> But the practical limitation is language support. You cannot run arbitrary Python scripts in WASM today without compiling the Python interpreter itself to WASM along with all its C extensions. For sandboxing arbitrary code in arbitrary languages, WASM is not yet viable.
Is the support for Python code provided as a Rust library by any chance, where you could do something like pass in a simple Python function, run it in wasmer, and then get back the result? I know a lot of complications would come into play around supporting C-based dependencies and the WASM APIs for things like I/O. I was recently looking into this for a use case where the goal is to prevent direct use of I/O in favor of only supporting a few specific APIs provided directly to a WASM engine for the code it's executing. The conclusion I reached was that the only viable options currently available would require either shelling out to something external or manually loading in a WASM-compiled interpreter and implementing the glue code to execute Python with it myself.
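For what it's worth, the "few specific APIs provided directly to the engine" part can be sketched independently of any particular runtime. Here's a toy illustration of the shape of that glue code, with plain Python standing in for the guest; none of these names come from wasmer's actual API:

```python
# Sketch: a host exposes only an allowlisted set of functions to guest code.
# In a real WASM embedding these would be host imports wired into the
# module's import table; everything else (fs, net, clocks) is simply absent.

class HostAPI:
    """Only functions registered here are callable from the guest."""

    def __init__(self):
        self._allowed = {}

    def expose(self, name, fn):
        self._allowed[name] = fn

    def call(self, name, *args):
        if name not in self._allowed:
            raise PermissionError(f"host function not exposed: {name}")
        return self._allowed[name](*args)

# The host decides exactly which capabilities the guest gets: here a
# key-value lookup, but no open(), no sockets, no subprocess.
host = HostAPI()
host.expose("kv_get", {"greeting": "hello"}.get)

def guest_code(api):
    # Guest logic can only reach the world through api.call(...)
    return api.call("kv_get", "greeting")
```

The same structure applies whether the guest is a WASM-compiled interpreter or anything else: capabilities exist only if the host wires them in.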
syrusakbary 12 hours ago [-]
Not right now but we would love to provide it.
We have been super busy lately, but when we have a chance we will work on it!
saghm 7 hours ago [-]
Totally fair! I definitely understand the struggle of having more things that you want to do than time to work on them, and it's better to focus on the priorities and do them well than rush things just to get more of them done faster. Thanks for the response though; there's enough stuff happening in the WASM ecosystem that I don't always have confidence about whether I missed something!
rcarmo 14 hours ago [-]
Without any restrictions except, well, performance, and still a fair amount of library choices. It’s just easier to use Go (TinyGo, actually) instead.
shayonj 1 day ago [-]
Wasmer looks v cool. I must check it out
saghm 17 hours ago [-]
Can you clarify what your disagreement is? The statement you're responding to seems to be that you can't necessarily run arbitrary code in arbitrary languages because it's only possible if the runtime is supported, and you're giving examples of two specific languages that had explicit extra work done to support them, which sounds pretty much exactly like what they're stating.
From what I can tell, the point they're making is that if you want a sandbox that you can put whatever you want into and have it work without it having explicit support provided for that language in the form of recompiling the runtime, it's not going to work. If someone is expecting to be able to throw stuff they already have into a sandbox as-is and have it work, WASM is not what they're looking for (at least not today).
simonw 10 hours ago [-]
It used Python as an example of why "For sandboxing arbitrary code in arbitrary languages, WASM is not yet viable." - but Python in WASM works really well, as do other languages where the interpreter can be compiled to WASM.
So while the statement is technically true that you can't run "arbitrary code in arbitrary languages", the practical reality is that for many languages WASM is a great solution despite that.
saghm 7 hours ago [-]
Looking again at the article though, it seems like they've added a paragraph after that references your response. The paragraph you quoted from isn't marked as edited, so I'm not sure if this was there before, but at least right now there's additional context coming immediately after your quote that I feel like conveys more nuance than it seems like you're addressing:
> For sandboxing arbitrary code in arbitrary languages, WASM is not yet viable. For sandboxing code you control the toolchain for, it is excellent.
That sounds pretty definitively like they're saying it is a great practical solution for many cases, not "ruling it out" like you mentioned in your top-level comment. It sounds more like they're saying it's not currently a black-box that you can run arbitrary code in, which is what some people might want in a sandbox.
simonw 6 hours ago [-]
> It sounds more like they're saying it's not currently a black-box that you can run arbitrary code in, which is what some people might want in a sandbox.
Yes, that's exactly what they are saying and it's true.
My comment (which they took on board) was to point out that, despite that, Python and JavaScript in WASM works really well if you take the extra steps of including a WASM-compiled build of the relevant interpreters.
I stand by my advice in this line:
> So don't rule out WASM as a target for running non-compiled languages, it can work pretty well!
You shouldn't rule out WASM for this purpose! I think it's likely people could read their original article and come to the wrong conclusion about that.
saghm 2 hours ago [-]
> I think it's likely people could read their original article and come to the wrong conclusion about that.
Fair enough; I think that's the part that I was missing. I might have been biased from having looked into this for Python recently and having a fairly high confidence in what those extra steps are, which could have made me overlook that others might not realize that those extra steps are even possible.
shayonj 1 day ago [-]
That is a good callout, and I missed considering the options you pointed out. When I am back on a keyboard I will add an updated note with a link to your comment. Thank you!
pash 1 day ago [-]
OK, let’s survey how everybody is sandboxing their AI coding agents in early 2026.
What I’ve seen suggests the most common answers are (a) “containers” and (b) “YOLO!” (maybe adding, “Please play nice, agent.”).
One approach that I’m about to try is Sandvault [0] (macOS only), which uses the good old Unix user system together with some added precautions. Basically, give an agent its own unprivileged user account and interact with it via sudo, SSH, and shared directories.
0. https://github.com/webcoyote/sandvault
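The mechanics of that approach are simple enough to sketch: once a dedicated account exists, interaction is mostly command construction around `sudo -u` and a shared directory. The account name and paths below are invented for illustration, and the commands are only built, not executed:

```python
# Sketch: interacting with an agent that runs under its own unprivileged
# Unix account. We only build argv lists here; actually executing them
# (e.g. via subprocess.run) is left out so the shape stays visible.

AGENT_USER = "agent"              # hypothetical dedicated account
SHARED_DIR = "/srv/agent-inbox"   # hypothetical shared directory

def run_as_agent(command):
    """argv for running a command as the agent user via sudo."""
    return ["sudo", "-u", AGENT_USER, "--"] + list(command)

def hand_off(path):
    """argv for copying work into the shared directory the agent can read."""
    return ["install", "-m", "0644", path, SHARED_DIR]
```

Unix file permissions then do the actual enforcement: the agent account simply cannot read your home directory or your SSH keys.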
I use KVM/QEMU on Linux. I have a set of scripts that creates a new directory with a VM project and installs a Debian image for the VM. I have ./pull_from_vm and ./push_to_vm scripts that pull and push the git code to and from the VM, as well as a ./claude to start Claude on the VM and an ./emacs to initialize and start emacs on the VM after syncing my local .spacemacs directory to it (I like this because of customized emacs muscle memory, and because I worry that emacs can execute arbitrary code if I use it to ssh to the VM client from my host).
I try not to run LLMs directly on my own host. The only exception is that I do use https://github.com/karthink/gptel on my own machine, because it is just too damn useful. I hope I don't self-own with that someday.
I'm mainly addressing sandboxing by running stuff in Claude Code for web, at which point it's Anthropic's problem if they have a sandbox leak, not mine.
It helps that most of my projects are open source so I don't need to worry about prompt injection code stealing vulnerabilities. That way the worst that can happen would be an attack adding a vulnerability to my code that I don't spot when I review the PR.
And turning off outbound networking should protect against code stealing too... but I allow access to everything because I don't need to worry about code stealing and that way Claude can install things and run benchmarks and generally do all sorts of other useful bits and pieces.
Containers here, though I don't run Claude Code within containers, nor do I pass `--dangerously-skip-permissions`. Instead, I provide a way for agents to run commands within containers.
These containers only have the worker agent's workspace and some caching dirs (e.g. GOMODCACHE) mounted, and by default have `--network none` set. (Some commands, like `go mod download`, can be explicitly exempted to have network access.)
I also use per-skill hooks to enforce more filesystem isolation and check if an agent attempts to run e.g. `go build`, and tell it to run `aww exec go build` instead. (AWW is the name of the agent workflow system I've been developing over the past month—"Agent Workflow Wrangler.")
This feels like a pragmatic setup. I'm sure it's not riskless, but hopefully it does enough to mitigate the worst risks. I may yet go back to running Claude Code in a dedicated VM, along with the containerized commands, to add yet another layer of isolation.
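The container side of a setup like the one described above can be sketched as a small command builder, assuming Docker-style tooling. The wrapper, image name, paths, and exemption list here are invented for illustration; the real `aww` tool presumably differs:

```python
# Sketch: build a `docker run` command that mounts only the agent's
# workspace and a cache dir, with networking off by default and explicit
# per-command exemptions, mirroring the setup described above.

NETWORK_EXEMPT = {("go", "mod", "download")}  # commands granted network access

def containerized(command, workspace="/work", gomodcache="/cache/gomod"):
    argv = [
        "docker", "run", "--rm",
        "-v", f"{workspace}:{workspace}",
        "-v", f"{gomodcache}:/go/pkg/mod",
    ]
    if tuple(command) not in NETWORK_EXEMPT:
        argv += ["--network", "none"]  # default: no network
    argv += ["builder-image"] + list(command)  # hypothetical image name
    return argv
```

A hook can then rewrite the agent's `go build` into `containerized(["go", "build"])` before anything touches the host.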
Grauwolf 6 hours ago [-]
I use either QEMU VMs or my own sandbox-run [0] (a bubblewrap wrapper) for isolation, depending on the use case.
It can run anything from a busybox in WASM to a full cloud VM. The agent just sees a shell.
[0] https://codeberg.org/Grauwolf/sandbox-run
beepbooptheory 20 hours ago [-]
This seems to be billed as an MCP server for making sandbox containers... right? Doesn't this kind of miss the whole point?
"Make me a sandbox for yourself! Make sure its really secure!"
scosman 11 hours ago [-]
The sandboxing options are set when you connect the MCP to the agent, not by the agent passing params about its own sandbox.
There’s a misconception about the right security boundary for agents. The agent code needs secrets (API keys, prompts, code) and the network (docs, other use cases). Wrapping the whole agent in a container puts secrets, network access, and arbitrary agent CLI execution into the same host OS.
If you sandbox just the agent’s CLI access, then it can’t access its own API keys/code/host OS/etc.
athrowaway3z 13 hours ago [-]
Dedicated user account.
That's not to say I don't use bwrap.
But I use that specifically to run 'user-emulation' stories where an agent starts in its own `~/` environment with my tarball at ~/Downloads/app.tar.gz, and has to find its way through the docs / code / CLIs and report on the experience.
davidcann 22 hours ago [-]
My app is a macOS terminal wrapper with nice GUI for sandbox-exec and network sandbox. I just added a vertical tabs option too. https://multitui.com
netcoyote 24 hours ago [-]
Sandvault author here: thanks for the shout-out!
I would add that in addition to Unix permissions, sandvault also utilizes macOS sandbox-exec to further limit the blast radius.
8n4vidtmkvmk 15 hours ago [-]
I've been using nsjail, which i guess employs several of these techniques.
burntcaramel 23 hours ago [-]
WebAssembly is particularly attractive for agentic coding because prompting it to write Zig or C is no harder than prompting it to write JavaScript. So you can get the authoring speed of a scripting language via LLMs but the performance close to native via wasm.
This is the approach I’m using for my open source project qip that lets you pipeline wasm modules together to process text, images & data: https://github.com/royalicing/qip
qip modules follow a really simple contract: there’s some input provided to the WebAssembly module, and there’s some output it produces. They can’t access fs/net/time. You can pipe in from your other CLIs though, e.g. from curl.
I have example modules for markdown-to-html, bmp-to-ico (great for favicons), ical events, a basic svg rasterizer, and a static site builder. You compose them together and then can run them on the command line, in the browser, or in the provided dev server. Because the module contract is so simple they’ll work on native too.
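That bytes-in, bytes-out contract composes naturally. A toy stand-in for the pipeline, with pure Python functions in place of real WASM modules (the composition logic is the same either way):

```python
# Sketch: the qip-style module contract modeled as bytes -> bytes functions.
# Real modules would be WASM instances with no fs/net/clock imports; since
# each stage is a pure transform, chaining them is trivial.

def pipeline(*modules):
    def run(data: bytes) -> bytes:
        for mod in modules:
            data = mod(data)
        return data
    return run

# Two toy "modules": uppercase the text, then wrap it in a tag.
upper = lambda b: b.upper()
tag = lambda b: b"<out>" + b + b"</out>"

process = pipeline(upper, tag)
```

Because no stage has ambient capabilities, the same composition runs identically in the browser, on the CLI, or on native.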
skybrian 17 hours ago [-]
An advantage of running a coding agent in a VM is that to answer your question, it can install arbitrary software into the VM. (For example, running apt-get or using curl to install a specialized tool.) WebAssembly seems suitable for more specialized agents where you already know what software it will need?
int0x29 1 day ago [-]
It's worth pointing out another boundary: speculative execution. If sensitive data is in process memory with a WASM VM, it can be read even if the VM doesn't expose it. This is also true of multiple WASM VMs running for different parties. For WASM isolation to work, the VM needs to be in a separate process.
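The practical upshot, keeping secrets out of the address space that runs guest code, can be seen with an ordinary subprocess and a scrubbed environment. Nothing here is WASM-specific; it's the process boundary doing the work:

```python
import os
import subprocess
import sys

# Sketch: secrets live in the parent process; the worker that would host a
# WASM VM runs in a separate process with a scrubbed environment, so the
# secret is simply absent from any memory the guest could side-channel.

def run_worker(code: str) -> str:
    clean_env = {"PATH": os.environ.get("PATH", "/usr/bin")}  # no secrets
    out = subprocess.run(
        [sys.executable, "-c", code],
        env=clean_env, capture_output=True, text=True, check=True,
    )
    return out.stdout.strip()

API_KEY = "sk-not-for-the-vm"  # lives only in the parent process
leaked = run_worker("import os; print('API_KEY' in os.environ)")
```

Speculative-execution reads stop at the process boundary: data that was never mapped into the worker cannot be leaked from it.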
coppsilgold 18 hours ago [-]
The difference between gVisor and a microVM isn't very large.
gVisor can even use KVM.
What gVisor doesn't have is the big Linux kernel, it attempts to roll a subset of it on its own in Go. And while doing so it allows for more convenient (from the host side) resource management.
Imagine taking the Linux kernel and starting to modify it to have a guest VM mode (memory management merged with the host, sockets passed through, file systems coupled closer etc). As you progress along that axis you will eventually end up as a gVisor clone.
Ultimately what all these approaches attempt to do is narrow the interface between the jailed process and the host kernel, because the default interface is vast. Makes you wonder if we will ever have a kernel with a narrow interface by default, a RISC-like syscall movement for kernels.
diacritical 1 day ago [-]
Is there anything more secure than Qubes, assuming enough hardware resources? I'm asking about existing solutions, not theoretical ones. Given its track record so far, I'm betting not, but I'd love to be proven wrong. Adding sandboxing within a VM or hardening it should add more security, but overall I think this is the right approach for anyone who can afford a decent computer.
The attack surface of Xen, the current hypervisor of Qubes, is small compared to browsers and OSes, which have 0-days patched several times a year. Even most Xen vulns don't affect Qubes.
I just can't imagine putting my whole digital life in one "normal" OS and hoping that the OS or browser security will keep me safe. I'm mentioning the browser because a lot what used to be in the OS is now in the browser, so it's functionally like another OS.
From a usability point of view it's also useful as I can have different environments. Not only different tools in each VM which means I can pretty much forget about dependency issues, but also different data in each VM. If I wanted, I could run any agent or malware on a VM and the exposure would only be whatever data I chose to put in that VM.
Of course, if you're not passing data between certain VMs, you could use different computers for even better security.
mentalgear 12 hours ago [-]
Took a quick look, and indeed sounds like QubesOS is the ultimate sandbox for developers in the age of LLMs.
lox 16 hours ago [-]
It's amazing how many different implementations of sandboxes have popped up in the past few weeks.
I'm CTO at Buildkite, and have been noodling on one with a view to having an environment that can run both CI workloads and agentic ones: https://github.com/buildkite/cleanroom
shayonj 12 hours ago [-]
Heya! Nice to see you here. In retrospect it feels like CI companies and environments are very well suited for sandboxes, since a lot of the problems overlap: ephemeral workloads, running untrusted code, fast cold starts, multi-tenancy isolation. Also, loved Buildkite at a past job! Looking forward to following cleanroom.
grouchypumpkin 1 day ago [-]
QubesOS was built to give sandboxes kernel isolation via a hypervisor.
It’s not surprising that most people don’t know about it, because QubesOS as a daily driver can be painful. But with some improvements, I think it’s the right way to do it.
diacritical 1 day ago [-]
Just posted about Qubes a minute after you did, but I don't find it painful or even time consuming. Initially there was a learning curve, but even if the security of Qubes became the same as the security of a baremetal OS, I would still use it.
When I'm trying to get some software up and running, I've had issues with Debian many times, as well as with Fedora. Rarely with both. With Qubes, after a few minutes of trying on Debian and running into some obscure errors, I can just say "fuck it" and try with Fedora, or vice versa. Over the years it has saved me more time than the time I've invested in learning how Qubes works or dealing with Qubes-specific issues.
I also don't have to care about polluting my OS with various software and running into a dependency hell.
If a VM crashes or hangs, it's usually OK, as it's just a VM.
It's much easier to run Whonix or VPNs without worrying for IP leaks.
mentalgear 12 hours ago [-]
This is great insight, using Qubes as a "Super-OS" over other OSes. How does it fly performance-wise? What hardware are you on, or would you recommend?
adamgold7 13 hours ago [-]
We've been working on exactly this at Islo. Zero-setup microVM sandboxes with isolated networking by default, plus an approval workflow layer so agents can request capabilities and humans approve/deny in real-time.
The credential problem is handled through proxy middleware - agents never see real tokens, requests get routed through policy-checked proxies that inject credentials only for approved operations.
Is there only a cloud-based mode for Islo, or can I run this entirely on my laptop?
niobe 24 hours ago [-]
The entire kernel on every arch is 40 million lines, but the kernel running on your desktop is probably less than 2 million of those lines.
bluelightning2k 1 day ago [-]
Good write-up. I was hoping to see V8 isolates (Cloudflare Workers) as part of the comparison, as I've always found that interesting.
shayonj 22 hours ago [-]
That’s a good shout! I have been curious as well and did some experiments. I also left GPU sandboxing out of the post. Maybe I'll reflect both in a part II post.
0xbadcafebee 19 hours ago [-]
A VM is table stakes for isolation. Nothing OS-level is going to prevent breaking out; the attack surface is too big, and none of the common OSes are hardened enough. But also missing here is the firewall, which you need to prevent both data exfil and remote code execution from prompt injection. And the final part that's missing is segregating all credentials from the agent's execution environment, which I don't think there's any existing solution for yet. Likely this will be either MCPs or transparent proxies with policy engines that execute requests from tool calls.
Etheryte 18 hours ago [-]
The final part is a long solved problem: pass in mock tokens, pass all requests through a proxy, and only swap in the real tokens if the request matches whatever filtering requirements you have.
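A sketch of that mock-token-plus-proxy pattern (the host allowlist, token names, and policy here are illustrative, not any particular product's API):

```python
# Sketch: the agent only ever sees a placeholder token; an egress proxy
# swaps in the real credential, and only for requests that pass policy.

REAL_TOKENS = {"MOCK_GITHUB_TOKEN": "ghp_real_secret"}  # held by proxy only
ALLOWED_HOSTS = {"api.github.com"}

def proxy_filter(host, path, headers):
    if host not in ALLOWED_HOSTS:
        raise PermissionError(f"blocked host: {host}")
    auth = headers.get("Authorization", "")
    for mock, real in REAL_TOKENS.items():
        if mock in auth:
            headers = dict(headers, Authorization=auth.replace(mock, real))
    return headers  # the forwarded request carries the real token

fwd = proxy_filter("api.github.com", "/user",
                   {"Authorization": "Bearer MOCK_GITHUB_TOKEN"})
```

Even a fully compromised agent can then only spend the credential against the hosts and paths the policy allows, and never learns the real token at all.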
shayonj 9 hours ago [-]
This is going to be an interesting space to watch, I think, and a big part of offering sandboxing as a service for enterprise and SaaS needs.
mmastrac 18 hours ago [-]
I believe deno literally shipped that final part a few weeks back.
mcfig 1 day ago [-]
I appreciate the details in this, but I also notice it is very machine-focused. When a user wants to sandbox an AI agent, they don’t just want their local .ssh keys protected. They also want to be able to control access to a lot of off-machine resources - e.g. allowing the agent to read github issues and sometimes also make some kinds of changes.
athrowaway3z 13 hours ago [-]
It only mentions 'user' isolation once, in a table?
Giving agents their own user account is my go-to solution, and it solves all my practical problems with by far the oldest, best-documented, and simplest isolation mechanism.
m132 22 hours ago [-]
> The trade-off versus gVisor is that microVMs have higher per-instance overhead but stronger, hardware-enforced isolation.
Having worked on kernel and hypervisor code, I really don't see much of a difference in terms of isolation. Could you elaborate on this?
shayonj 12 hours ago [-]
Yeah, it's hard to hit the right balance with nuance around these and you're spot on. What I meant to get at was the specific difference in default modes where gVisor's systrap intercepts syscalls via seccomp traps and handles them entirely in a user-space Go kernel, so there's no hardware isolation boundary in the memory/execution sense. A microVM puts the guest in a VT-x/EPT-isolated address space, which is a qualitative difference in what enforces the boundary (perhaps?)
Whereas, yeah, you can run gVisor in KVM mode where it does use hardware virtualization, and at that point the isolation boundary is much closer to a microVM's. I believe the real difference then becomes more about what's on either side of that boundary: gVisor gives you a memory-safe Go kernel making ~70 host syscalls, while a microVM gives you a full guest Linux kernel behind a minimal VMM. So at least in my mind it comes down to different trust chains, not necessarily one strictly stronger than the other.
m132 6 hours ago [-]
I see this "hardware isolation" benefit of virtual machines brought up a lot, but if you look a little deeper into it, putting that label exclusively on VMs is very much unfair.
Just like containers, VMs are very loosely defined and, under the hood, composed of mechanisms that can be used in isolation (paging, trapping, IOMMU vs individual cgroups and namespaces). It's those mechanisms that give you the actual security benefits.
And most of them are used outside of VMs, to isolate processes on a bare kernel. The system call/software interrupt trapping and "regular" virtual memory of gVisor (or even a bare Linux kernel) are just as much of a "hardware boundary" as the hypercalls and SLAT virtual memory are in the case of VMs, just without the hacks needed to make the isolated side believe it's in control of real hardware. One traps into Sentry, the other traps into QEMU, but ultimately both are user-space processes running on the host kernel. And they themselves are isolated, using the very same primitives, by the host kernel.
As you clarified here, the real difference lies in what's on the other side of these boundaries. gVisor will probably have some more overhead, at least in the systrap mode, as every trapped call has to go through the host kernel's dispatcher before landing in Sentry. QEMU/KVM has this benefit of letting the guest's user-space call the guest kernel directly, and only the kernel typically can then call QEMU. The attack surface, too, differs a lot in both cases. gVisor is a niche Google project, KVM is a business-critical component of many public cloud providers.
It may sound like I'm nitpicking, but I believe that it's important to understand this to make an informed decision and avoid the mistake of stacking up useless layers, as it is plaguing today's software engineering.
Thanks for your reply and post by the way! I was looking for something like gVisor.
orangea 21 hours ago [-]
The first half of the article says "namespaces, cgroups, and seccomp aren't 'security boundaries' because if the kernel had a bug it could be used to escape from a sandbox". Then in the second half it says "use gvisor and do all this other stuff to avoid these problems." This presentation feels kind of dishonest to me because the article avoids acknowledging the obvious question: "well what if gvisor has a bug then?" I mean, sure, another layer of sandboxing that is simpler than the other layers probably increases security, but let's not pretend like these are fundamentally different approaches.
shayonj 21 hours ago [-]
It touches on that in the gVisor section: the trade-off is that gVisor's surface area is smaller. There are trade-offs; it's not dishonest.
CuriouslyC 1 day ago [-]
Sandbox isolation is only slightly important, you don't need to make it fancy, just a plain old VM. The really important thing is how you control capabilities you give for the agent to act on your behalf.
yoyohello13 1 day ago [-]
But managing granular permissions is hard. The common denominator with all these discussions is people want to apply the minimal amount of thinking possible.
jbverschoor 1 day ago [-]
1) can access/write local files?
2) can access/write a specific folder?
3) can access network?
4) can access gateway/internet?
5) can access local network? (vlans would help here)
6) give access to USB devices
7) needs access to the screen? -> give framebuffer access / drawing primitives
8) Need to write? Use an overlay FS that can be checked by the host and approved
9) sub processes can never escalate permissions
By default: nothing. But unfortunately, the default is always allow.
Also, make it simple to remove the permissions again.
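The checklist above amounts to a default-deny capability record. A minimal sketch, with field names invented to mirror the numbered list:

```python
from dataclasses import dataclass

# Sketch: the permission checklist above as a default-deny capability
# record. Everything is off unless explicitly granted, and revoking a
# permission is just swapping in a stricter record.

@dataclass(frozen=True)
class SandboxPolicy:
    read_paths: frozenset = frozenset()  # (1)/(2): specific folders only
    network: bool = False                # (3)
    internet: bool = False               # (4)
    local_network: bool = False          # (5)
    usb: bool = False                    # (6)
    framebuffer: bool = False            # (7)
    write_overlay: bool = False          # (8): writes go to an overlay FS

    def allows_read(self, path: str) -> bool:
        return any(path.startswith(p) for p in self.read_paths)

DEFAULT = SandboxPolicy()  # by default: nothing
```

Since the record is frozen, subprocesses can only inherit it, never widen it, which is one way to keep point 9 (no escalation) easy to reason about.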
noperator 1 day ago [-]
> compute isolation means nothing if the sandbox can freely phone home.
Here's a project I've been working on to address the network risk. It uses an nftables firewall allowing outbound traffic only to an explicit pinned domain allowlist (continuously refreshing DNS resolutions in the background).
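The rule-generation side of such a tool can be sketched roughly as below. The nftables syntax is written from memory as an illustration and the real project's rules may differ; DNS re-resolution is stubbed out by passing already-resolved IPs in (192.0.2.10 is a documentation address):

```python
# Sketch: turn a pinned domain -> IPs mapping into nftables rules that
# allow outbound traffic only to the allowlist and drop everything else.
# A real implementation would re-resolve DNS periodically and atomically
# reload the ruleset.

def nft_rules(resolved: dict) -> list:
    ips = sorted(ip for addrs in resolved.values() for ip in addrs)
    rules = [
        "table inet agent_egress {",
        "  chain output {",
        "    type filter hook output priority 0; policy drop;",
        "    ct state established,related accept",
    ]
    for ip in ips:
        rules.append(f"    ip daddr {ip} accept")
    rules += ["  }", "}"]
    return rules

rules = nft_rules({"api.example.com": ["192.0.2.10"]})
```

The default-drop policy is what makes this a real boundary: a prompt-injected agent cannot exfiltrate to a host that was never resolved onto the allowlist.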
Sharing my 5 cents on the matter: in another world, gaming, where embedding scripting languages is done for modding, I hope to see WASM take off as a way for modern modders to get into game development.
I've seen smaller developers experimenting with this, but haven't heard of larger orgs doing it, possibly because UGC has taken the place of modders as well. I come from an older world where developers 20 years ago would have had their hands on an actual SDK that wasn't part of a long microtransaction pipeline.
In my org's case, where we built an entire game engine off Lua, and previously had done Lua integration in the Source Engine, I would have loved to have had sandboxing from the start rather than trying to think about security after the fact.
To the article's point: even if you were to add sandboxing today in those environments, I suspect you'd still be faster than some of the fastest embedded scripting languages, because they're just that slow.
dividuum 8 hours ago [-]
Flight Simulator uses WASM.
> But the practical limitation is language support. You cannot run arbitrary Python scripts in WASM today without compiling the Python interpreter itself to WASM along with all its C extensions. For sandboxing arbitrary code in arbitrary languages, WASM is not yet viable.
There are several versions of the Python interpreter that are compiled to WASM already - Pyodide has one, and WASM is a "Tier 2" supported target for CPython: https://peps.python.org/pep-0011/#tier-2 - unofficial builds here: https://github.com/brettcannon/cpython-wasi-build/releases
Likewise I've experimented with running various JavaScript interpreters compiled to WASM, the most popular of those is probably QuickJS. Here's one of my many demos: https://tools.simonwillison.net/quickjs (I have one for MicroQuickJS too https://tools.simonwillison.net/microquickjs )
So don't rule out WASM as a target for running non-compiled languages, it can work pretty well!
Wasmer can run now Python server-side without any restrictions (including gevent, SQLAlchemy and native modules!) [1] [2]
Also, cool things are coming on the JS land running on Wasmer :)
[1] https://wasmer.io/posts/greenlet-support-python-wasm
[2] https://wasmer.io/posts/python-on-the-edge-powered-by-webass...
https://github.com/jgbrwn/vibebin
I already have a couple folks using it for claude: https://github.com/smol-machines/smolvm/discussions/3
Unfortunately, the ecosystem and tooling is not there for macOS full paravirtualization yet
https://github.com/jrz/container-shell
https://github.com/Kiln-AI/Kilntainers
Can run anything from a busybox in WASM to a full cloud VM. Agent just sees a shell.
"Make me a sandbox for yourself! Make sure its really secure!"
There’s a misconception about the right security boundary for agents. The agent code needs secrets (API keys, prompts, code) and the network (docs, other use cases). Wrapping the whole agent in a container puts secrets, network access, and arbitrary agent cli execution into the same host OS.
If you sandbox just the agent’s CLI access, then it’s can’t access its own API keys/code/host-OS/etc.
That's not to say I don't use bwrap.
But I use that specifically to run 'user-emulation' stories where an agent starts in their own `~/` environment with my tarball at ~/Downloads/app.tar.gz, and has to find its way through the docs / code / cli's and report on the experience.
I would add that in addition to Unix permissions, sandvault also utilizes macOS sandbox-exec to further limit the blast radius.
This is the approach I’m using for my open source project qip that lets you pipeline wasm modules together to process text, images & data: https://github.com/royalicing/qip
qip modules follow a really simple contract: there’s some input provided to the WebAssembly module, and there’s some output it produces. They can’t access fs/net/time. You can pipe in from your other CLIs though, e.g. from curl.
I have example modules for markdown-to-html, bmp-to-ico (great for favicons), ical events, a basic svg rasterizer, and a static site builder. You compose them together and then can run them on the command line, in the browser, or in the provided dev server. Because the module contract is so simple they’ll work on native too.
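The contract described above can be sketched as a pure bytes-in/bytes-out program. This is an illustration of the style (compilable with TinyGo to WASM), not qip's actual module API; the heading-upcasing transform is a stand-in for a real processor:

```go
package main

import (
	"fmt"
	"io"
	"os"
	"strings"
)

// transform is the entire "module": bytes in, bytes out, with no access to
// the filesystem, network, or clock. Here it upcases Markdown headings as a
// placeholder for a real text processor.
func transform(input string) string {
	var out []string
	for _, line := range strings.Split(input, "\n") {
		if strings.HasPrefix(line, "# ") {
			line = "# " + strings.ToUpper(strings.TrimPrefix(line, "# "))
		}
		out = append(out, line)
	}
	return strings.Join(out, "\n")
}

func main() {
	// The host (CLI, browser, or dev server) owns I/O; the module only
	// sees the piped-in bytes.
	data, err := io.ReadAll(os.Stdin)
	if err != nil {
		os.Exit(1)
	}
	fmt.Print(transform(string(data)))
}
```

Because the function is pure, the same module body works piped from curl on the command line or invoked from a browser host.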
gVisor can even use KVM.
What gVisor doesn't have is the big Linux kernel, it attempts to roll a subset of it on its own in Go. And while doing so it allows for more convenient (from the host side) resource management.
Imagine taking the Linux kernel and starting to modify it to have a guest VM mode (memory management merged with the host, sockets passed through, file systems coupled closer etc). As you progress along that axis you will eventually end up as a gVisor clone.
Ultimately what all these approaches attempt to do is to narrow the interface between the jailed process and the host kernel. Because the default interface is vast. Makes you wonder if we will ever have a kernel with a narrow interface by default, a RISC-like syscall movement for kernels.
The attack surface of Xen, the current hypervisor of Qubes, is smaller compared to browsers and OSes that have 0-days patched several times a year. Even most Xen vulns don't affect Qubes.
I just can't imagine putting my whole digital life in one "normal" OS and hoping that the OS or browser security will keep me safe. I'm mentioning the browser because a lot what used to be in the OS is now in the browser, so it's functionally like another OS.
From a usability point of view it's also useful as I can have different environments. Not only different tools in each VM which means I can pretty much forget about dependency issues, but also different data in each VM. If I wanted, I could run any agent or malware on a VM and the exposure would only be whatever data I chose to put in that VM.
Of course, if you're not passing data between certain VMs, you could use different computers for an even better security.
I'm CTO at Buildkite, have been noodling on one with a view to have an environment that can run CI workloads and Agentic ones https://github.com/buildkite/cleanroom
It’s not surprising that most people don’t know about it, because QubesOS as a daily driver can be painful. But with some improvements, I think it’s the right way to do it.
When I'm trying to get some software up and running, I've had issues with Debian many times, as well as with Fedora. Rarely with both. With Qubes, after a few minutes of trying on Debian and running into some obscure errors, I can just say "fuck it" and try with Fedora, or vice versa. Over the years it has saved me more time than the time I've invested in learning how Qubes works or dealing with Qubes-specific issues.
I also don't have to care about polluting my OS with various software and running into a dependency hell.
If a VM crashes or hangs, it's usually OK, as it's just a VM.
It's much easier to run Whonix or VPNs without worrying for IP leaks.
The credential problem is handled through proxy middleware - agents never see real tokens, requests get routed through policy-checked proxies that inject credentials only for approved operations.
Happy to share more: https://islo.dev
Giving agents their own user account is my go-to solution; it solves all my practical problems with by far the oldest, best-documented, and simplest isolation mechanism.
Having worked on kernel and hypervisor code, I really don't see much of a difference in terms of isolation. Could you elaborate on this?
Whereas yeah, you can run gVisor in KVM mode, where it does use hardware virtualization, and at that point the isolation boundary is much closer to a microVM's. I believe the real difference then becomes what's on either side of that boundary: gVisor gives you a memory-safe Go kernel making ~70 host syscalls, while a microVM gives you a full guest Linux kernel behind a minimal VMM. So at least in my mind it comes down to different trust chains, not necessarily one strictly stronger than the other.
Just like containers, VMs are very loosely defined and, under the hood, composed of mechanisms that can be used in isolation (paging, trapping, IOMMU vs individual cgroups and namespaces). It's those mechanisms that give you the actual security benefits.
And most of them are used outside of VMs, to isolate processes on a bare kernel. The system call/software interrupt trapping and "regular" virtual memory of gVisor (or even a bare Linux kernel) are just as much of a "hardware boundary" as the hypercalls and SLAT virtual memory are in the case of VMs, just without the hacks needed to make the isolated side believe it's in control of real hardware. One traps into Sentry, the other traps into QEMU, but ultimately, both are user-space processes running on the host kernel. And they themselves are isolated, using the very same primitives, by the host kernel.
As you clarified here, the real difference lies in what's on the other side of these boundaries. gVisor will probably have some more overhead, at least in the systrap mode, as every trapped call has to go through the host kernel's dispatcher before landing in Sentry. QEMU/KVM has this benefit of letting the guest's user-space call the guest kernel directly, and only the kernel typically can then call QEMU. The attack surface, too, differs a lot in both cases. gVisor is a niche Google project, KVM is a business-critical component of many public cloud providers.
It may sound like I'm nitpicking, but I believe it's important to understand this to make an informed decision and avoid the mistake of stacking up useless layers, a mistake that plagues today's software engineering.
Thanks for your reply and post by the way! I was looking for something like gVisor.
2) can access/write a specific folder?
3) can access network?
4) can access gateway/internet?
5) can access local network? (vlans would help here)
6) give access to USB devices
7) needs access to the screen? -> give framebuffer access / drawing primitives
8) Need to write? Use an overlay FS that can be checked by the host and approved
9) sub processes can never escalate permissions
By default: nothing. But unfortunately, the default is always allow.
Also, make it simple to remove the permissions again.
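One way to get deny-by-default for a checklist like this is to make "no access" the zero value of the permission manifest, so a sandbox created without explicit grants allows nothing. A hypothetical sketch:

```go
package main

import "fmt"

// Permissions is deny-by-default: Go's zero value for every field means
// "no access", so forgetting to grant something fails closed.
type Permissions struct {
	ReadPaths  []string // specific folders the process may read
	WritePaths []string // folders writable via an overlay FS, reviewed by the host
	Network    bool     // may open sockets at all
	Internet   bool     // may reach past the gateway
	LocalNet   bool     // may reach the LAN/VLAN
	USBDevices []string // explicitly granted devices
	Screen     bool     // framebuffer / drawing access
	// Child processes inherit at most this set; escalation is never possible.
}

func main() {
	var p Permissions // nothing granted
	fmt.Printf("network=%v internet=%v writable=%d\n",
		p.Network, p.Internet, len(p.WritePaths))
}
```

Revoking a grant is then just deleting a field from the manifest, which keeps removal as simple as addition.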
Here's a project I've been working on to address the network risk. Uses nftables firewall allowing outbound traffic only to an explicit pinned domain allowlist (continuously refreshes DNS resolutions in the background).
https://github.com/noperator/cagent
I've seen smaller developers experimenting with this, but haven't heard of larger orgs doing it, possibly because UGC took the place of modding as well. I come from an older world: what developers had their hands on 20 years ago was an actual SDK, not part of a long microtransaction pipeline.
In my org's case, where we built an entire game engine off Lua, and previously had done Lua integration in the Source Engine, I would have loved to have had sandboxing from the start rather than trying to think about security after the fact.
To the article's point: even if you were to add sandboxing today in those environments, I suspect you'd still be faster than some of the fastest embedded scripting languages, because they're just that slow.