Cong Wang

🚀 sandlock 0.8.0 is out, with run_with_handlers(). sandlock is a lightweight, unprivileged Linux process sandbox (built on Landlock + seccomp). The new API lets you register your own seccomp user-notification handlers, so you can virtualize syscalls for a sandboxed process from ordinary application code, no kernel module and no privileged setup. To show what that unlocks, this release includes a single self-contained Python file that gives a sandboxed program a read-only, S3-backed view of its filesystem. The program just calls open("/s3/...") and os.stat("/s3/...") and reads objects straight from an object store. No FUSE. No daemon. No mount. No privilege. Why do this with syscall handlers instead of a FUSE mount? ✅ No daemon to kill. A FUSE filesystem is a daemon sitting next to your workload. If you are running an untrusted agent, it can signal that daemon to take the filesystem down, or (same user, ptrace allowed) attach to it and read your cloud credentials out of its memory. sandlock's supervisor is the agent's parent, outside the sandbox, unreachable from inside it, and it fails closed. ✅ No mount, no CAP_SYS_ADMIN, no /dev/fuse. It works in the most locked-down unprivileged container, where you often cannot mount FUSE at all. ✅ One policy point for everything. The same supervisor already mediates files, network, process creation, and memory. Object storage becomes just one more handler, with one audit log, instead of a separate mechanism bolted on per resource. ✅ Programmable and private. Decisions can depend on who is asking (pid, argv, open flags), and nothing lands on disk: bytes are served from an in-memory fd, not a local cache directory. This is built for the execute-only-agents model: giving an untrusted AI agent a controlled view of exactly the resources you choose, with an enforcer it cannot reach. Take a look: 📖 Extension handlers guide: https://t.co/owlpT8KTiP 🧩 Full S3 example (openat + statx + newfstatat handlers): https://t.co/N6NLfKyuSG ⭐ Project and 0.8.0 release: https://t.co/ZrArsD89s1 #Linux #Security #Sandboxing #seccomp #Landlock #AIAgents #CloudSecurity #OpenSource #Rust #Python

Introducing KBI: Packaging Linux Kernels as OCI Artifacts Excited to announce KBI (Kernel Bundle Image), an open-source tool that packages Linux kernels as standard OCI artifacts. As part of our Multikernel work, we needed a clean way to package, distribute, and manage kernel artifacts independently from the OS. That is KBI. The problem it solves: today the kernel is embedded inside OS images, tangled with the root filesystem. Updating the kernel means rebuilding the entire image. Kernel modules and eBPF programs have no formal way to declare or verify compatibility. The kernel has no independent lifecycle. KBI changes this by treating the kernel as a first-class, independently versioned artifact. What it does: - Packages kernel artifacts (vmlinuz, modules, config, BTF, initrd, firmware) into a single OCI image with typed layers and structured metadata - Computes a deterministic Kernel Build Identity (KBI ID) from kernel content, enabling explicit compatibility binding - Supports ModulePacks and BPF Packs for out-of-tree kernel extensions, with build-time validation of module compatibility via vermagic and BTF verification - Works with any OCI-compliant registry: Docker Hub, GHCR, Quay, ECR, Harbor - Installs to bare metal or VM filesystem layouts The core idea: a kernel is a governed resource, not an implicit dependency. It deserves its own packaging, versioning, distribution, and compatibility model. KBI is built in Go, licensed under Apache 2.0, and available now on GitHub: https://t.co/3tfIklVhww I would love to hear from anyone working on kernel management at scale, bootc/image-based Linux, or eBPF toolchains. Feedback and contributions are welcome. #linux #kernel #containers #oci #opensource #ebpf #infrastructure

Security Update: PraisonAI Now Ships with Sandlock Integration We are pleased to announce that PraisonAI is the first public project to adopt Sandlock, delivering kernel-level code isolation for AI agent execution and bringing enterprise-grade security to autonomous and LLM-generated code workflows. As AI agents increasingly execute untrusted, model-generated code in production environments, process-level sandboxing is no longer sufficient. PraisonAI's new SandlockSandbox leverages Sandlock to enforce isolation directly at the kernel, closing critical gaps that traditional subprocess sandboxes leave open. What this means for teams building with PraisonAI: 1. Kernel-enforced filesystem allowlisting, preventing unauthorized access to credentials, SSH keys, and system files. 2. System call filtering via seccomp-bpf, blocking dangerous operations before they reach the kernel. 3. Network isolation to prevent data exfiltration from agent-executed code. 4. Fine-grained resource limits across memory, CPU, processes, and execution time. 5. Approximately 5ms startup overhead, roughly 20x faster than Docker, with comparable security guarantees. 6. No root privileges required, enabling user-space security that deploys anywhere. 7. Drop-in replacement that implements the same SandboxProtocol as existing backends. SandlockSandbox is available today as an optional dependency via pip install "praisonai[sandbox]" and integrates seamlessly with existing Agent execution configurations. Teams running multi-tenant code runners, untrusted code evaluation pipelines, or agent-based automation can migrate with a single line change. This adoption reflects our continued commitment to building AI infrastructure that is production-ready, secure by default, and trusted by enterprise teams. Explore the integration and documentation in the PraisonAI repository: https://t.co/wdp258sy0n. #AIAgents #EnterpriseAI #Security #PraisonAI #Sandlock #Linux #DevSecOps

AI agent sandboxes got security wrong. Here's why. The industry is spending millions wrapping AI agents in containers and microVMs. But the threat model doesn't match the solution. 1. Agents aren't adversaries. They follow prompts. The real threat is prompt injection and accidental errors, not kernel exploits. You need policy, not a hypervisor. 2. Isolation isn't security. A Firecracker microVM can't stop an agent from reading your SSH key if you mounted it. What matters is what's accessible inside the sandbox, not whether it can escape. 3. You almost never needed root. Containers and microVMs require privileged infrastructure to create isolation. That privilege becomes the prize when isolation fails. An unprivileged sandbox has a strictly smaller attack surface. 4. One box for all tools is no security at all. If every tool shares the same permissions, the sandbox policy is the union of everything. Per-tool-call isolation is the only way to enforce least privilege. We built Sandlock to get this right: deny by default, allowlist by path, enforce at the kernel level, no root required. Process fork + Landlock confinement in under 1ms per tool call. Read the full analysis: https://t.co/f1q71L9rEu #AIAgents #Security #Linux #OpenSource #Infrastructure