Nice approach! On Ubuntu 24.04 I had to loosen some AppArmor protections by creating a file:
> cat /etc/apparmor.d/bwrap
  #include <tunables/global>
  /usr/bin/bwrap flags=(unconfined) {
    userns,
  }
This is the way to go! On my side I've built a very small `claude-vm` wrapper to run each instance in a VM with Lima: https://github.com/sylvinus/agent-vm
I ended up writing my own sandbox so that it works on macOS as well and can be used for other tools (not just AI agents) as well
This one was posted here recently; works quite well for me:
As a heads up and affirmation that the approach is correct, here's a small shell bubblewrap wrapper that boils the command line down to `sandbox-run claude --dangerously-skip-permissions`.
I went exactly the same route: https://kaveh.page/blog/claude-code-sandbox
I've started using a container (podman) which is just for the AI tools. I start it up for Codex etc and let it access to the appropriate code directory outside the container.
Anyone else using this approach? Ideas on improvements?
I just have an unprivileged secondary local account and do ssh dummy@localhost.
Is this wrong?
I will ask what I've asked before: how to know what resources to make available to agents and what policies to enforce? The agent behavior is not predefined; it may need access to a number of files & web domains.
For example, you said:
> I don't expose entire /etc, just the bare minimum
How is "bare minimum" defined?
> Inspecting the log you can spot which files are needed and bind them as needed.
This requires manual inspection.
I'm launching a SaaS to create yet another solution to the AI Sandboxing problem in linux.
My friends and I have spent a lot of time quietly injecting support down into the kernel without anybody raising a flag, and we finally have the infrastructure in place to solve this problem.
We have also poisoned all the LLMs' training data with our approach, so our marketing is primed and we won't even need to learn Claude to use our tool.
We’re planning a soft launch this month, or maybe next month. Depending on how "in the vibe" (our new word for flow :) our team gets.
We’re calling it `useradd`.
Yes, the man page is intimidating, and the documentation is terrible. But once you're over the learning curve, it puts your machine into a kind of 'main frame' mode where multiple 'virtual teletypes' and users can operate on the same machine.
DM me if you want a beta key.
---
Sorry for the snark, but I cringe at the monuments to complexity I see people building; at least this solution is relatively simple and free. Still, I don't really see what it buys me.
I don't know if I want to create an ad-hoc list of permissions. What I would like would be something like take a snapshot of my current workspace in a VM. Run claude there and let it go wild. After the end of the session, kill the box. The only downside is potentially syncing the claude sessions/projects. But I don't think that'd be too difficult.
Is this BSD jails' time to shine?
If you have ssh installed, with network access it can ssh localhost to escape the sandbox.
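To close the localhost-ssh hole raised above, and to give the `sandbox-run` wrapper mentioned earlier a concrete shape, here is an added example (not any commenter's code) of a POSIX sh bubblewrap wrapper: it unshares the network unless `--net` is passed, binds only named /etc files rather than the whole directory, and gives the agent a throwaway HOME so no SSH keys, agent socket or tokens are visible even when the network is shared. It assumes bubblewrap 0.5 or newer (for `--ro-bind-try`) and unprivileged user namespaces being permitted (on Ubuntu 24.04 that is the AppArmor change from the first comment).

```shell
#!/bin/sh
# sandbox-run: run an agent (or any command) inside a bubblewrap sandbox that
# sees a read-only base system, a minimal /etc, a throwaway HOME and the
# current project directory. Constructed example, not any commenter's wrapper.
# Usage: sandbox-run [--net] <command> [args...]   (run from the project dir)
set -eu

# Emit the bwrap policy for PROJECT, one argument per line. Kept separate from
# the exec so the policy can be reviewed (or tested) without bwrap installed.
# ALLOW_NET is "yes" or "no"; every other namespace is unshared either way.
sandbox_args() {
  project="$1"; allow_net="$2"; home="${HOME:-/tmp/home}"
  # --unshare-all drops net, pid, ipc, uts and user namespaces; --share-net
  # re-enables only the network, for agents that must reach their API.
  printf '%s\n' --unshare-all --die-with-parent --new-session
  [ "$allow_net" = yes ] && printf '%s\n' --share-net
  # Base system read-only. /etc is NOT bound wholesale: only the files a
  # process needs to resolve uids/gids and the clock (the "bare minimum").
  printf '%s\n' --ro-bind /usr /usr --symlink usr/bin /bin \
    --symlink usr/lib /lib --symlink usr/lib64 /lib64 \
    --ro-bind /etc/passwd /etc/passwd --ro-bind /etc/group /etc/group \
    --ro-bind-try /etc/hosts /etc/hosts \
    --ro-bind-try /etc/localtime /etc/localtime \
    --proc /proc --dev /dev --tmpfs /tmp
  # Name resolution and TLS roots only make sense when a network exists.
  [ "$allow_net" = yes ] && printf '%s\n' \
    --ro-bind-try /etc/resolv.conf /etc/resolv.conf --ro-bind-try /etc/ssl /etc/ssl
  # Fresh HOME: ~/.ssh, shell rc files and credential stores are not visible,
  # so even with --net an ssh to localhost has no keys to use. Bind whatever
  # state directory your agent keeps under HOME explicitly (not shown here).
  printf '%s\n' --tmpfs "$home" --setenv HOME "$home" --chdir "$project" \
    --bind "$project" "$project"
}

sandbox_run() {
  allow_net=no
  if [ "${1:-}" = --net ]; then allow_net=yes; shift; fi
  [ $# -gt 0 ] || { echo "usage: sandbox-run [--net] <command> [args...]" >&2; return 2; }
  # Split the one-per-line policy on newlines only (paths may contain spaces),
  # then hand it to bwrap followed by the command after the "--" separator.
  set -f; old_ifs=$IFS; IFS='
'
  set -- $(sandbox_args "$PWD" "$allow_net") -- "$@"
  IFS=$old_ifs; set +f
  exec bwrap "$@"
}

if [ $# -gt 0 ]; then sandbox_run "$@"; fi
```

Run it as `sandbox-run claude --dangerously-skip-permissions` from the project directory, adding `--net` only when the agent genuinely needs to reach its API.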
Saw something last week using bubblewrap as well on HN: github.com/Use-Tusk/fence
Really well targeted!
I'd been thinking of using toolbox or devcontainers going forward, but having to craft containers with all my stuff sounds so painful, feels like it would become another full-time job to make containers
Bubblewrap & passing in a bunch of the current system sounds like a great compromise!
I do wonder what isolation something like systemd-run can offer, if that is enough.
Part #2 to me: I also want observability as to what the agent changed. That was one place where containers are such a clear and huge advantage! Having an overlay that contains the changes to the filesystem is so explicit. There's also work like agentfs, which offers a FUSE filesystem backed by Turso DB (sqlite compatible).
I like this approach for Nix: https://dev.to/andersonjoseph/how-i-run-llm-agents-in-a-secu... It makes it also easy to give the agent only access to the tools it actually needs.
I use Leash [1] [2] for sandboxing my agents (to great effect!). I've been very happy with it, it provides strict policy-level control for all process-level + network-level activity, as well as full visibility and dynamic runtime controls via WebUI. Way better than bubblewrap imo.
I originally saw it here on HN and have been hooked ever since.
[1] Screenshot: https://camo.githubusercontent.com/99b9e199ffb820c27c4e977f2...
[2] https://github.com/strongdm/leash
Fun fact: Do you know what container / sandboxing system is in most widespread use? Not docker containers, certainly not bubblewrap, and not even full VMs or firecracker. It's Chrome tabs.