Conversation

TIL Docker v4.58+ have the `sandbox` subcommand to run commands with restricted filesystem access, ideal for running coding agents in yolo mode (or any other software you can't trust like ghidra or ida)

@pancake How is this different from simply bind mounting your project dir?

@buherator it creates a VM for each program you run, the program inside can’t see your system processes and there, and probably the main positive point here is simplicity to use and manage

@pancake I get that this is a stronger isolation layer, but why is that necessary? Do agents randomly perform container escapes?

Simplicity is definitely a plus, but that wouldn't require VMs either.

@buherator yep, escaping the agent sandbox is a pretty common vuln and all agents are affected because there's literally no way to fix this other than to add more checks when an escape is found. And even if you are requested to give permission to a directory, agents can write programs and execute them without supervision or in hidden ways, which makes it possible to access anything, bypassing the classic checks.

@pancake I think we are talking about different things (please provide a link or stg if I misunderstand). When I just launch claude it can and will write at random FS paths for example, because the process has the privileges to do so. Can it do the same if I launch it in a regular old container where the project directory is mounted (it will have access to everything inside the mount ofc but not my whole ~)?

@buherator yes, that would be the same if you run the agent inside a docker with a mounted volume. Docker sandbox afaik just makes it easier to use

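The "regular old container with the project directory mounted" that the two posters agree on, as an added example that is not from the thread or from Docker's own tooling: a POSIX sh helper that builds a `docker run` line where the only host path handed in is the project directory, the agent's `$HOME` is a throwaway tmpfs inside the container, and capabilities, privilege escalation and the network are switched off. The image name `example/agent:latest`, the `/work` mount point and the `DRY_RUN` variable are assumptions.

```shell
#!/bin/sh
# Hypothetical helper (not part of Docker): run a coding agent in a plain
# container so it can only write inside the mounted project directory.
# Usage: agent_sandbox <project_dir> <image> [command...]
# With DRY_RUN=1 the docker command line is printed instead of executed.
agent_sandbox() {
    proj=$1
    image=$2
    shift 2
    # Never do `-v "$HOME:/root"` here: that is exactly the hole the thread
    # is about (the agent can then read ~/.ssh, ~/.aws, shell history ...).
    set -- docker run --rm -it \
        --network none \
        --read-only \
        --tmpfs /tmp:rw,noexec,nosuid,size=256m \
        --tmpfs /home/agent:rw,size=64m \
        --cap-drop=ALL \
        --security-opt no-new-privileges \
        --pids-limit 512 \
        --user 1000:1000 \
        -e HOME=/home/agent \
        -v "$proj:/work" \
        -w /work \
        "$image" "$@"
    # --network none: no outbound calls unless you deliberately add them.
    # --read-only + tmpfs: the rootfs is immutable, scratch space is RAM-only
    #   and noexec, so "write a program and run it" has only /work to work in.
    # --cap-drop=ALL / no-new-privileges: no setuid or capability tricks.
    # --user 1000:1000: files created in /work stay owned by your user.
    if [ "${DRY_RUN:-0}" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}
```

Run it as `agent_sandbox "$PWD" example/agent:latest claude` from the project directory; anything the agent writes outside `/work` lands on tmpfs and is gone when the container exits.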

Jk. Docker sandbox only works for real programs. Aka the ones that run in a tty
