A deep dive on agent sandboxes
4 months ago
- #coding-agents
- #sandboxing
- #security
- Modern coding agents are powerful due to their access permissions, with bash being their most expressive and dangerous tool.
- Running coding agents within virtualization (like containers) is the safest approach, though rarely practiced.
- Command whitelists (seen in Claude Code and Cursor) balance permissions and danger but are brittle and annoying.
- Codex CLI offers three permission modes: Read Only, Auto (the current default), and Full Access, each with a different level of restriction.
- Auto mode in Codex is the most interesting, limiting network and workspace-external access without explicit containerization.
- Codex uses macOS Seatbelt and Linux Landlock + seccomp for sandboxing, enforcing restrictions at the OS level.
- The Linux implementation is more complex, using Landlock for filesystem restrictions and seccomp for system call filtering.
- Child process management ensures sandboxed processes are isolated and cleaned up properly, with environment variable control.
- Command whitelisting and trust lists help categorize commands as safe, needing approval, or requiring unsandboxed execution.
- Debugging tools like `codex debug seatbelt` and `codex debug landlock` aid in testing sandboxing behavior.
- OS-native sandboxing in Codex provides good isolation with low overhead, crucial for safe agent execution.
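To make the seccomp half of the Linux mechanism concrete, here is an added example (not Codex's own code, and the syscall policy is an assumption chosen for illustration, not Codex's real filter): a seccomp-bpf program that denies `connect()` and `bind()` and permits `socket()` only for `AF_UNIX`, so a child process that inherits it cannot reach the network while local IPC keeps working. Landlock, which the post describes for the filesystem side, is not shown here.

```c
#include <errno.h>
#include <stddef.h>
#include <unistd.h>
#include <sys/prctl.h>
#include <sys/socket.h>
#include <sys/syscall.h>
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>

#if defined(__x86_64__)
#define ARCH_NR AUDIT_ARCH_X86_64
#else
#define ARCH_NR AUDIT_ARCH_AARCH64 /* assumption: x86_64 or aarch64 host; any other ABI is killed below */
#endif

/* Illustrative policy (an assumption, not Codex's actual filter): connect()/bind() fail with
 * EPERM, socket() is permitted only for AF_UNIX so local IPC still works, all else passes. */
static struct sock_filter filter[] = {
    BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, arch)),
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, ARCH_NR, 1, 0),
    BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL_PROCESS),     /* foreign ABI: kill, fail closed */
    BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)),
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_connect, 4, 0), /* -> EPERM */
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_bind, 3, 0),    /* -> EPERM */
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_socket, 0, 3),  /* any other syscall -> allow */
    BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, args[0])),
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, AF_UNIX, 1, 0),      /* socket(AF_UNIX) -> allow */
    BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ERRNO | (EPERM & SECCOMP_RET_DATA)),
    BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
};

/* Installs the filter on the calling process; every child it spawns inherits it. 0 on success. */
int install_no_network_filter(void) {
    struct sock_fprog prog = { .len = sizeof(filter) / sizeof(filter[0]), .filter = filter };
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0) return -1; /* required for unprivileged install */
    return prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog) == 0 ? 0 : -1;
}

/* Probes used to verify the policy once it is active. */
static int try_socket(int domain) {
    int fd = socket(domain, SOCK_STREAM, 0);
    if (fd >= 0) close(fd);
    return fd; /* errno is preserved on failure */
}
int inet_socket_is_blocked(void) { return try_socket(AF_INET) < 0 && errno == EPERM; }
int unix_socket_is_allowed(void) { return try_socket(AF_UNIX) >= 0; }
```

Calling `install_no_network_filter()` immediately before `execvp()` of the agent's shell command gives the child the same restriction, which is the shape of a sandboxed command launcher.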