How I Sandbox my AI Agents

I've been using Opencode as my AI coding agent. Very unlike me, I don't have a long list of reasons why I picked it among the many alternatives. I just wanted to get started with an agent system that checked my main requirements: Must be fully open-source. Popular, meaning it's …

blog.fidelramos.net

@LukefromDC for giggles, I checked in a firejail shell, and /usr/bin/su is owned by nobody.nogroup and only has owner read permissions, so it cannot be exploited via this method.

If you're using #Linux and unfamiliar with #firejail -- give it a look; it's a nice wrapper that can be used for almost any internet-connected app out of the box through a bunch of pre-defined configurations, and anything could be wrapped in it by creating your own custom profile.

It limits what the browser can see on the filesystem, and creates a jail for the program it's used to run.

This is how I use it for librewolf (aka stripped-down firefox):

https://codeberg.org/bobdobberson/tools/src/branch/master/i3-hotkey-firefox#L51-L54

@jloc0

tools/i3-hotkey-firefox at master

tools - tools I've written and use on a semi-regular basis

Codeberg.org

And as a security measure, when it decides to run shell commands, those are sandboxed in #firejail with optionally enabled networking on project setup. It also supports skills (progressive disclosure), has basic filesystem and file editing tools, whiteboard (scratchpad) memory, and agentic tasks running in a separate-context subagent to limit hallucinations.
Locking up Claude Code

One of the problems you quickly notice once you get a little into vibe coding is that AI can get pretty curious. I had the case...

linux-nerds.org

Protect Your System: Run Your Browser In Firejail

In today’s digital age, web browsers are our primary gateway to the internet—we use them for banking, shopping, social media, and work. Unfortunately, this makes browsers a top target for cybercriminals. Malicious websites, drive-by downloads, exploited plugins, and tracking scripts can compromise your system, steal data, or turn your device into a botnet. While antivirus software and ad-blockers help, they’re not foolproof. A more robust defense is **sandboxing**—isolating applications from the rest of your system to limit damage if they’re compromised. Enter **Firejail**: a lightweight, open-source sandboxing tool designed to restrict applications (especially browsers) using Linux kernel features like namespaces and seccomp. In this guide, we’ll explore why browsers need special protection, how Firejail works, and how to set it up to secure your daily browsing.

DotLinux.net

https://grapheneos.social/@GrapheneOS/116200213555848065
Graphene has bad things to say about its competitors. What is the Truth?
@postmarketOS
@WeAreFairphone
@linmob

Does GOS' comment have in mind Volla #SailfishOS or UbuntuTouch? I am not a fan of Ubuntu much but love Debian. Volla, however, is just way overpriced for most people outside the EU who cannot order it anyway. Maybe GOS rates UbuntuTouch as a low-grade product.
But Sailfish makes use of #firejail, which is very comprehensive on the command line level. If an app on GOS is not using Compatibility Mode, then it might be better off than with firejail or at least on par in terms of sandboxing. There are of course other factors.

Mainly, just wanted to make the point of distinguishing hardware projects from software projects here.

How would you rate Postmarket OS' security strategy (on Fairphone, for example)?

Have you ever been locked-out of your own account "for your protection"? 🤦

🔗 https://tech.michaelaltfield.net/2026/02/03/single-site-browser-firejail-proxychains/

This guide 👆 shows how to set up a Persistent, Sandboxed, Single-Site-Browser using #firejail and #proxychains to minimize the risk of Evil-Corp effectively issuing a #DOS attack against you (due to false positives)

#ai #aislop #opsec #infosec #security #privacy

Persistent, Sandboxed, Single-Site Browser (firejail and proxychains) - Michael Altfield's Tech Blog

Or how to avoid getting locked out of another Google Account

This guide will describe how to set up a persistent browser (for Evil Corp) that’s isolated in a sandbox (with firejail) and forced to use a SOCKS5 proxy to retain a static IP address (using proxychains). Have you ever been locked out of your own account, and then got an email from your service provider annoyingly letting you know that they’ve “blocked a login attempt — for your protection?” There are countless reports of frustrated users who have permanently lost access to their own Gmail accounts because of Google’s faulty “fraud protection” systems that locked the account owner out of their own account, due to false positives.

Problem

Especially in the past 10 years, large corporations have been using machine learning anomaly detection systems on their login pages. Unfortunately, sometimes this is (ab)used to have priority over credential authentication challenges. Even if you enter your username, password, and 2FA credentials correctly on the very first login attempt, you may get locked out of your own account because you “look different”.

→ Read More: Persistent, Sandboxed, Single-Site Browser (firejail and proxychains)

Michael Altfield's Tech Blog

Would you be interested in cooperating to build the next #dangerzone #flatpak #snap #ai/#gpu #rustlang #sandbox (insert-hype-here) based on #sydbox rather than #bubblewrap #firejail #snap-confine #gvisor (insert-sandbox-here)? We have #sydbox the application kernel, pandora the automatic profile writer, and syd-tui as a basic TUI frontend using #ratatui, however we lack more practical tooling for wider adoption. Dreams, ideas, plans, all sorts of feedback, and contributions are equally welcome!

Yes, please! 80%
No, go away! 0%
I'll DM or mail [email protected] 0%
I want to see you at RustConf2026 20%
Poll ended at .

Does anyone know of a project similar to #firejail, but not written by nutjobs for nutjobs? Because it feels like the target audience of this contraption is guys who don't use software, but only write firejail configs for software and then sit there pleased with how they've fenced everything off. I don't want to magically work out and then manually list ALL the directories a program uses. I just want a pseudo-home, to simply map `~/somefile` to `~/jail/somefile`, not all of this.

Hardening with Firejail, Landlock, and bubblewrap

Recently I've been looking into securing my laptop a bit. By default, every single program has access to everything: filesystem, network, other programs.

First, I started looking into Firejail. It allows specifying paths the program can access, as well as the network and other special things. It's not bad and I used it for a while.

What I don't like about Firejail is that it's setuid: it runs as root, sets up the sandbox, then starts the program that is passed as an argument. If there is a problem in Firejail then it can even extend the blast radius.

Then I learned about Landlock. It is unprivileged and also allows restricting the network. At some point I found a [CLI](https://github.com/Zouuup/landrun) that makes it easy to run. Landlock solves the privilege problem: it restricts the process without having more permissions to do so.

The problem with Landlock is its fs restrictions are a bit too coarse: if a directory is allowed then everything below it is also allowed. For example, giving read access to $HOME also gives read access to the chromium profile.

Now I'm looking into bubblewrap. It promises to combine Firejail and Landlock in the best way: unprivileged and also allows layering filesystem access.

I'm still working on moving my dotfiles to bubblewrap and it takes some mental energy to do that. But it seems like it's going to be a good next step.

#security #linux #bwrap #landlock #firejail

Originally published [on my blog](https://advancedweb.hu/shorts/hardening-with-firejail-landlock-and-bubblewrap/)
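One way to get the layering the post describes, as an added example rather than the author's own dotfiles or anything from the bubblewrap project: a POSIX sh wrapper that hides all of $HOME behind an empty tmpfs and binds only one chosen project directory back in, so a browser profile under ~/.config stays invisible while the project stays writable. The function name `sandbox_run`, the `SANDBOX_DRY_RUN` switch and the particular set of binds are my choices and assume bwrap is installed, unprivileged user namespaces are enabled, and a merged-/usr layout.

```shell
#!/bin/sh
# Added example, not code from the post. Runs PROGRAM under bubblewrap with a
# layered filesystem view: the real $HOME is replaced by an empty tmpfs and only
# PROJECT is bound back in. Landlock alone cannot express this, because granting
# $HOME there also grants everything beneath it (e.g. the chromium profile).
# Assumes: bwrap installed, user namespaces enabled, merged /usr (/bin, /lib,
# /lib64 are symlinks into /usr). Names here are this example's, not the post's.

# sandbox_run PROJECT PROGRAM [ARGS...]
# Set SANDBOX_DRY_RUN=1 to print the bwrap command line (one word per line)
# instead of executing it; useful for inspecting the layering before trusting it.
sandbox_run() {
  project=$1; shift
  [ -d "$project" ] || { echo "sandbox_run: no such directory: $project" >&2; return 2; }
  case $project in /*) ;; *) project=$PWD/$project ;; esac   # bwrap wants absolute paths
  : "${HOME:?HOME must be set}"
  # Mounts are applied in order, so the project bind lands on top of the tmpfs
  # that hides the rest of the home directory.
  set -- \
    --ro-bind /usr /usr \
    --ro-bind /etc /etc \
    --symlink usr/bin /bin --symlink usr/lib /lib --symlink usr/lib64 /lib64 \
    --proc /proc --dev /dev --tmpfs /tmp \
    --tmpfs "$HOME" \
    --bind "$project" "$project" \
    --chdir "$project" \
    --unshare-all \
    --die-with-parent \
    --new-session \
    -- "$@"
  # --unshare-all: fresh user/pid/net/ipc/uts namespaces, so no network at all.
  # --die-with-parent: the sandbox dies with the shell that started it.
  # --new-session: detaches from the controlling tty so the sandboxed program
  #                cannot inject keystrokes into the parent terminal.
  if [ "${SANDBOX_DRY_RUN:-0}" = 1 ]; then
    printf '%s\n' bwrap "$@"
    return 0
  fi
  bwrap "$@"
}

# Example: sandbox_run "$HOME/project" ls -la "$HOME"
# lists only the project directory; ~/.config is simply not there.
```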

GitHub - Zouuup/landrun: Run any Linux process in a secure, unprivileged sandbox using Landlock. Think firejail, but lightweight, user-friendly, and baked into the kernel.

GitHub