feat(sandbox): Add SANDBOX_FLAGS for custom container options (#2036)

Co-authored-by: matt korwel <matt.korwel@gmail.com>

docs/sandbox.md

@@ -77,6 +77,24 @@ Built-in profiles (set via `SEATBELT_PROFILE` env var):
 - `restrictive-open`: Strict restrictions, network allowed
 - `restrictive-closed`: Maximum restrictions
 
+### Custom Sandbox Flags
+
+For container-based sandboxing, you can inject custom flags into the `docker` or `podman` command using the `SANDBOX_FLAGS` environment variable. This is useful for advanced configurations, such as disabling security features for specific use cases.
+
+**Example (Podman)**:
+
+To disable SELinux labeling for volume mounts, you can set the following:
+
+```bash
+export SANDBOX_FLAGS="--security-opt label=disable"
+```
+
+Multiple flags can be provided as a space-separated string:
+
+```bash
+export SANDBOX_FLAGS="--flag1 --flag2=value"
+```
+
 ## Linux UID/GID handling
 
 The sandbox automatically handles user permissions on Linux. Override these permissions with:

packages/cli/src/utils/sandbox.ts

@@ -9,7 +9,7 @@ import os from 'node:os';
 import path from 'node:path';
 import fs from 'node:fs';
 import { readFile } from 'node:fs/promises';
-import { quote } from 'shell-quote';
+import { quote, parse } from 'shell-quote';
 import {
   USER_SETTINGS_DIR,
   SETTINGS_DIRECTORY_NAME,
@@ -399,6 +399,14 @@ export async function start_sandbox(
   // run init binary inside container to forward signals & reap zombies
   const args = ['run', '-i', '--rm', '--init', '--workdir', containerWorkdir];
 
+  // add custom flags from SANDBOX_FLAGS
+  if (process.env.SANDBOX_FLAGS) {
+    const flags = parse(process.env.SANDBOX_FLAGS, process.env).filter(
+      (f): f is string => typeof f === 'string',
+    );
+    args.push(...flags);
+  }
+
   // add TTY only if stdin is TTY as well, i.e. for piped input don't init TTY in container
   if (process.stdin.isTTY) {
     args.push('-t');