TIL Docker v4.58+ has the `sandbox` subcommand to run commands with restricted filesystem access, ideal for running coding agents in yolo mode (or any other software you can't trust, like Ghidra or IDA)
@buherator yep, that works, but the X11 protocol opens the door to a large set of vulnerabilities. And afaik "docker sandbox" doesn't support this, you'll need to cook some docker run one-liners instead
@buherator it creates a VM for each program you run, the program inside can't see your system processes there, and probably the main positive point here is the simplicity to use and manage
@buherator yep, escaping the agent sandbox is a pretty common vuln and all agents are affected, because there's literally no way to fix this other than to add more checks when an escape is found. And even if you are requested to give permission to a directory, agents can write programs and execute them without supervision or in hidden ways, which makes it possible to access anything, bypassing the classic checks.
@pancake I think we are talking about different things (please provide a link or something if I misunderstand). When I just launch claude it can and will write to random FS paths, for example, because the process has the privileges to do so. Can it do the same if I launch it in a regular old container where the project directory is mounted (it will have access to everything inside the mount ofc, but not my whole ~)?
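The "docker run one-liner" alternative mentioned above, as an added example that is not part of the thread: only the project directory is bind-mounted, so the container has no path to ~ or the rest of the host filesystem, and the usual hardening flags are stacked on top. The image name is a placeholder for whatever ships your tool; `--network none` is for offline tools like a disassembler and has to be dropped for an agent that needs to reach its API.

```shell
# Added example (not from the thread): hardened `docker run` wrapper for an
# untrusted tool (coding agent, disassembler) when `docker sandbox` is not an
# option. Assumption: the image argument is a placeholder you replace.
set -eu

DOCKER="${DOCKER:-docker}"   # set DOCKER=echo to print the command instead of running it

# Usage: sandbox_run <project dir> <image> [command...]
sandbox_run() {
  project="$1"; image="$2"; shift 2
  # --mount        : the project dir is the only host path inside the container
  # --read-only    : image filesystem is immutable; --tmpfs gives noexec scratch space
  # --cap-drop ALL + no-new-privileges : no capabilities, no setuid escalation
  # --pids-limit   : bounds runaway process trees; --network none : offline tools only
  # --user         : run as your uid/gid so files written to /work stay yours
  "$DOCKER" run --rm -it \
    --mount "type=bind,src=${project},dst=/work" \
    --workdir /work \
    --read-only \
    --tmpfs /tmp:rw,noexec,nosuid,size=512m \
    --cap-drop ALL \
    --security-opt no-new-privileges \
    --pids-limit 256 \
    --network none \
    --user "$(id -u):$(id -g)" \
    "$image" "$@"
}
```

With a real image, `sandbox_run "$PWD" IMAGE sh -c 'ls /; touch /etc/probe'` shows only the image's own directories plus /work, and the touch fails with a read-only filesystem error.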