
We’ve all encountered the nightmare scenario: an AI coding assistant, left unsandboxed, catastrophically deletes a user’s home directory. In response, many developers hastily deploy Docker containers as a safety net. But this approach introduces a critical flaw, one that Linux security experts have long warned about. Docker’s own documentation explicitly states: "The docker group grants root-level privileges to the user." While containers isolate the processes inside them, putting a developer’s account in the docker group erases the security boundary between that standard user and root—effectively trading one risk for another.

The Docker Dilemma

Granting standard users Docker privileges is equivalent to handing them unrestricted root capabilities. This creates a massive attack surface, especially when untrusted AI agents (like those in “vibe coding” tools) execute arbitrary code. Traditional sandboxing solutions either demand heavyweight virtualization or, as in Docker’s case, compromise fundamental security principles. Developers need lightweight, granular control—without nuclear options.

Enter Landlock: Linux’s Native Sandboxing

Linux’s Landlock framework offers a compelling alternative. Unlike the Docker approach, Landlock needs no privileged daemon or group membership: it is a kernel security module that lets an unprivileged process restrict its own filesystem access through a ruleset of per-path access rights (these are Landlock access rights, not Linux capabilities). It allows developers to define exactly which directories a process can access—with no need for elevated privileges. A new script demonstrates this using setpriv from util-linux (2.40 or newer, which added the Landlock options) to confine Google’s gemini-cli AI agent:

#!/bin/sh
# Landlock access rights as setpriv names them: a read/execute set and a read/write set.
RDIR=execute,read-file,read-dir
RWDIR=$RDIR,write-file,remove-dir,remove-file,make-dir,make-reg,make-sock,make-fifo,make-sym,refer,truncate

# The project directory is made writable below; refuse to let that be the whole home directory.
if [ "$PWD" = "$HOME" ]; then
    echo "Run this from your project directory only" >&2
    exit 1
fi

# The agent keeps its state here; it must exist before setpriv can open it for the rule.
mkdir -p "$HOME/.gemini"

# Every filesystem path not listed is denied. System paths are read/execute only;
# only ~/.gemini and the current project directory are writable.
setpriv \
  --landlock-access fs \
  --landlock-rule "path-beneath:$RWDIR:$HOME/.gemini" \
  --landlock-rule "path-beneath:$RDIR:/etc" \
  --landlock-rule "path-beneath:$RDIR:/bin" \
  --landlock-rule "path-beneath:$RDIR:/usr" \
  --landlock-rule "path-beneath:$RDIR:/lib" \
  --landlock-rule "path-beneath:$RWDIR:$PWD" \
  /usr/bin/gemini

How It Works

  • Granular Permissions: The script defines read/write rules (RDIR/RWDIR) for specific paths. The agent can only write to ~/.gemini and the current project directory ($PWD).
  • Critical Safeguards: Sensitive system paths (/etc, /bin, /usr, /lib) are granted read and execute access only, so the agent cannot modify them, and the script refuses to start when launched from $HOME so the whole home directory is never made writable.
  • No Root Required: Runs entirely within userland, leveraging Landlock’s kernel support (Linux 5.13+).
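To show what setpriv is doing with those rules, here is an added example (not code from the original article or from util-linux) that reimplements the `path-beneath:ACCESS:PATH` handling in C against the raw Landlock syscalls: parse the access-name list into a bitmask, create a ruleset, add one rule per path, then enforce it on the calling process. The `ll_*` names, the `ll_rule` struct and the ABI-version fallback are my own; the access-name spellings follow setpriv, and the bit values, struct layouts and syscall numbers follow the kernel's landlock.h.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdint.h>
#include <string.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <unistd.h>
/* Syscall numbers and ABI structs per include/uapi/linux/landlock.h, redeclared so this builds without it. */
#ifndef __NR_landlock_create_ruleset
#define __NR_landlock_create_ruleset 444
#define __NR_landlock_add_rule 445
#define __NR_landlock_restrict_self 446
#endif
struct ll_ruleset_attr { uint64_t handled_access_fs, handled_access_net; };
struct ll_path_beneath_attr { uint64_t allowed_access; int32_t parent_fd; } __attribute__((packed));
struct ll_rule { const char *access, *path; };  /* one "path-beneath:ACCESS:PATH" argument, pre-split */
static const char *const ll_fs_names[16] = { "execute", "write-file", "read-file", "read-dir",
    "remove-dir", "remove-file", "make-char", "make-dir", "make-reg", "make-sock", "make-fifo",
    "make-block", "make-sym", "refer", "truncate", "ioctl-dev" };  /* setpriv names, by LANDLOCK_ACCESS_FS_* bit */
/* "execute,read-file,read-dir" -> LANDLOCK_ACCESS_FS_* bitmask; 0 on any unknown name (fail closed). */
uint64_t ll_parse_access(const char *list) {
    char buf[256], *save, *tok; uint64_t mask = 0;
    if (!list || strlen(list) >= sizeof buf) return 0;
    strcpy(buf, list);
    for (tok = strtok_r(buf, ",", &save); tok; tok = strtok_r(NULL, ",", &save)) {
        int i = 0;
        while (i < 16 && strcmp(tok, ll_fs_names[i])) i++;
        if (i == 16) return 0;
        mask |= (uint64_t)1 << i;
    }
    return mask;
}
/* Handle every FS right this kernel's Landlock ABI knows, allow only the given path-beneath rules, then
 * enforce on this process (irreversible, inherited across fork/exec). Returns -1 if unsupported or a rule is bad. */
int ll_confine(const struct ll_rule *rules, size_t n) {
    long abi = syscall(__NR_landlock_create_ruleset, NULL, 0, 1);  /* LANDLOCK_CREATE_RULESET_VERSION */
    if (abi < 1) return -1;                                          /* no Landlock in this kernel */
    struct ll_ruleset_attr ra = { abi >= 5 ? 0xffff : abi >= 3 ? 0x7fff : abi >= 2 ? 0x3fff : 0x1fff, 0 };
    int rfd = (int)syscall(__NR_landlock_create_ruleset, &ra, sizeof ra, 0), err = rfd < 0;
    for (size_t i = 0; !err && i < n; i++) {
        struct ll_path_beneath_attr pb = { ll_parse_access(rules[i].access),
                                           open(rules[i].path, O_PATH | O_CLOEXEC) };
        err = pb.parent_fd < 0 || !pb.allowed_access ||
              syscall(__NR_landlock_add_rule, rfd, 1 /* LANDLOCK_RULE_PATH_BENEATH */, &pb, 0);
        if (pb.parent_fd >= 0) close(pb.parent_fd);
    }
    if (!err) err = prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) || syscall(__NR_landlock_restrict_self, rfd, 0);
    if (rfd >= 0) close(rfd);
    return err ? -1 : 0;
}
```

A launcher would fill an array of `ll_rule` with the script's six rules (for example `{"execute,read-file,read-dir", "/usr"}`), call `ll_confine()` and only then `execv()` the agent, which is the same order setpriv follows. Any path not covered by a rule is denied for every handled right, so a typo in a rule name fails closed rather than widening access.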

Limitations and Caveats

Landlock excels at filesystem isolation but doesn’t restrict networking, signals, or process interactions. As the original author cautions, never expose credentials or production data within the agent’s reach. This is a layer of defense—not a silver bullet.

The Bigger Picture for AI Development

As coding agents proliferate, secure sandboxing transitions from "nice-to-have" to non-negotiable. Landlock provides a lightweight, kernel-enforced alternative to bloated containers, aligning with zero-trust principles. For developers, it’s a reminder: true security demands precision tools—not just convenient ones.

Source: Landlock Your Vibe Coding (Gnoack.org)