You have an agent running on your local system. You want it to have access to a restricted set of things, both locally and remote. What is the technical mechanism you use to ensure that it has a subset of the access that you, as an individual logged into the same system, do?

(I am uninterested in "Don't run an agent" because, while yes, I see your point, that doesn't mean it's not happening, and security professionals have to deal with what's happening, not what we want to be happening.)

@mjg59 I think our answer is roughly "the right bpf rules will save us".
@noodles I'm more worried about identity rather than local filesystem access, although maybe local filesystem access is a way to constrain identity (until the agent manages to convince a subordinate to just cat its token to stdout)
@mjg59 @noodles Our work is deploying a custom MCP proxy so all auth is defined there. Not sure they've actually got a way to stop a load of other MCP tools being registered locally yet, though, so it still doesn't solve the problem.