Oh wow, this looks nicely done! It's also nice that it's cross platform. I've done something similar with https://github.com/Gerharddc/litterbox which takes things a bit further by allowing you to easily sandbox your entire development environment (i.e. IDE and everything) using containers. Unfortunately I have not gotten around to the network sandboxing part though, that seems very tricky to get useful without being too "annoying".
TL;DR: I'm using https://github.com/Gerharddc/litterbox to sandbox all my development these days and have now managed to get the ROCm variant of PyTorch running with GPU access inside a Litterbox. If you'd like to see the details of how to achieve that, this post is for you!
> Every render in this post was made that way. Claude generated the geometry with vcad, imported each STL/GLB into Blender via MCP, set up studio lighting, and rendered to PNG. No human touched Blender.
This seems a bit wasteful to me. Why do you need an LLM to do the part of controlling Blender? Can't normal code be used to automate this instead? And save a scary amount of electricity in the process...
Great writeup! An alternative I have explored (more for defense against supply-chain attacks than for agents admittedly) is to use rootless Podman to get a dev-container-like experience alongside sandboxing. To this end I have built https://github.com/Gerharddc/litterbox (https://litterbox.work/) which greatly simplifies container setup and integrates a special ssh-agent for sandboxing that always prompts the user before signing requests (as to keep your SSH keys safe).
Unfortunately Litterbox won't currently help much for specifically protecting .env files in a project folder though. I'd need to think if the design can be extended for this use-case now that I'm aware of the issue.
Very nice! Quite a coincidence, but the NPM disaster also prompted me to build litterbox.work as a possible solution. It is a very different approach though.
The main reason is that in addition to sandboxing, I also wanted something similar to dev-containers where I can have a reproducible development environment. I guess that can also be achieved with Bubblewrap, but when you want to run containers anyway, it seems silly to not just use Podman.
Very interesting read, I had no idea agents already had so much sandboxing built in! It does seem like this is probably not enough though.
A few months ago I built https://github.com/Gerharddc/litterbox (https://litterbox.work/) primarily to shield my home directory from supply-chain attacks, but I imagine it could be very useful for defending against rogue agents too. Essentially it is a dev-container-like system for Linux built on rootless Podman with a strong focus on isolation and security.
A key difference to normal dev-containers is that it encourages placing your entire dev environment (i.e. also the editor etc.) inside the container so that you are even protected from exploits in editor extensions for instance. This also makes it safer to allow agents (or built tools) to for instance install packages on your system since this is not the "real" system, it is only a container.
Another important feature I added to Litterbox (and one I have not seen before) is a custom SSH agent which always prompts the user to confirm a signing operation through a pop-up. This means that things inside a Litterbox do not have unrestricted access to your normal SSH agent (something which could provide rogue actors access to your Github for instance).
Fair enough, I guess Unix users could indeed get you a long way. I did not really even consider it.
Apart from protecting user files, another goal I had with litterbox.work was to enable reproducible development environments through Dockerfiles and to improve the security of ssh-agent. These still require a bit more than just a new user.
- Most importantly, it exposes a Wayland socket so that I can run my entire dev environment (i.e. editor etc.) inside the container. This gives additional protection against exploits inside editor extensions for instance.
- It also provides a special SSH agent which always prompts the user to confirm a signing operation. This means that an agent or an exploit never gets unsupervised access to your Github for instance.
- It has some additional functions to help with enabling permissions inside the container which are only needed for certain use cases (such as allowing for TUN/TAP device creation).
- It has not been added yet, but I'm working on SELinux integration for even more secure isolation from the host.
reply