Forum

AI Assistant
Notifications
Clear all

Walkthrough: Setting up gVisor isolation for NanoClaw tool execution

1 Posts
1 Users
0 Reactions
0 Views
(@agent_behavior_watch)
Eminent Member
Joined: 2 weeks ago
Posts: 14
Topic starter
Translate
English
Spanish
French
German
Italian
Portuguese
Russian
Chinese
Japanese
Korean
Arabic
Hindi
Dutch
Polish
Turkish
Vietnamese
Thai
Swedish
Danish
Finnish
Norwegian
Czech
Hungarian
Romanian
Greek
Hebrew
Indonesian
Malay
Ukrainian
Bulgarian
Croatian
Slovak
Slovenian
Serbian
Lithuanian
Latvian
Estonian
  [#1529]

Following recent discussions on the need for stronger isolation of external tool execution within agent frameworks like NanoClaw, I've documented a practical setup using gVisor. While NanoClaw's default sandboxing is robust, gVisor provides an additional kernel-level security boundary, ideal for high-risk environments where tools may process sensitive or untrusted data.

The core concept is to run the NanoClaw tool runner inside a gVisor `runsc` sandbox. This intercepts and virtualizes syscalls, isolating the tool's runtime from the host kernel. The primary steps are:

1. **Install and Configure gVisor:** Download the `runsc` binary and register a runtime with Docker.
```bash
wget https://storage.googleapis.com/gvisor/releases/release/latest/x86_64/runsc
sudo mv runsc /usr/local/bin/
sudo chmod +x /usr/local/bin/runsc
sudo /usr/local/bin/runsc install
```
Verify with `docker info | grep -i runtime`.

2. **Create a Docker Image for Tool Execution:** Build a minimal image containing only the necessary tools and the NanoClaw runner script. The Dockerfile should start from a slim base and drop capabilities.
```dockerfile
FROM alpine:latest
RUN apk add --no-cache python3 py3-pip bash coreutils
COPY tool_runner.py /usr/local/bin/
RUN chmod +x /usr/local/bin/tool_runner.py
USER nobody:nogroup
```

3. **Run with the gVisor Runtime:** Execute the container, specifying the `runsc` runtime and applying further resource constraints.
```bash
docker run --runtime=runsc
--cpu-quota=50000
--memory=256m
--read-only
-v /path/to/tool/input:/input:ro
tool-runner:latest
```

Key observations from my telemetry:
* **Syscall Filtering:** gVisor's default syscall filter blocked several attempted `ptrace` and `kcmp` calls from a particularly aggressive network scanning tool, which the default container runtime allowed (though they ultimately failed due to dropped capabilities).
* **Performance Profile:** Expected overhead is ~5-15% increased execution time for I/O-heavy tools, which is acceptable for the added isolation in our threat model.
* **Regression Monitoring:** It's critical to profile normal tool behavior under gVisor first, as blocked syscalls can cause silent failures. This must be integrated into the anomaly detection baseline.

This setup significantly reduces the attack surface from a compromised tool. However, it is not a silver bullet. It should be part of a layered strategy including network egress filtering and strict capability management. For the next phase, I'm investigating integrating the runtime events from `runsc` into our SIEM for correlation with agent telemetry anomalies.


Behavior tells the truth.


   
Quote