feat: integrate hypervisor ring enforcement into sandbox providers #2666

@imran-siddique

Description

Summary

The agent-hypervisor ring enforcement system (RingEnforcer, RingBreachDetector, ActionClassifier) defines resource constraints per execution ring, including subprocess_allowed, network_allowed, and filesystem_scope. However, these constraints are not wired into the sandbox providers (DockerSandboxProvider, HyperLightSandboxProvider, ACASandboxProvider).

Current State

  • agent-hypervisor/src/hypervisor/rings/enforcer.py defines RING_CONSTRAINTS with per-ring ResourceConstraints:
    • Ring 3 (Sandbox): subprocess_allowed=False, network_allowed=False, filesystem_scope='none'
    • Ring 2 (Standard): subprocess_allowed=True, network_allowed=True (allowlisted), filesystem_scope='scoped'
    • Ring 1 (Privileged): full access
    • Ring 0 (Root): system-only, always denied for agents
  • RingEnforcer.check() validates ring-level access and check_resource() validates resource constraints
  • RingBreachDetector monitors for privilege-escalation attempts and trips a circuit breaker on HIGH/CRITICAL
  • Hypervisor core class instantiates RingEnforcer internally (core.py:31-33)
  • None of these are imported or used by any sandbox provider

Gap

When a sandbox provider creates a session or executes code, it does not consult the ring system. A Ring 3 agent's session is not automatically configured with subprocess_allowed=False constraints. The ring data model exists but enforcement is not automatic.

Proposed Solution

  1. Add a ring parameter to SandboxConfig (default: RING_3_SANDBOX)
  2. In each provider's create_session(), map the agent's ring to ResourceConstraints and apply them:
    • Docker: set --security-opt no-new-privileges, drop CAP_SYS_PTRACE, disable network if Ring 3
    • Hyperlight: skip register_tool() for subprocess-capable tools if Ring 3, skip allow_domain() entirely
    • ACA: set defaultAction: Deny with empty rules for Ring 3
  3. In each provider's execute_code(), check RingEnforcer.check_resource(SUBPROCESS) before spawning the execution process
  4. Wire RingBreachDetector into the provider's execution path so repeated violations trip the breaker
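The four steps above, as one worked sketch. This is an added example, not code from the agent-hypervisor or agent-sandbox repositories: the `Ring` enum, the `RING_CONSTRAINTS` table, `BreachDetector`, `DockerProviderSketch` and the `needs_subprocess` flag (standing in for what `ActionClassifier` would derive from the code) are all assumptions constructed to mirror the constraints the issue lists, and the `docker run` flags are the ones the Docker bullet names.

```python
from dataclasses import dataclass
from enum import Enum


class Ring(Enum):
    """Execution rings as described in the issue (lower number = more privileged)."""
    RING_0_ROOT = 0
    RING_1_PRIVILEGED = 1
    RING_2_STANDARD = 2
    RING_3_SANDBOX = 3


@dataclass(frozen=True)
class ResourceConstraints:
    subprocess_allowed: bool
    network_allowed: bool
    filesystem_scope: str  # 'none', 'scoped' or 'full'


# Constructed mapping that mirrors the per-ring constraints listed in the issue.
# Ring 0 is deliberately absent: it is system-only and always denied for agents.
RING_CONSTRAINTS = {
    Ring.RING_1_PRIVILEGED: ResourceConstraints(True, True, "full"),
    Ring.RING_2_STANDARD: ResourceConstraints(True, True, "scoped"),
    Ring.RING_3_SANDBOX: ResourceConstraints(False, False, "none"),
}


class RingViolation(PermissionError):
    """Raised when a session asks for a resource its ring does not permit."""


def constraints_for(ring: Ring) -> ResourceConstraints:
    if ring is Ring.RING_0_ROOT:
        raise RingViolation("Ring 0 is system-only; agents may never run there")
    return RING_CONSTRAINTS[ring]


@dataclass
class SandboxConfig:
    image: str = "python:3.12-slim"
    ring: Ring = Ring.RING_3_SANDBOX  # step 1: least-privilege default


class BreachDetector:
    """Counts denied resource requests per session and opens a circuit breaker
    once the threshold is reached (hypothetical stand-in for RingBreachDetector)."""

    def __init__(self, threshold: int = 3) -> None:
        self.threshold = threshold
        self._violations: dict[str, int] = {}
        self._tripped: set[str] = set()

    def record(self, session_id: str) -> bool:
        count = self._violations.get(session_id, 0) + 1
        self._violations[session_id] = count
        if count >= self.threshold:
            self._tripped.add(session_id)
        return session_id in self._tripped

    def is_tripped(self, session_id: str) -> bool:
        return session_id in self._tripped


def docker_run_args(c: ResourceConstraints) -> list[str]:
    """Step 2 (Docker): translate constraints into `docker run` flags."""
    args = ["--security-opt", "no-new-privileges", "--cap-drop", "SYS_PTRACE"]
    if not c.network_allowed:
        args += ["--network", "none"]
    if c.filesystem_scope == "none":
        args += ["--read-only"]
    return args


class DockerProviderSketch:
    """Hypothetical provider showing where create_session/execute_code consult the ring."""

    def __init__(self, detector: BreachDetector) -> None:
        self.detector = detector
        self._sessions: dict[str, tuple[SandboxConfig, ResourceConstraints, list[str]]] = {}

    def create_session(self, session_id: str, config: SandboxConfig) -> list[str]:
        c = constraints_for(config.ring)  # Ring 0 is rejected here, before any container exists
        args = docker_run_args(c)
        self._sessions[session_id] = (config, c, args)
        return args

    def execute_code(self, session_id: str, code: str, needs_subprocess: bool) -> str:
        """Steps 3 and 4: check the subprocess constraint, feed denials to the detector."""
        config, c, _ = self._sessions[session_id]
        if self.detector.is_tripped(session_id):
            raise RingViolation(f"breaker open for {session_id}: repeated ring violations")
        if needs_subprocess and not c.subprocess_allowed:
            self.detector.record(session_id)
            raise RingViolation(f"subprocess denied in {config.ring.name}")
        return f"ran {len(code)} bytes in {config.ring.name}"
```

The point the sketch makes is ordering: the ring is resolved once in `create_session`, so a Ring 3 session never gets a network-enabled container in the first place, and `execute_code` re-checks per call so that the breach detector sees every denial rather than only the first. A Hyperlight or ACA provider would replace `docker_run_args` with its own mapping (skipping `register_tool`/`allow_domain`, or emitting `defaultAction: Deny`) while keeping the same two checkpoints.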

Files to Modify

  • agent-sandbox/src/agent_sandbox/sandbox_provider.py (add ring to SandboxConfig)
  • agent-sandbox/src/agent_sandbox/docker_provider/provider.py
  • agent-sandbox/src/agent_sandbox/hyperlight_provider/provider.py
  • agent-sandbox/src/agent_sandbox/aca_sandbox_provider/aca_sandbox_provider.py

Related

  • Ring enforcer: agent-hypervisor/src/hypervisor/rings/enforcer.py
  • Breach detector: agent-hypervisor/src/hypervisor/rings/breach_detector.py

Labels: enhancement (New feature or request), security (Security-related issues)