Sandboxing Agents With Tools

[shishkin]

I'm trying nono sandboxing for local AI agents. One conceptual misunderstanding I have is that a single profile is applied to the parent agent process and then inherited for all sub-processes spawned by the agent. I would rather prefer to define fine-grained profiles for each agent tool instead of giving the agent itself all these capabilities.

A few examples:

• Deny direct network access to the agent, but allow to use npm to install packages from registry.npmjs.com.
• Deny writes to node_modules directly, but allow through npm.
• Deny access ~/.ssh, but allow ssh to use the key.
• Deny access to private user emails, but allow a custom script tool to read them.
• and so on...

I understand that a custom agent with nono SDK could apply specific profiles when starting tools. However, I wonder if this can be done in a declarative way. Also if I then start such an agent with minimal capabilities, will it be able to fork a tool process with additional capabilities it didn't have?

There is a related idea in #336, but I think that one goes more into manual confirmations rather than declarative per-tool profile.

[lukehinds]

Interesting you should mention as this is a WIP in PR #840

Under the hood: For each tool execution from within the child process, the supervisor creates an isolation tool execution within a new sandbox, as as the two have IPC, the supervisor passes back stdout/err etc to the child. It covers the exact examples you provided, in fact I demo'ed using NPM as an example (note the schema has improved since then)

https://files.catbox.moe/n7t2yi.mp4

[shishkin]

That's very cool. I'm very glad I found nono as it seem the most well-thought sandbox out there! Look forward to be able to test that PR once it gets past draft state.

[shishkin]

I especially liked profile syntax like:

"ssh": {
  "from": {
    "git": {}
  }
}

because it allows to have multiple profiles for ssh depending on who calls it. Also very good handling of interpreted shebang scripts! Thanks!

[lukehinds]

Thanks for the feedback, I think a week or two and I hope it will be released!