dgx-spark-playbooks/nvidia/station-healthcare-agent/assets/sandbox-policy.yaml

# SPDX-FileCopyrightText: Copyright (c) 2025-2026 NVIDIA CORPORATION & AFFILIATES. All rights reserved.
# SPDX-License-Identifier: Apache-2.0
#
# Machine-specific: the openfold3 policy references the Docker bridge IP.
#   GB300:       Docker bridge 172.18.0.1
#   New Station: Docker bridge 172.17.0.1
# Use scripts/gen_sandbox_policy.sh to generate a policy with the correct IP,
# or edit the openfold3 section below before sandbox creation.

version: 1

filesystem_policy:
  include_workdir: true
  read_only:
    - /usr
    - /lib
    - /proc
    - /dev/urandom
    - /etc
    - /var/log
  read_write:
    - /tmp
    - /sandbox
    - /dev/null

landlock:
  # NOTE: hard_requirement causes CrashLoopBackOff with the OpenClaw community
  # sandbox image (tested on OpenShell 0.0.16 and 0.0.21). The image likely
  # references paths that Landlock cannot enforce. Use best_effort until the
  # upstream image is updated. All other security controls (L7 enforcement,
  # implicit-deny networking, process isolation) remain active.
  compatibility: best_effort

process:
  run_as_user: sandbox
  run_as_group: sandbox

network_policies:
  # inference.local is a virtual hostname handled by OpenShell's proxy routing
  # layer, NOT by network_policies. The proxy intercepts CONNECT requests,
  # TLS-terminates, and routes to the host Ollama. Raw IP endpoints
  # (127.0.0.1, 172.x.0.1) cannot work here -- the sandbox CIDR-blocks
  # private/loopback ranges regardless of policy entries.
  # OpenClaw must use OPENCLAW_HTTPS_PROXY so Node.js routes through the
  # proxy where inference.local virtual hostname resolution works.
  inference:
    name: inference
    endpoints:
      - host: inference.local
        port: 443
    binaries:
      - { path: /usr/bin/node }
      - { path: /usr/bin/curl }
      - { path: "/usr/bin/python3*" }
      - { path: "/usr/local/bin/python3*" }
      - { path: "/sandbox/.venv/bin/python*" }

  fhir:
    name: fhir
    endpoints:
      - host: r4.smarthealthit.org
        port: 443
        protocol: rest
        tls: terminate
        enforcement: enforce
        access: read-only
    binaries:
      - { path: /usr/bin/curl }
      - { path: "/usr/bin/python3*" }
      - { path: "/usr/local/bin/python3*" }
      - { path: "/sandbox/.venv/bin/python*" }

  pubchem:
    name: pubchem
    endpoints:
      - host: pubchem.ncbi.nlm.nih.gov
        port: 443
        protocol: rest
        tls: terminate
        enforcement: enforce
        access: read-only
    binaries:
      - { path: /usr/bin/curl }
      - { path: "/usr/bin/python3*" }
      - { path: "/usr/local/bin/python3*" }
      - { path: "/sandbox/.venv/bin/python*" }

  openfold3:
    name: openfold3
    endpoints:
      - host: __DOCKER_BRIDGE_IP__
        port: 8000
        protocol: rest
        tls: passthrough
        enforcement: enforce
        rules:
          - allow:
              method: POST
              path: /biology/openfold/**
          - allow:
              method: GET
              path: /v1/health/*
          - allow:
              method: GET
              path: /v1/models
    binaries:
      - { path: /usr/bin/curl }
      - { path: "/usr/bin/python3*" }
      - { path: "/usr/local/bin/python3*" }
      - { path: "/sandbox/.venv/bin/python*" }

  cdn:
    name: cdn
    endpoints:
      - host: code.jquery.com
        port: 443
        protocol: rest
        tls: terminate
        enforcement: enforce
        access: read-only
      - host: 3dmol.org
        port: 443
        protocol: rest
        tls: terminate
        enforcement: enforce
        access: read-only
      - host: unpkg.com
        port: 443
        protocol: rest
        tls: terminate
        enforcement: enforce
        access: read-only
    binaries:
      - { path: /usr/bin/curl }
      - { path: "/usr/bin/python3*" }
      - { path: "/usr/local/bin/python3*" }
      - { path: "/sandbox/.venv/bin/python*" }

  # Setup-only: required during initial sandbox provisioning to clone the repo
  # and install npm packages. Not used at runtime.
  github:
    name: github
    endpoints:
      - host: github.com
        port: 443
        protocol: rest
        tls: terminate
        enforcement: enforce
        access: read-only
      - host: objects.githubusercontent.com
        port: 443
        protocol: rest
        tls: terminate
        enforcement: enforce
        access: read-only
    binaries:
      - { path: /usr/bin/git }
      - { path: /usr/bin/node }
      - { path: /usr/bin/npm }

  # Setup-only: required during initial sandbox provisioning to install
  # openclaw and other npm packages. Not used at runtime.
  npm:
    name: npm
    endpoints:
      - { host: registry.npmjs.org, port: 443 }
    binaries:
      - { path: /usr/bin/npm }
      - { path: /usr/bin/node }

  pypi:
    name: pypi
    endpoints:
      - { host: pypi.org, port: 443 }
      - { host: files.pythonhosted.org, port: 443 }
    binaries:
      - { path: /usr/local/bin/uv }
      - { path: "/sandbox/.uv/python/**" }
chore: Regenerate all playbooks 2026-05-26 18:25:53 +00:00			`# SPDX-FileCopyrightText: Copyright (c) 2025-2026 NVIDIA CORPORATION & AFFILIATES. All rights reserved.`
			`# SPDX-License-Identifier: Apache-2.0`
			`#`
			`# Machine-specific: the openfold3 policy references the Docker bridge IP.`
			`# GB300: Docker bridge 172.18.0.1`
			`# New Station: Docker bridge 172.17.0.1`
			`# Use scripts/gen_sandbox_policy.sh to generate a policy with the correct IP,`
			`# or edit the openfold3 section below before sandbox creation.`

			`version: 1`

			`filesystem_policy:`
			`include_workdir: true`
			`read_only:`
			`- /usr`
			`- /lib`
			`- /proc`
			`- /dev/urandom`
			`- /etc`
			`- /var/log`
			`read_write:`
			`- /tmp`
			`- /sandbox`
			`- /dev/null`

			`landlock:`
			`# NOTE: hard_requirement causes CrashLoopBackOff with the OpenClaw community`
			`# sandbox image (tested on OpenShell 0.0.16 and 0.0.21). The image likely`
			`# references paths that Landlock cannot enforce. Use best_effort until the`
			`# upstream image is updated. All other security controls (L7 enforcement,`
			`# implicit-deny networking, process isolation) remain active.`
			`compatibility: best_effort`

			`process:`
			`run_as_user: sandbox`
			`run_as_group: sandbox`

			`network_policies:`
			`# inference.local is a virtual hostname handled by OpenShell's proxy routing`
			`# layer, NOT by network_policies. The proxy intercepts CONNECT requests,`
			`# TLS-terminates, and routes to the host Ollama. Raw IP endpoints`
			`# (127.0.0.1, 172.x.0.1) cannot work here -- the sandbox CIDR-blocks`
			`# private/loopback ranges regardless of policy entries.`
			`# OpenClaw must use OPENCLAW_HTTPS_PROXY so Node.js routes through the`
			`# proxy where inference.local virtual hostname resolution works.`
			`inference:`
			`name: inference`
			`endpoints:`
			`- host: inference.local`
			`port: 443`
			`binaries:`
			`- { path: /usr/bin/node }`
			`- { path: /usr/bin/curl }`
			`- { path: "/usr/bin/python3*" }`
			`- { path: "/usr/local/bin/python3*" }`
			`- { path: "/sandbox/.venv/bin/python*" }`

			`fhir:`
			`name: fhir`
			`endpoints:`
			`- host: r4.smarthealthit.org`
			`port: 443`
			`protocol: rest`
			`tls: terminate`
			`enforcement: enforce`
			`access: read-only`
			`binaries:`
			`- { path: /usr/bin/curl }`
			`- { path: "/usr/bin/python3*" }`
			`- { path: "/usr/local/bin/python3*" }`
			`- { path: "/sandbox/.venv/bin/python*" }`

			`pubchem:`
			`name: pubchem`
			`endpoints:`
			`- host: pubchem.ncbi.nlm.nih.gov`
			`port: 443`
			`protocol: rest`
			`tls: terminate`
			`enforcement: enforce`
			`access: read-only`
			`binaries:`
			`- { path: /usr/bin/curl }`
			`- { path: "/usr/bin/python3*" }`
			`- { path: "/usr/local/bin/python3*" }`
			`- { path: "/sandbox/.venv/bin/python*" }`

			`openfold3:`
			`name: openfold3`
			`endpoints:`
			`- host: __DOCKER_BRIDGE_IP__`
			`port: 8000`
			`protocol: rest`
			`tls: passthrough`
			`enforcement: enforce`
			`rules:`
			`- allow:`
			`method: POST`
			`path: /biology/openfold/**`
			`- allow:`
			`method: GET`
			`path: /v1/health/*`
			`- allow:`
			`method: GET`
			`path: /v1/models`
			`binaries:`
			`- { path: /usr/bin/curl }`
			`- { path: "/usr/bin/python3*" }`
			`- { path: "/usr/local/bin/python3*" }`
			`- { path: "/sandbox/.venv/bin/python*" }`

			`cdn:`
			`name: cdn`
			`endpoints:`
			`- host: code.jquery.com`
			`port: 443`
			`protocol: rest`
			`tls: terminate`
			`enforcement: enforce`
			`access: read-only`
			`- host: 3dmol.org`
			`port: 443`
			`protocol: rest`
			`tls: terminate`
			`enforcement: enforce`
			`access: read-only`
			`- host: unpkg.com`
			`port: 443`
			`protocol: rest`
			`tls: terminate`
			`enforcement: enforce`
			`access: read-only`
			`binaries:`
			`- { path: /usr/bin/curl }`
			`- { path: "/usr/bin/python3*" }`
			`- { path: "/usr/local/bin/python3*" }`
			`- { path: "/sandbox/.venv/bin/python*" }`

			`# Setup-only: required during initial sandbox provisioning to clone the repo`
			`# and install npm packages. Not used at runtime.`
			`github:`
			`name: github`
			`endpoints:`
			`- host: github.com`
			`port: 443`
			`protocol: rest`
			`tls: terminate`
			`enforcement: enforce`
			`access: read-only`
			`- host: objects.githubusercontent.com`
			`port: 443`
			`protocol: rest`
			`tls: terminate`
			`enforcement: enforce`
			`access: read-only`
			`binaries:`
			`- { path: /usr/bin/git }`
			`- { path: /usr/bin/node }`
			`- { path: /usr/bin/npm }`

			`# Setup-only: required during initial sandbox provisioning to install`
			`# openclaw and other npm packages. Not used at runtime.`
			`npm:`
			`name: npm`
			`endpoints:`
			`- { host: registry.npmjs.org, port: 443 }`
			`binaries:`
			`- { path: /usr/bin/npm }`
			`- { path: /usr/bin/node }`

			`pypi:`
			`name: pypi`
			`endpoints:`
			`- { host: pypi.org, port: 443 }`
			`- { host: files.pythonhosted.org, port: 443 }`
			`binaries:`
			`- { path: /usr/local/bin/uv }`
			`- { path: "/sandbox/.uv/python/**" }`