Remix.run Logo
SwellJoe 4 days ago

I was using VMs for agents, but wanted something lighter and faster, so I made flar, which bubblewraps the agent, its config/history and the project directory. The agent runs in your usual environment but has no access to anything other than what it's been explicitly granted, short-circuiting prompt injections (or intentional secret exfiltration on the part of the agent or model) as well as any supply chain exploits the agent might accidentally introduce.

https://github.com/swelljoe/flar

It starts instantly, as it's a namespace, rather than a full VM or container that has to be downloaded/built/updated on start.

It defaults to dangerously skip permissions mode, but is much safer than the very porous sandbox the agents provide, and the agent can't reach outside of it even if told to, by the user or a prompt injection.

hsin003 4 days ago | parent [-]

have you tried lxc + eBPF? the former allows you to have lighter & faster (share kernel) and the latter gives you security. that is what we do for containarium.

SwellJoe 4 days ago | parent [-]

I used lxc many years ago and used to support it in my company's products, but for this use case, bubblewrap is the obvious answer. It's exactly the right balance of isolation and simplicity. Any full container or VM thing is much heavier than a namespace with some bind mounts, which is what bubblewrap does.

I started out implementing it with podnan, but that's also far too heavy and complicated, as you need to equip it for your specific development needs. With bubblewrap (and, thus, flar) you gave your usual environment, the whole OS mounted read only, but anything sensitive in your home or other dirs that might be sensitive is unreachable.