Sandbox Untrusted Code Execution
Contain what your agent runs: isolated execution environments with resource limits, network policy, and workspace mounting done right.
The route
4 steps to Done
- 01
Choose the isolation and define the policy
Decide what the boundary must hold before building it.
Preview prompt + verify gate ▾ Hide ▴
Design the sandbox. Choose the isolation technology available in my environment (containers via Docker/Podman are the default; microVMs or gVisor where stakes are higher; a restricted-user + namespace approach where containers are unavailable) and justify briefly. Write the policy document: FILESYSTEM - workspace mounted read-write at a fixed path, nothing else from the host; a scratch tmp; image-provided tooling read-only. RESOURCES - CPU cores, memory cap, pids limit, disk quota, wall-clock timeout per execution. NETWORK - default deny; allowlist (package registries, required APIs) with rationale per entry. LIFECYCLE - fresh or session-scoped sandbox, teardown rules. This document is the spec the next steps implement and the tests verify.
- ✓ Technology fits the environment and stakes
- ✓ All four policy areas specified with numbers
- ✓ Allowlist entries individually justified
- 02
Build the sandboxed executor
Same tool interface, contained blast radius.
Preview prompt + verify gate ▾ Hide ▴
Implement execution inside the sandbox. Build the execution image: base OS plus the project's toolchain (pin versions). Reimplement run_command to execute inside the sandbox: workspace mounted per policy, limits applied (cpus, memory, pids-limit, read-only rootfs where workable, no-new-privileges, non-root user), timeout enforced, stdout/stderr captured and returned with exit codes exactly as before. Session-scoped sandbox reuse for speed (create at session start, execute via exec, destroy at end) with a fresh-sandbox option for suspicious operations. The agent-facing tool interface stays identical - the containment is transparent. Verify normal development commands (install, test, build) work inside.
- ✓ Limits and non-root enforced on the container
- ✓ Interface unchanged for the agent
- ✓ Session reuse keeps latency acceptable
- 03
Enforce and verify the network policy
Default-deny, with every exception named.
Preview prompt + verify gate ▾ Hide ▴
Implement network policy. Default: no egress (network none, or an internal network with no route out). Where the workflow needs egress (package installs), route through the allowlist mechanism available: a filtering proxy the sandbox must use, or network rules permitting only named destinations. Failures at the boundary must produce a distinguishable error the agent can read ('network blocked by policy: destination X not allowlisted') so the model reports it rather than flailing. Log every blocked attempt as a security event with destination and context. Test: package install from an allowlisted registry succeeds; a curl to an arbitrary host fails with the policy error; the blocked attempt appears in the security log.
- ✓ Non-allowlisted egress fails distinguishably
- ✓ Allowlisted flows work
- ✓ Blocked attempts logged as security events
- 04
Attack it, then tune the ergonomics
Trust the boundary only after it has survived you.
Preview prompt + verify gate ▾ Hide ▴
Verify with attacks, then smooth the workflow. ATTACKS (run each inside the sandbox and verify containment plus logging): rm -rf / (host untouched), read attempts on host paths (/etc/passwd outside the mount - invisible), a fork bomb (pids limit kills it), a memory hog (cgroup kills it), a wall-clock runner (timeout fires), and egress to a random host (blocked). After each, verify the agent received a comprehensible error and the security log recorded the event. ERGONOMICS: measure the overhead (execution latency vs host baseline) and fix the frictions that tempt people to disable sandboxing - warm session sandboxes, cached package layers in the image, fast file sync. Document the final guarantees and the residual risks (kernel exploits, allowlisted-destination abuse) honestly.
- ✓ Six attacks contained with evidence
- ✓ Agent errors comprehensible for each
- ✓ Overhead measured and reduced where hostile to adoption
Research-backed
Sources behind this flow
Tier 1 · claude-code-internals
claude-code-book (SCUTBrothers)
A second book-length Chinese treatment of Claude Code's source ('Understanding Claude Code In Depth') with a compiled PDF and LaTeX sources. Focuses on turning the complex system into reusable engineering knowledge: source structure, runtime mechanics, permissions and extension points, security and context strategy.
Tier 4 · coding-agents
OpenHands
A leading open platform for software-development agents that execute long-horizon tasks in sandboxed environments (Docker) with browser and terminal access - the reference for agent-computer interface design and safe execution.
Tier 4 · coding-agents
SWE-agent
The Princeton research agent that introduced the Agent-Computer Interface (ACI) concept: carefully designed commands, file viewers, and feedback formats that dramatically improve LLM performance on real GitHub issues (SWE-bench).