You have an agent running on your local system. You want it to have access to a restricted set of things, both locally and remote. What is the technical mechanism you use to ensure that it has a subset of the access that you, as an individual logged into the same system, do?

(I am uninterested in "Don't run an agent" because, while yes, I see your point, that doesn't mean it's not happening, and security professionals have to deal with what's happening, not what we want to be happening)

@mjg59 my solution so far (after experimenting with nono.sh): build ad-hoc VMs (with qemu direct kernel boot) and run the agent in there. That way it also can have access to a working docker env if required.

I am planning to replace the iptables-based limited network access with transparent mitmproxy (unless there’s certificate/CA pinning in use).

@mjg59 in my first attempt with nono.sh the agent "found" the docker socket, spawned a container and mounted the host filesystem to gain access to files it was actually not supposed to access.

@rbo_ne @mjg59 what in the actual hell 😳

@willb I should add that I specifically tested (in that case) Claude code: I placed a file on my filesystem outside of Claude’s reach (or so I thought) and then instructed it to read its content.

It tried to break out of the jail for 20 minutes until it discovered the docker socket, found a usable image and started a container which mounted the host’s filesystem as a volume.
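
The escape described above has two observable preconditions: a container-runtime control socket the agent can connect to, and (once a container is running) a bind mount that exposes the host's root filesystem. The following is an added audit script, not code from the thread, from nono.sh, or from any other project named here; it is meant to be run as the agent's user inside the jail or VM before the agent is trusted. The socket paths, the disk filesystem list and the sample mountinfo text are constructed assumptions; on a real system `audit()` reads `/proc/self/mountinfo`.

```python
"""Audit an agent sandbox from the inside for the two escape preconditions
discussed in the thread: a reachable container-runtime control socket, and
a bind mount that exposes the host's root filesystem inside the sandbox.
Illustrative code, not part of nono.sh or any other project."""
import os
import socket
import stat
from dataclasses import dataclass
from typing import List, Optional

# Assumed common locations of Docker/Podman/containerd control sockets.
# Anything connectable here lets a caller start containers with arbitrary
# volume mounts, which is equivalent to full host filesystem access.
RUNTIME_SOCKETS = (
    "/var/run/docker.sock",
    "/run/docker.sock",
    "/run/podman/podman.sock",
    "/run/containerd/containerd.sock",
)

# Filesystem types that indicate a real disk rather than a container overlay.
DISK_FS = {"ext4", "ext3", "xfs", "btrfs", "zfs", "f2fs"}

# Constructed sample of /proc/self/mountinfo as seen from a container that
# was started with the host root bind-mounted at /host (line 102) and a
# project directory bind-mounted at /work (line 103).
SAMPLE_MOUNTINFO = """\
100 99 0:50 / / rw,relatime - overlay overlay rw,lowerdir=/x,upperdir=/y,workdir=/z
101 100 0:51 / /proc rw,nosuid,nodev,noexec,relatime - proc proc rw
102 100 8:1 / /host rw,relatime - ext4 /dev/sda1 rw
103 100 8:1 /home/me/project /work rw,relatime - ext4 /dev/sda1 rw
"""


@dataclass
class Finding:
    kind: str    # "socket-present", "socket-connectable" or "host-root-mount"
    detail: str


def socket_exposure(path: str) -> Optional[Finding]:
    """Report whether `path` is a Unix socket and whether we can connect to it.

    Permission bits alone are not a reliable signal (root or docker-group
    membership bypass them), so the check is a real connect() with no
    request sent afterwards."""
    try:
        st = os.stat(path)
    except OSError:
        return None
    if not stat.S_ISSOCK(st.st_mode):
        return None
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as s:
        s.settimeout(0.5)
        try:
            s.connect(path)
        except OSError as exc:
            return Finding("socket-present", f"{path}: exists, connect failed ({exc.strerror})")
    return Finding("socket-connectable", f"{path}: accepts connections")


def host_root_bind_mounts(mountinfo: str) -> List[str]:
    """Parse mountinfo text and return mount points that look like the host's
    root filesystem mounted somewhere inside the sandbox: a disk-backed
    filesystem whose mounted subtree (field 4) is "/" while its mount point
    (field 5) is not "/". A bind mount of a single project directory has a
    non-root subtree and is not reported."""
    hits = []
    for line in mountinfo.splitlines():
        if " - " not in line:
            continue
        left, right = line.split(" - ", 1)
        lf, rf = left.split(), right.split()
        if len(lf) < 5 or len(rf) < 2:
            continue
        root, mount_point, fstype = lf[3], lf[4], rf[0]
        if fstype in DISK_FS and root == "/" and mount_point != "/":
            hits.append(mount_point)
    return hits


def audit(mountinfo_path: str = "/proc/self/mountinfo") -> List[Finding]:
    """Run both checks against the live system and return all findings."""
    findings = [f for f in (socket_exposure(p) for p in RUNTIME_SOCKETS) if f]
    try:
        with open(mountinfo_path) as fh:
            text = fh.read()
    except OSError:
        text = ""   # not Linux, or /proc hidden: the mount check simply yields nothing
    findings += [Finding("host-root-mount", f"{mp}: host root filesystem reachable here")
                 for mp in host_root_bind_mounts(text)]
    return findings


if __name__ == "__main__":
    for finding in audit() or [Finding("ok", "no runtime socket or host-root mount found")]:
        print(f"[{finding.kind}] {finding.detail}")
```

Running this from inside the sandbox and seeing an empty result is a necessary check, not a sufficient one: it only covers the two routes the thread mentions, and the VM approach described earlier sidesteps both because the VM's own root is the only disk-backed "/" it can see.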

@mjg59