TIL Docker v4.58+ have the `sandbox` subcommand to run commands with restricted filesystem access, ideal for running coding agents in yolo mode (or any other software you can't trust like ghidra or ida)
-
TIL Docker v4.58+ have the `sandbox` subcommand to run commands with restricted filesystem access, ideal for running coding agents in yolo mode (or any other software you can't trust like ghidra or ida)
-
TIL Docker v4.58+ have the `sandbox` subcommand to run commands with restricted filesystem access, ideal for running coding agents in yolo mode (or any other software you can't trust like ghidra or ida)
@pancake How is this different from simply bind mounting your project dir? -
@pancake How is this different from simply bind mounting your project dir?
@buherator it creates a VM for each program you run, the program inside can’t see your system processes and there, and probably the main positive point here is simplicity to use and manage
-
@buherator it creates a VM for each program you run, the program inside can’t see your system processes and there, and probably the main positive point here is simplicity to use and manage
@pancake I get that this is a stronger isolation layer, but why is that necessary? Do agents randomly perform container escapes?
Simplicity is definitely a plus, but that wouldn't require VMs either. -
@pancake I get that this is a stronger isolation layer, but why is that necessary? Do agents randomly perform container escapes?
Simplicity is definitely a plus, but that wouldn't require VMs either.@buherator yep, escaping agent sandbox is a pretty common vuln and all agents are affected because there's literally no way to fix this than just add more checks when a escape is found. and even if you are requested to give permission to a directory, agents can write programs and execute without supervision or with hidden ways which makes it possible to access anything bypassing the classic checks.
-
@buherator yep, escaping agent sandbox is a pretty common vuln and all agents are affected because there's literally no way to fix this than just add more checks when a escape is found. and even if you are requested to give permission to a directory, agents can write programs and execute without supervision or with hidden ways which makes it possible to access anything bypassing the classic checks.
@pancake I think we are talking about different things (please provide a link or stg if I misunderstand). When I just launch claude it can and will write at random FS paths for example, because the process has the privileges to do so. Can it do the same if I launch it in a regular old container where the project directory is mounted (it will have access to everything inside the mount ofc but not my whole ~)? -
@pancake I think we are talking about different things (please provide a link or stg if I misunderstand). When I just launch claude it can and will write at random FS paths for example, because the process has the privileges to do so. Can it do the same if I launch it in a regular old container where the project directory is mounted (it will have access to everything inside the mount ofc but not my whole ~)?
@buherator yes that would be the same if you run the agent inside a docker with a mouted volume. Docker sandbox afaik just makes it easier to use
-
@buherator yes that would be the same if you run the agent inside a docker with a mouted volume. Docker sandbox afaik just makes it easier to use
@pancake Thanks for the clarification! -
TIL Docker v4.58+ have the `sandbox` subcommand to run commands with restricted filesystem access, ideal for running coding agents in yolo mode (or any other software you can't trust like ghidra or ida)
Jk. Docker sandbox only works for real programs. Aka the ones that run in a tty
-
Jk. Docker sandbox only works for real programs. Aka the ones that run in a tty
-
R relay@relay.infosec.exchange shared this topic
