Search papers, labs, and topics across Lattice.
Sandlock introduces a novel Linux process sandbox designed to confine AI agent code execution, addressing the limitations of existing isolation methods like containers and ad-hoc process controls. It achieves this by splitting policy enforcement between static kernel-enforced rules and a narrow supervisor for runtime decisions, enabling fine-grained control over filesystem, network, IPC, and syscall policies without requiring root privileges or containers. Evaluation shows minimal overhead (5ms startup) and near bare-metal throughput for workloads like Redis, demonstrating its practicality for securing AI agent environments.
Forget heavyweight containers: Sandlock offers lightweight, unprivileged confinement for AI agent code, achieving near-native performance with strong syscall-level control.
AI agents increasingly run untrusted code on developer machines: shell commands generated by language models, third-party scripts retrieved at runtime, and tool plugins of unknown provenance. Existing isolation mechanisms impose tradeoffs that fit this workload poorly: containers and microVMs add privilege, image-management, and startup costs, while ad-hoc process controls and wrappers (e.g. chroot, ulimit) provide weak guarantees and little syscall-level control. Sandlock is a lightweight Linux process sandbox organized around a simple split: static, input-independent policy is compiled into kernel-enforced rules, while a narrow supervisor handles runtime-dependent decisions and virtualized effects. This split lets Sandlock enforce filesystem, network, IPC, and syscall policies without root, cgroups, images, or mandatory namespaces. It also supports dynamic network decisions, HTTP-level access control, TOCTOU-safe inspection of execve arguments, and reversible filesystem effects. On our workstation, Sandlock adds roughly 5 ms of startup overhead and runs Redis at bare-metal throughput (within measurement noise); its pipeline operator further supports per-stage confinement for separating data, network, and untrusted-content capabilities. Sandlock is available at https://github.com/multikernel/sandlock