Remix.run Logo
nyrikki 6 hours ago

Docker Sandboxes are microVMs.

Basically due to many reasons, ld_preload, various containers standards, open desktop, current init systems, widespread behavior from containers images from projects, LSM limitations etc…

It is impossible to maintain isolation within an agentic environment, specifically within a specific UID, so the only real option is to leverage the isolation of a VM.

I was going to release a PoC related to bwrap/containers etc… but realized even with disclosure it wasn’t going to be fixed.

Makes me feel bad, but namespaces were never a security feature, and the tooling has suffered from various parties making locally optimal decisions and no mediation through a third party to drive the ecosystem as a whole.

If you are going to implement isolation for agents, I highly suggest you consider micro VMs.

salted-cacao 33 minutes ago | parent [-]

Please do release a PoC … I use bubblewrap a lot and would like to know about such problems