nyrikki 6 hours ago
Docker Sandboxes are microVMs. Basically, due to many reasons (ld_preload, various container standards, open desktop, current init systems, widespread behavior from container images from projects, LSM limitations, etc.), it is impossible to maintain isolation within an agentic environment, specifically within a specific UID, so the only real option is to leverage the isolation of a VM. I was going to release a PoC related to bwrap/containers etc… but realized even with disclosure it wasn’t going to be fixed. Makes me feel bad, but namespaces were never a security feature, and the tooling has suffered from various parties making locally optimal decisions and no mediation through a third party to drive the ecosystem as a whole. If you are going to implement isolation for agents, I highly suggest you consider micro VMs.
salted-cacao 33 minutes ago
Please do release a PoC … I use bubblewrap a lot and would like to know about such problems