false + } +} +``` + + +> [!NOTE] +> Changing the `security.toolSandboxing` setting requires a restart of Gemini +> CLI to take effect. + +## Sandbox expansion + +Sandbox expansion is a dynamic permission system that lets Gemini CLI request +additional permissions for a command when needed. + +When a sandboxed command fails due to permission restrictions (like restricted +file paths or network access), or when a command is proactively identified as +requiring extra permissions (like `npm install`), Gemini CLI will present you +with a "Sandbox Expansion Request." + +### How sandbox expansion works + +1. **Detection**: Gemini CLI detects a sandbox denial or proactively identifies + a command that requires extra permissions. +2. **Request**: A modal dialog is shown, explaining which additional + permissions (e.g., specific directories or network access) are required. +3. **Approval**: If you approve the expansion, the command is executed with the + extended permissions for that specific run. + +This mechanism ensures you don't have to manually re-run commands with more +permissive sandbox settings, while still maintaining control over what the AI +can access. + ## Quickstart ```bash diff --git a/docs/cli/settings.md b/docs/cli/settings.md index 37d0c8d4a3..4a6b9a77b7 100644 --- a/docs/cli/settings.md +++ b/docs/cli/settings.md @@ -140,7 +140,7 @@ they appear in the UI. | UI Label | Setting | Description | Default | | ------------------------------------- | ----------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | ------- | -| Tool Sandboxing | `security.toolSandboxing` | Experimental tool-level sandboxing (implementation in progress). | `false` | +| Tool Sandboxing | `security.toolSandboxing` | Tool-level sandboxing. Isolates individual tools instead of the entire CLI process. | `false` | | Disable YOLO Mode | `security.disableYoloMode` | Disable YOLO mode, even if enabled by a flag. | `false` | | Disable Always Allow | `security.disableAlwaysAllow` | Disable "Always allow" options in tool confirmation dialogs. | `false` | | Allow Permanent Tool Approval | `security.enablePermanentToolApproval` | Enable the "Allow for all future sessions" option in tool confirmation dialogs. | `false` | diff --git a/docs/reference/configuration.md b/docs/reference/configuration.md index fd11ff4d73..5c9a3e7044 100644 --- a/docs/reference/configuration.md +++ b/docs/reference/configuration.md @@ -1492,9 +1492,10 @@ their corresponding top-level category object in your `settings.json` file. #### `security` - **`security.toolSandboxing`** (boolean): - - **Description:** Experimental tool-level sandboxing (implementation in - progress). + - **Description:** Tool-level sandboxing. Isolates individual tools instead of + the entire CLI process. - **Default:** `false` + - **Requires restart:** Yes - **`security.disableYoloMode`** (boolean): - **Description:** Disable YOLO mode, even if enabled by a flag. diff --git a/packages/cli/src/config/settingsSchema.ts b/packages/cli/src/config/settingsSchema.ts index 7ccf1f360b..9343be6b02 100644 --- a/packages/cli/src/config/settingsSchema.ts +++ b/packages/cli/src/config/settingsSchema.ts @@ -1711,10 +1711,10 @@ const SETTINGS_SCHEMA = { type: 'boolean', label: 'Tool Sandboxing', category: 'Security', - requiresRestart: false, + requiresRestart: true, default: false, description: - 'Experimental tool-level sandboxing (implementation in progress).', + 'Tool-level sandboxing. Isolates individual tools instead of the entire CLI process.', showInDialog: true, }, disableYoloMode: { diff --git a/schemas/settings.schema.json b/schemas/settings.schema.json index eae2fbc3f5..71172717e4 100644 --- a/schemas/settings.schema.json +++ b/schemas/settings.schema.json @@ -2574,8 +2574,8 @@ "properties": { "toolSandboxing": { "title": "Tool Sandboxing", - "description": "Experimental tool-level sandboxing (implementation in progress).", - "markdownDescription": "Experimental tool-level sandboxing (implementation in progress).\n\n- Category: `Security`\n- Requires restart: `no`\n- Default: `false`", + "description": "Tool-level sandboxing. Isolates individual tools instead of the entire CLI process.", + "markdownDescription": "Tool-level sandboxing. Isolates individual tools instead of the entire CLI process.\n\n- Category: `Security`\n- Requires restart: `yes`\n- Default: `false`", "default": false, "type": "boolean" },