feat: command denylist enforcement inside sandbox execution #2662

@imran-siddique

Summary

AGT sandbox providers do not maintain a denylist of commands that cannot be executed inside the sandbox. Prevention of dangerous commands (e.g., az, terraform, kubectl, curl) relies entirely on indirect controls like network egress restrictions and Linux capability drops. There is no explicit command-level enforcement layer.

Current State

  • Docker provider drops all capabilities and sets no-new-privileges, but does not restrict which binaries can be executed inside the container
  • Hyperlight provider binds tool allowlists at session creation, but this controls which tools are registered in the guest API, not which system binaries the guest code can invoke
  • ACA provider enforces network egress policy but does not restrict command execution
  • The blocked_patterns feature in agent-os scans tool arguments for dangerous strings, but this operates at the host level before sandbox execution, not inside the sandbox

Gap

A tool could invoke os.system('az account list') inside the sandbox. Even if az fails due to network restrictions, the attempt itself is not logged or blocked by AGT. For compliance scenarios, detecting the attempt matters as much as preventing the outcome.

Proposed Solution

  1. Container-level PATH restriction: build sandbox container images with a minimal PATH containing only allowed binaries (python, cat, echo). Remove or do not install dangerous CLIs.
  2. Read-only bind mount denylist: mount key system directories read-only and symlink dangerous binaries to /bin/false or a logging shim.
  3. AppArmor/SELinux profile: custom profile that denies exec of specific binary paths. Docker provider already sets apparmor=docker-default (provider.py:1097); this would use a stricter custom profile.
  4. Execution shim: replace the Python interpreter entry point with a governed wrapper that intercepts subprocess module calls and checks against the policy before allowing execution.

Files to Modify

  • agent-sandbox/src/agent_sandbox/docker_provider/provider.py (custom AppArmor profile, PATH restriction)
  • New: agent-sandbox/docker/apparmor/agt-sandbox-profile (custom AppArmor profile)
  • New: agent-sandbox/docker/Dockerfile.sandbox (minimal sandbox image)
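Added illustration of proposal 4 (the execution shim), written for this page and not taken from the AGT repository or from the issue author: a Python module that routes subprocess.Popen (and therefore subprocess.run, call and check_output) and os.system through a denylist check, records every attempt in an audit list, and raises PermissionError on a match. The policy set, the module and function names (DENIED_PROGRAMS, check_exec, install_shim, AUDIT, run_demo) and the in-memory audit trail are assumptions for the example; a real deployment would load the policy from the provider and forward the audit records to the host.

```python
"""Governed execution shim (example only, not AGT code).

Intercepts Python's process-spawning entry points, audits each attempt and
denies listed programs. Install from sitecustomize.py in the sandbox image.
"""
import logging
import os
import shlex
import subprocess
import sys

log = logging.getLogger("sandbox.shim")

# Hypothetical policy: program basenames that may never be executed.
DENIED_PROGRAMS = frozenset({"az", "terraform", "kubectl", "curl"})

# Audit trail of every attempt, allowed or not: (program, allowed).
AUDIT: list[tuple[str, bool]] = []


def _words(cmd, shell):
    """Tokens that could name a program in this invocation."""
    if isinstance(cmd, os.PathLike):
        cmd = os.fspath(cmd)
    if isinstance(cmd, bytes):
        cmd = os.fsdecode(cmd)
    if isinstance(cmd, str):
        if not shell:
            return [cmd]                      # bare string is the program itself
        try:
            return shlex.split(cmd)
        except ValueError:                    # unbalanced quotes: stay conservative
            return cmd.split()
    return [os.fsdecode(w) for w in cmd]      # argv sequence


def check_exec(cmd, shell=False):
    """Record the attempt in AUDIT; raise PermissionError if policy denies it."""
    words = _words(cmd, shell)
    if not words:
        return True                           # let subprocess raise its own error
    # Without a shell only argv[0] names a program. With one, any word may
    # start a new command (after '|', ';', '&&'), so every word is checked.
    candidates = words if shell else words[:1]
    denied = next((os.path.basename(w) for w in candidates
                   if os.path.basename(w) in DENIED_PROGRAMS), None)
    AUDIT.append((denied or os.path.basename(words[0]), denied is None))
    if denied is not None:
        log.warning("denied exec of %r (attempt: %r)", denied, cmd)
        raise PermissionError(f"{denied!r} is denied inside the sandbox")
    return True


_real_popen = subprocess.Popen
_real_system = os.system


class GovernedPopen(_real_popen):
    """Drop-in Popen that consults the policy before forking."""

    def __init__(self, args, *rest, **kw):
        # 'shell' is the 9th positional parameter of Popen, i.e. rest[7].
        shell = kw.get("shell", rest[7] if len(rest) > 7 else False)
        check_exec(args, shell=shell)
        super().__init__(args, *rest, **kw)


def _governed_system(command):
    check_exec(command, shell=True)           # os.system always runs a shell
    return _real_system(command)


def install_shim():
    """Route Popen-based helpers and os.system through the policy."""
    subprocess.Popen = GovernedPopen
    os.system = _governed_system


def run_demo():
    """Exercise an allowed call, a shell-hidden denied call and os.system."""
    install_shim()
    AUDIT.clear()
    result = {}
    # Allowed: the interpreter itself (python is on the issue's allowlist).
    proc = subprocess.run([sys.executable, "-c", "print('hello')"],
                          capture_output=True, text=True)
    result["allowed_output"] = proc.stdout.strip()
    # Denied: the listed program hides behind '&&' in a shell string.
    try:
        subprocess.run("echo hi && az account list", shell=True)
        result["blocked"] = None
    except PermissionError as exc:
        result["blocked"] = str(exc)
    # Denied: the exact call quoted in the issue.
    try:
        os.system("az account list")
        result["os_system_blocked"] = False
    except PermissionError:
        result["os_system_blocked"] = True
    result["audit"] = list(AUDIT)
    return result


if __name__ == "__main__":
    print(run_demo())
```

Because the shim lives in the guest interpreter's own address space, guest code can bypass it (os.execv, os.posix_spawn, ctypes, or starting a second interpreter with -S so sitecustomize never loads) or simply restore subprocess.Popen. It therefore gives the audit record the issue asks for, but the enforcement still has to come from the PATH restriction and AppArmor profile in proposals 1 to 3.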

Labels: enhancement (New feature or request), security (Security-related issues)