Kernel-enforced sandbox App and SDK for AI agents, MCP and LLM workloads

Kernel-enforced sandbox App and SDK for AI agents, MCP and LLM workloads(github.com)

2 points by decodebytes 88 days ago | 2 comments

ratnaditya 84 days ago |

The kernel-level approach is the right answer for protecting the host from the agent — landlock and seatbelt give you deterministic enforcement that the LLM can't reason its way around. What I find interesting is the complementary layer above this: even with a perfect sandbox, you still need application-level policy for what the agent is allowed to do within its permitted scope. A sandboxed agent can still send all your emails or delete all your files if those operations are within its allowed syscalls. The two layers solve different problems and both seem necessary.

decodebytes 88 days ago |

Hey HN

Luke here.

I wanted to introduce a project I have building for the past few weeks in response to events such as openclaw and the glaring security issues at hand. Prior to nono, I created Sigstore , a project used for software supply chain security now used by pypi, npm, brew and GitHub for release attestation and provence.

The problem: Protecting the host from the agent is largely solved, microVMs (kata, firecracker), containers , nono is more focused on protecting the environment or workspace itself - having said that, the isolation controls from the host are pretty solid as we use landlock and seatbelt.

nono uses OS-level isolation, atomic snapshots, and command auditing, secret / token protections (using keychain on linux and the secure enclave chip on apple)

Linux: Landlock LSM (kernel 5.13+) macOS: Seatbelt (sandbox_init) After sandbox + exec(), there's no syscall to expand permissions. The kernel says no.

Filesystem: read/write/allow per directory or file Network: block entirely (per-host filtering planned)

Atomic Rollbacks: Content-addressable storage — Files are stored by SHA-256 hash. Identical content is never duplicated, keeping storage efficient even across long sessions with many reverts — Every snapshot is committed to a Merkle tree. Tampering or corruption becomes more easily detectable

Audit trail of commands: nono automatically generates a cryptographically verifiable audit trail of every file change made by a sandboxed AI agent.

SDKs. We have two SDKs releasing soon using FFI bindings, python and typescript to allow uses to easily implement nono features into their own code base.

Technical details:

Written in Rust. Uses the landlock crate on Linux, raw FFI to sandbox_init() on macOS. Secrets via keyring crate. All paths canonicalized at grant time to prevent symlink escapes.

Landlock ABI v4+ gives us TCP port filtering. Older kernels fall back to full network allow/deny. macOS Seatbelt profiles are generated dynamically as Scheme-like DSL strings.

Limitations:

Network is binary, on or off - plans are in place to introduce IP filtering.

GitHub: https://github.com/always-further/nono Docs: https://docs.nono.dev Site: https://noto.sh

Apache 2.0. Would love feedback!