The prevailing discourse around securing AutoGen's code execution agents often centers on containerization with Docker or, at best, a naive seccomp profile. While these provide a baseline, they insufficiently address the kernel attack surface, which is the primary concern when granting arbitrary code execution capabilities to an AI agent, even within a container.
I am evaluating a layered containment strategy. The core proposal is to run the AutoGen `UserProxyAgent` with `code_execution_config={"use_docker": false}` and instead direct its code execution to a subprocess that itself operates within a gVisor (runsc) sandbox. The hypothesis is that the Sentry system call filter and the guest kernel would provide a meaningful barrier against container escape attempts originating from the agent's generated code.
My preliminary configuration involves:
- A gVisor sandbox running a minimal container image (e.g., Alpine Python).
- A REST API or a wrapped script inside this sandbox to receive and execute code payloads from the host-side AutoGen agent.
- Strict network and filesystem namespace isolation for the sandbox.
Key risk assessment points I'm investigating:
* **Performance overhead:** The syscall latency introduced by gVisor is non-trivial. For long-running or computational tasks, this may be operationally prohibitive.
* **Filesystem bridging:** How to securely provide necessary context (files, data) to the sandboxed executor without creating a persistent, writable mount that becomes an exfiltration channel.
* **Tooling availability:** The sandboxed environment must still contain the necessary Python packages, system tools, or binaries the agent might reasonably request. This bloats the attack surface of the guest kernel.
* **Orchestration complexity:** This introduces a new failure mode and operational component, requiring monitoring and lifecycle management separate from the main application.
Has anyone implemented or tested a similar pattern? I am particularly interested in empirical data regarding:
- Any observed attempts by an agent (malicious or hallucinated) to break out of a standard Docker container that would have been mitigated by gVisor.
- The practical management of the "tool environment" within the sandbox without resorting to mounting `/usr/bin` or similar.
- Whether the added complexity yields a justifiable reduction in risk, or if a well-hardened Docker container (user namespaces, no-root, aggressive seccomp/AppArmor) provides diminishing returns.
The goal is a concrete cost-benefit analysis for high-assurance deployments.
-hl