This document provides a guide to sandboxing in the Gemini CLI, including prerequisites, quickstart, and configuration.
Before using sandboxing, you need to install and set up the Gemini CLI:
npm install -g @google/gemini-cliTo verify the installation:
gemini --versionSandboxing isolates potentially dangerous operations (such as shell commands or file modifications) from your host system, providing a security barrier between AI operations and your environment.
The benefits of sandboxing include:
- Security: Prevent accidental system damage or data loss.
- Isolation: Limit file system access to project directory.
- Consistency: Ensure reproducible environments across different systems.
- Safety: Reduce risk when working with untrusted code or experimental commands.
Your ideal method of sandboxing may differ depending on your platform and your preferred container solution.
Lightweight, built-in sandboxing using sandbox-exec.
Default profile: permissive-open - restricts writes outside project
directory but allows most other operations.
Cross-platform sandboxing with complete process isolation.
Note: Requires building the sandbox image locally or using a published image from your organization's registry.
# Enable sandboxing with command flag
gemini -s -p "analyze the code structure"
# Use environment variable
export GEMINI_SANDBOX=true
gemini -p "run the test suite"
# Configure in settings.json
{
"tools": {
"sandbox": "docker"
}
}- Command flag:
-sor--sandbox - Environment variable:
GEMINI_SANDBOX=true|docker|podman|sandbox-exec - Settings file:
"sandbox": truein thetoolsobject of yoursettings.jsonfile (e.g.,{"tools": {"sandbox": true}}).
Built-in profiles (set via SEATBELT_PROFILE env var):
permissive-open(default): Write restrictions, network allowedpermissive-closed: Write restrictions, no networkpermissive-proxied: Write restrictions, network via proxyrestrictive-open: Strict restrictions, network allowedrestrictive-closed: Maximum restrictions
For container-based sandboxing, you can inject custom flags into the docker or
podman command using the SANDBOX_FLAGS environment variable. This is useful
for advanced configurations, such as disabling security features for specific
use cases.
Example (Podman):
To disable SELinux labeling for volume mounts, you can set the following:
export SANDBOX_FLAGS="--security-opt label=disable"Multiple flags can be provided as a space-separated string:
export SANDBOX_FLAGS="--flag1 --flag2=value"The sandbox automatically handles user permissions on Linux. Override these permissions with:
export SANDBOX_SET_UID_GID=true # Force host UID/GID
export SANDBOX_SET_UID_GID=false # Disable UID/GID mapping"Operation not permitted"
- Operation requires access outside sandbox.
- Try more permissive profile or add mount points.
Missing commands
- Add to custom Dockerfile.
- Install via
sandbox.bashrc.
Network issues
- Check sandbox profile allows network.
- Verify proxy configuration.
DEBUG=1 gemini -s -p "debug command"Note: If you have DEBUG=true in a project's .env file, it won't affect
gemini-cli due to automatic exclusion. Use .gemini/.env files for gemini-cli
specific debug settings.
# Check environment
gemini -s -p "run shell command: env | grep SANDBOX"
# List mounts
gemini -s -p "run shell command: mount | grep workspace"- Sandboxing reduces but doesn't eliminate all risks.
- Use the most restrictive profile that allows your work.
- Container overhead is minimal after first build.
- GUI applications may not work in sandboxes.
- Configuration: Full configuration options.
- Commands: Available commands.
- Troubleshooting: General troubleshooting.