TIL Docker v4.58+ have the `sandbox` subcommand to run commands with restricted filesystem access, ideal for running coding agents in yolo mode (or any other software you can't trust like ghidra or ida)

]]>https://board.circlewithadot.net/topic/3d0d79a7-7dd7-4618-8108-5f41bdc3023f/til-docker-v4.58-have-the-sandbox-subcommand-to-run-commands-with-restricted-filesystem-access-ideal-for-running-coding-agents-in-yolo-mode-or-any-other-software-you-can-t-trust-like-ghidra-or-idaRSS for NodeMon, 06 Apr 2026 09:23:42 GMTMon, 23 Mar 2026 12:20:33 GMT60@pancake How about X11 socket sharing?
https://github.com/v-p-b/binaryninja-docker]]>https://board.circlewithadot.net/post/https://infosec.place/objects/e405b3b7-52ab-4ad1-9cd8-a11d94bdc9a3https://board.circlewithadot.net/post/https://infosec.place/objects/e405b3b7-52ab-4ad1-9cd8-a11d94bdc9a3Mon, 23 Mar 2026 14:31:31 GMTJk. Docker sandbox only works for real programs. Aka the ones that run in a tty

]]>https://board.circlewithadot.net/post/https://infosec.exchange/users/pancake/statuses/116278777254721531https://board.circlewithadot.net/post/https://infosec.exchange/users/pancake/statuses/116278777254721531Mon, 23 Mar 2026 13:42:14 GMT@pancake Thanks for the clarification!]]>https://board.circlewithadot.net/post/https://infosec.place/objects/48c34c21-d5df-4ce1-a2e5-a2f059183ed8https://board.circlewithadot.net/post/https://infosec.place/objects/48c34c21-d5df-4ce1-a2e5-a2f059183ed8Mon, 23 Mar 2026 12:57:32 GMT@buherator yes that would be the same if you run the agent inside a docker with a mouted volume. Docker sandbox afaik just makes it easier to use

]]>https://board.circlewithadot.net/post/https://infosec.exchange/users/pancake/statuses/116278598568532748https://board.circlewithadot.net/post/https://infosec.exchange/users/pancake/statuses/116278598568532748Mon, 23 Mar 2026 12:56:48 GMT@pancake I think we are talking about different things (please provide a link or stg if I misunderstand). When I just launch claude it can and will write at random FS paths for example, because the process has the privileges to do so. Can it do the same if I launch it in a regular old container where the project directory is mounted (it will have access to everything inside the mount ofc but not my whole ~)?]]>https://board.circlewithadot.net/post/https://infosec.place/objects/ff844532-a26a-4f05-be88-8f478c674bb6https://board.circlewithadot.net/post/https://infosec.place/objects/ff844532-a26a-4f05-be88-8f478c674bb6Mon, 23 Mar 2026 12:44:45 GMT@buherator yep, escaping agent sandbox is a pretty common vuln and all agents are affected because there's literally no way to fix this than just add more checks when a escape is found. and even if you are requested to give permission to a directory, agents can write programs and execute without supervision or with hidden ways which makes it possible to access anything bypassing the classic checks.

]]>https://board.circlewithadot.net/post/https://infosec.exchange/users/pancake/statuses/116278533777610057https://board.circlewithadot.net/post/https://infosec.exchange/users/pancake/statuses/116278533777610057Mon, 23 Mar 2026 12:40:19 GMT@pancake I get that this is a stronger isolation layer, but why is that necessary? Do agents randomly perform container escapes?

Simplicity is definitely a plus, but that wouldn't require VMs either.]]>https://board.circlewithadot.net/post/https://infosec.place/objects/031603e5-9c09-44d3-91c3-ed0f2b7ae081https://board.circlewithadot.net/post/https://infosec.place/objects/031603e5-9c09-44d3-91c3-ed0f2b7ae081Mon, 23 Mar 2026 12:37:55 GMT@buherator it creates a VM for each program you run, the program inside can’t see your system processes and there, and probably the main positive point here is simplicity to use and manage

]]>https://board.circlewithadot.net/post/https://infosec.exchange/users/pancake/statuses/116278485125110413https://board.circlewithadot.net/post/https://infosec.exchange/users/pancake/statuses/116278485125110413Mon, 23 Mar 2026 12:27:57 GMT@pancake How is this different from simply bind mounting your project dir?]]>https://board.circlewithadot.net/post/https://infosec.place/objects/32aa04fa-9e18-45e5-badc-b95f06892d70https://board.circlewithadot.net/post/https://infosec.place/objects/32aa04fa-9e18-45e5-badc-b95f06892d70Mon, 23 Mar 2026 12:23:10 GMT