feat: code qa

en/getting-started/install-self-hosted/README.md

@@ -68,6 +68,11 @@ The Dify Self hosted Edition, which is the open-source on [GitHub](https://githu
 
     ![](<../../.gitbook/assets/image (33).png>)
 
+*   **Why is SYS_ADMIN permission needed?**
+        The sandbox service is based on `Seccomp` for sandbox isolation, but also, Docker is based on `Seccomp` for resource isolation. In Docker, Linux Seccomp BPF is disabled by default, which prevents the use of `Seccomp` in containers, so SYS_ADMIN permission is required to enable `Seccomp`.
+
+        As for the security of the sandbox service, we disabled all `file system`, `network`, `IPC`, `PID`, `user`, `mount`, `UTS`, and system access capabilities of all processes in the sandbox to ensure that malicious code is not executed. At the same time, we also isolate the files and network in the container to ensure that even if the code is executed, it cannot harm the system.
+
 ### Contributing
 
 To ensure proper review, all code contributions - including those from contributors with direct commit access - must be submitted via pull requests and approved by the core development team prior to being merged.

zh_CN/learn-more/faq/install-faq.md

@@ -227,4 +227,12 @@ VECTOR_STORE: weaviate
 3. 执行以下命令
 ```
 flask vdb-migrarte # or docker exec -it docker-api-1 flask vdb-migrarte
-```
+```
+
+### 18. 为什么Sandbox需要SYS_ADMIN权限？
+
+#### 为什么需要SYS_ADMIN权限？
+Sandbox基于`Seccomp`进行沙箱隔离，而Docker也是基于`Seccomp`进行资源隔离，并且，在Docker中，Linux Seccomp BPF是被默认禁用的，导致无法在容器中使用`Seccomp`，因此，需要SYS_ADMIN权限来启用`Seccomp`。
+
+#### 安全性问题
+至于安全性问题，我们禁用了Sandbox中所有进程的文件、网络、IPC、PID、用户、mount、UTS、系统访问等能力，以确保恶意代码不会被执行，同时，我们还额外隔离了容器中的文件和网络，以确保在即使代码被执行，也无法对系统造成危害。