Show HN: Minimal Linux sandboxes to manage AI-Generated Code with ease
agentjail is a beta tool that provides minimal Linux sandboxes for running untrusted code, such as AI-generated scripts or freshly installed npm packages, using kernel-level isolation rather than a VM. Each jail is a single child process placed in fresh namespaces and pivot-rooted into a minimal rootfs; seccomp filters, cgroups, and Landlock then restrict what it can reach on the host, cap the resources it can consume, and limit its ability to escalate privileges. The tool runs without a daemon or setuid helpers and targets Linux 5.13+ systems.
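To make the seccomp part of that design concrete, here is an added C example written for this page; it is not code from the agentjail repository (which is a Rust crate), and agentjail's real filter, its full list of blocked syscalls and its chosen error codes are not documented on this page. The example builds a classic-BPF denylist for the three syscalls the summary names, installs it with prctl(2) after setting no_new_privs, and probes that the calls now fail. The function names, the use of ENOSYS as the return value and the decision to kill the process on an architecture mismatch are this example's own choices.

```c
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <errno.h>
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>
#include <stddef.h>
#include <stdio.h>
#include <sys/mount.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <unistd.h>

/* The filter must pin the syscall ABI it was written for; a foreign arch
 * (e.g. a 32-bit ABI on a 64-bit kernel) has different syscall numbers. */
#if defined(__x86_64__)
#  define JAIL_AUDIT_ARCH AUDIT_ARCH_X86_64
#elif defined(__aarch64__)
#  define JAIL_AUDIT_ARCH AUDIT_ARCH_AARCH64
#elif defined(__i386__)
#  define JAIL_AUDIT_ARCH AUDIT_ARCH_I386
#else
#  error "add the AUDIT_ARCH_* constant for this architecture"
#endif

#ifndef SECCOMP_RET_KILL_PROCESS
#  define SECCOMP_RET_KILL_PROCESS 0x80000000U
#endif

/* The syscalls the page lists as blocked. Everything else is allowed here. */
static const int denied[] = { __NR_ptrace, __NR_mount, __NR_chroot };
#define NDENIED (sizeof denied / sizeof denied[0])

/* Build a BPF program: kill on foreign arch, return ENOSYS for denied
 * syscalls, allow the rest. Returns the instruction count, or 0 on bad input
 * (jump offsets are 8-bit, so the list is capped well below 255 entries). */
size_t build_denylist_filter(const int *nrs, size_t n, struct sock_filter *out, size_t cap) {
    size_t need = n + 6, i = 0;
    if (n == 0 || n > 200 || cap < need) return 0;
    out[i++] = (struct sock_filter)BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, arch));
    out[i++] = (struct sock_filter)BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, JAIL_AUDIT_ARCH, 1, 0);
    out[i++] = (struct sock_filter)BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL_PROCESS);
    out[i++] = (struct sock_filter)BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr));
    for (size_t k = 0; k < n; k++) {
        /* On a match jump to the ENOSYS return (index n+4); only the last
         * compare needs an explicit jump to ALLOW (index n+5) on mismatch. */
        out[i++] = (struct sock_filter)BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, (unsigned)nrs[k],
                                                (unsigned char)(n - k - 1), (unsigned char)(k + 1 == n));
    }
    out[i++] = (struct sock_filter)BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ERRNO | (ENOSYS & SECCOMP_RET_DATA));
    out[i++] = (struct sock_filter)BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW);
    return i;
}

/* Install the denylist in the calling process. Returns 0 or -errno. */
int install_syscall_denylist(void) {
    struct sock_filter insns[NDENIED + 6];
    size_t n = build_denylist_filter(denied, NDENIED, insns, NDENIED + 6);
    if (n == 0) return -EINVAL;
    struct sock_fprog prog = { .len = (unsigned short)n, .filter = insns };
    /* Without no_new_privs an unprivileged process may not install a filter,
     * and the flag also stops a later setuid exec from regaining privilege. */
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) < 0) return -errno;
    if (prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog) < 0) return -errno;
    return 0;
}

/* Returns 1 when all three denied syscalls fail with the filter's ENOSYS.
 * Targets are harmless: chroot("/") and a nonexistent mount point. */
int probe_denylist(void) {
    int ok = 1;
    errno = 0;
    if (chroot("/") != -1 || errno != ENOSYS) ok = 0;
    errno = 0;
    if (mount("none", "/agentjail-probe-does-not-exist", "tmpfs", 0, NULL) != -1 || errno != ENOSYS) ok = 0;
    errno = 0;
    if (syscall(SYS_ptrace, 0L, 0L, 0L, 0L) != -1 || errno != ENOSYS) ok = 0;   /* PTRACE_TRACEME */
    return ok;
}

int main(void) {
    int rc = install_syscall_denylist();
    if (rc != 0) { fprintf(stderr, "seccomp install failed: %d\n", rc); return 1; }
    printf("denylist active; probes %s\n", probe_denylist() ? "blocked as expected" : "NOT blocked");
    return 0;
}
```

A denylist is shown because that is what the page describes; a production jail normally prefers an allowlist so that syscalls added in future kernels are denied by default. ENOSYS is used instead of EPERM so a blocked call is distinguishable from the kernel's own permission check (an unprivileged chroot fails with EPERM even without a filter), which is also what the probe relies on.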
- agentjail uses Linux namespaces, pivot_root, seccomp, cgroups, and Landlock to isolate untrusted code in a minimal environment.
- It blocks dangerous syscalls such as ptrace, mount, and chroot, and restricts network access through an in-process HTTP CONNECT proxy with domain allowlisting.
- The tool requires Linux 5.13 or newer, cgroup v2, and user namespaces; it currently ships presets for build, install, agent, GPU, and development workloads.
- Resource limits cover memory, CPU, PIDs, and disk I/O; a barrier pipe holds the child until its cgroup membership and limits are in place, so the workload never runs unlimited, not even briefly at startup.
- agentjail is available as a Rust crate and supports real-time monitoring, event streaming, and snapshotting of jailed processes.
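The barrier pipe from the resource-limits point closes a small but real race: the parent can only write the child's PID into a cgroup after fork, and if the child execs first, the opening instants of the workload (a fork bomb, say) run outside the limits. The following is an added C example written for this page, not agentjail's own code: the child blocks on a pipe and only continues once the parent reports that confinement is done, and if the parent fails it simply closes the pipe, so the child sees EOF and aborts rather than running unconfined. The confine_child function is a hypothetical stand-in for the real step (writing the PID to cgroup.procs and applying limits); it, the shared flag and the exit codes are assumptions of this example.

```c
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <errno.h>
#include <stdio.h>
#include <sys/mman.h>
#include <sys/wait.h>
#include <unistd.h>

/* What the child reports through its exit status. */
enum { CHILD_OK = 0, CHILD_RAN_UNCONFINED = 3, CHILD_ABORTED = 42 };

/* Block until the parent writes the go byte. 1 = go, 0 = EOF (parent gave up). */
static int wait_for_go(int fd) {
    char c;
    ssize_t n;
    do { n = read(fd, &c, 1); } while (n < 0 && errno == EINTR);
    return n == 1 && c == 'G';
}

/* Hypothetical stand-in for the real confinement step (writing the child's
 * PID to cgroup.procs and setting limits). It deliberately takes a while,
 * then sets a shared flag the child can inspect. `fail` simulates failure. */
static int confine_child(pid_t child, volatile int *confined, int fail) {
    (void)child;
    usleep(20000);
    if (fail) return -1;
    *confined = 1;
    return 0;
}

/* Fork a child that will not proceed until confinement is reported complete.
 * Returns the child's exit status (see the enum above) or -1 on a local error. */
int spawn_with_barrier(int fail_setup) {
    /* Shared flag so the child can prove it observed the completed setup. */
    volatile int *confined = mmap(NULL, sizeof *confined, PROT_READ | PROT_WRITE,
                                  MAP_SHARED | MAP_ANONYMOUS, -1, 0);
    if (confined == MAP_FAILED) return -1;
    *confined = 0;

    int fds[2];
    if (pipe(fds) < 0) return -1;
    pid_t pid = fork();
    if (pid < 0) return -1;

    if (pid == 0) {                                   /* child */
        close(fds[1]);
        if (!wait_for_go(fds[0])) _exit(CHILD_ABORTED);   /* EOF: never run the workload */
        /* A real jail would execve() the workload here, now inside its cgroup. */
        _exit(*confined ? CHILD_OK : CHILD_RAN_UNCONFINED);
    }

    close(fds[0]);                                    /* parent */
    int rc = confine_child(pid, confined, fail_setup);
    if (rc == 0) {
        ssize_t w;
        do { w = write(fds[1], "G", 1); } while (w < 0 && errno == EINTR);
    }
    close(fds[1]);   /* on failure this is the only signal the child gets: EOF */

    int status;
    if (waitpid(pid, &status, 0) < 0) return -1;
    munmap((void *)confined, sizeof *confined);
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void) {
    printf("setup ok   -> child exit %d\n", spawn_with_barrier(0));
    printf("setup fail -> child exit %d\n", spawn_with_barrier(1));
    return 0;
}
```

Closing the write end unconditionally is the important detail: the failure path needs no separate "abort" message, because EOF on the barrier is already unambiguous to the child, and a parent that dies mid-setup produces the same EOF.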
Opening excerpt (first ~120 words)
agentjail
Minimal Linux sandboxes for running untrusted code.

Why
Model-generated code, npm install on a fresh repo, a PR's test suite, an MCP tool the agent picked — all run as you, on your kernel. They can read ~/.ssh, fork-bomb the host, dial any IP, spawn a reverse shell. Docker isn't a sandbox. nobody isn't a sandbox. agentjail is.
One jail is one child process inside fresh Linux namespaces, pivot-rooted into a minimal rootfs, seccomp-filtered, cgroup-limited, egress-allowlisted. No VM. No daemon. No setuid helper.
Beta. Core crate (crates/agentjail) is the load-bearing piece, covered by make test-rust-privileged. Control plane, SDKs, web UI, gateway are useful but APIs may move before 1.0.

Isolation
Namespaces — mount, network, IPC, PID; user optional.
…
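The excerpt's "dial any IP" and the domain-allowlisted CONNECT proxy mentioned above come down to one decision per tunnel request. Below is an added C example written for this page, not agentjail's code (which is Rust) and not its policy format: a parser for the CONNECT request line followed by a default-deny check. The policy struct, the "*.example.com" wildcard semantics (subdomains only), the single allowed port, the verdict names and the sample allowlist are all assumptions for illustration. The dot-bounded suffix match is the part worth copying: a naive "ends with github.com" check would let evil-github.com through.

```c
#include <arpa/inet.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <strings.h>

typedef enum {
    EGRESS_ALLOW = 0,
    EGRESS_DENY_MALFORMED,   /* not a well-formed "CONNECT host:port HTTP/1.x" line */
    EGRESS_DENY_IP_LITERAL,  /* raw address: a name allowlist cannot vouch for it */
    EGRESS_DENY_PORT,        /* port outside the policy */
    EGRESS_DENY_HOST         /* name not on the allowlist (the default outcome) */
} egress_verdict;

typedef struct {
    const char *const *hosts;  /* "example.com" exact; "*.example.com" any subdomain */
    size_t nhosts;
    int port;                  /* the only port a tunnel may be opened to */
} egress_policy;

/* Constructed sample policy for this demo (not agentjail's defaults). */
static const char *const example_hosts[] = { "registry.npmjs.org", "github.com", "*.github.com" };
const egress_policy example_policy = { example_hosts, 3, 443 };

/* Parse "CONNECT host:port HTTP/1.x". Returns 1 on success, 0 otherwise.
 * Bracketed IPv6 targets do not fit the scanset and are rejected here. */
int parse_connect_line(const char *line, char *host, size_t cap, int *port) {
    char fmt[40];
    int minor;
    if (cap < 2 || cap > 1000) return 0;
    snprintf(fmt, sizeof fmt, "CONNECT %%%zu[^: /]:%%d HTTP/1.%%d", cap - 1);
    if (sscanf(line, fmt, host, port, &minor) != 3) return 0;
    return *port >= 1 && *port <= 65535;
}

/* Exact match, or dot-bounded suffix match for "*.suffix" patterns, so that
 * "evil-github.com" never satisfies "*.github.com". Case-insensitive. */
static int host_matches(const char *host, const char *pattern) {
    if (pattern[0] == '*' && pattern[1] == '.') {
        const char *suffix = pattern + 1;            /* ".github.com" */
        size_t hl = strlen(host), sl = strlen(suffix);
        return hl > sl && strcasecmp(host + (hl - sl), suffix) == 0;
    }
    return strcasecmp(host, pattern) == 0;
}

/* Reason code only: an address that slips past this (odd notations such as
 * a bare decimal integer) still fails the name match below. */
static int is_ip_literal(const char *host) {
    unsigned char buf[16];
    return inet_pton(AF_INET, host, buf) == 1 || inet_pton(AF_INET6, host, buf) == 1;
}

/* Default deny: only a parsed, name-based, on-port, allowlisted target passes. */
egress_verdict egress_decide(const char *line, const egress_policy *p) {
    char host[256];
    int port;
    if (!parse_connect_line(line, host, sizeof host, &port)) return EGRESS_DENY_MALFORMED;
    if (is_ip_literal(host)) return EGRESS_DENY_IP_LITERAL;
    if (port != p->port) return EGRESS_DENY_PORT;
    for (size_t i = 0; i < p->nhosts; i++)
        if (host_matches(host, p->hosts[i])) return EGRESS_ALLOW;
    return EGRESS_DENY_HOST;
}

int main(void) {
    /* Constructed request lines covering each verdict. */
    const char *lines[] = {
        "CONNECT registry.npmjs.org:443 HTTP/1.1",
        "CONNECT api.github.com:443 HTTP/1.1",
        "CONNECT evil-github.com:443 HTTP/1.1",
        "CONNECT github.com.attacker.example:443 HTTP/1.1",
        "CONNECT 203.0.113.10:443 HTTP/1.1",
        "CONNECT registry.npmjs.org:22 HTTP/1.1",
        "GET http://registry.npmjs.org/ HTTP/1.1",
    };
    for (size_t i = 0; i < sizeof lines / sizeof lines[0]; i++)
        printf("%-52s -> verdict %d\n", lines[i], egress_decide(lines[i], &example_policy));
    return 0;
}
```

The proxy itself must still do the DNS lookup and open the upstream socket on the jailed process's behalf; the point of pairing the proxy with a network namespace is that the allowlist decision is the only way out.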
Excerpt limited to ~120 words for fair-use compliance. The full article is at GitHub.