zlacker

[return to "Sandboxing AI Agents in Linux"]
1. bigwhe+jQ[view] [source] 2026-02-03 21:14:12
>>speckx+(OP)
I use Leash [1] [2] for sandboxing my agents (to great effect!). I've been very happy with it, it provides strict policy-level control for all process-level + network-level activity, as well as full visibility and dynamic runtime controls via WebUI. Way better than bubblewrap imo.

I originally saw it here on HN and have been hooked ever since.

[1] Screenshot: https://camo.githubusercontent.com/99b9e199ffb820c27c4e977f2...

[2] https://github.com/strongdm/leash

Fun fact: Do you know what container / sandboxing system is in most widespread use? Not docker containers, certainly not bubblewrap, and not even full VMs or firecracker. It's Chrome tabs.

◧◩
2. necove+s71[view] [source] 2026-02-03 22:43:45
>>bigwhe+jQ
That's interesting, how does Chrome implement "sandboxing" in Windows and MacOS? For Linux, does it use the same underlying technology as Docker, Podman, LXD, LXC (cgroups, namespaces...)?

Or is a custom "sandboxing" implementation not relying on system level functions (eg. a VM with restricted functions)?

If the latter, I wonder if something like JRE or .NET CLR is still out there in larger numbers, but obviously, Chrome does have billions of users.

[go to top]