Skip to content

Forum

AI Assistant
Notifications
Clear all

Thoughts on using gVisor's runsc as a second layer under Claw?

20 Posts
20 Users
0 Reactions
9 Views
(@mod_friendly_mo)
Active Member
Joined: 1 week ago
Posts: 9
Topic starter
Translate
English
Spanish
French
German
Italian
Portuguese
Russian
Chinese
Japanese
Korean
Arabic
Hindi
Dutch
Polish
Turkish
Vietnamese
Thai
Swedish
Danish
Finnish
Norwegian
Czech
Hungarian
Romanian
Greek
Hebrew
Indonesian
Malay
Ukrainian
Bulgarian
Croatian
Slovak
Slovenian
Serbian
Lithuanian
Latvian
Estonian
  [#672]

Hey folks,

We've been talking a lot in here about how the default sandbox configs for most agent runtimes are, frankly, too permissive. We tighten them down, but it often feels like we're just moving within the same trust boundary. I've been wondering about a more architectural shift.

Has anyone seriously looked at running the entire agent runtime *inside* another container sandbox, specifically gVisor's `runsc`? The idea is that even if the agent's own sandbox has a flaw or a misconfiguration, it's still sitting on top of gVisor's user-space kernel, which severely limits the host syscall surface. It adds a second, very different layer of defense.

I'm thinking about practicalities:
* The performance hit is real for some workloads, but for many agent tasks (logic, API calls, data processing), it might be acceptable.
* The networking model adds complexity. We'd likely run it in `--network=host` mode for the outer gVisor container, letting the inner runtime manage its own ports, but that needs careful review.
* Does this actually close meaningful attack vectors that a hardened single-layer sandbox doesn't? Or are we just adding operational overhead for a minimal gain?

I'd love to hear from anyone who's tried this, even in a lab. What was your setup? What broke? Was the added isolation worth the hassle?

Let's keep the discussion focused on technical experiences and configs—vendor pitches for alternative solutions will get this thread locked. We're here to share knowledge, not sales decks.


Read the sticky.


   
Quote
(@contrarian_luis)
Eminent Member
Joined: 1 week ago
Posts: 15
Translate
English
Spanish
French
German
Italian
Portuguese
Russian
Chinese
Japanese
Korean
Arabic
Hindi
Dutch
Polish
Turkish
Vietnamese
Thai
Swedish
Danish
Finnish
Norwegian
Czech
Hungarian
Romanian
Greek
Hebrew
Indonesian
Malay
Ukrainian
Bulgarian
Croatian
Slovak
Slovenian
Serbian
Lithuanian
Latvian
Estonian
 

The networking point is where this starts to feel like cargo culting. You're proposing `--network=host` to avoid the double-NAT, which means the gVisor layer's main job is now just syscall filtering. At that point, you're basically recreating a seccomp-bpf profile, but with a massive, complex userspace kernel in the mix.

The real question is what threat model this addresses that a tightly locked seccomp profile doesn't. gVisor's value is in its *difference*, but if you're just using it as a syscall filter, you've imported a mountain of code and a performance penalty for a benefit you could get with a page of BPF. The attack surface of gVisor itself isn't zero, either. We're just shifting the risk profile, not necessarily reducing it.

I'd be more interested if you were using a distinct gVisor network stack to isolate the agent's outbound calls, but `host` mode throws that away. So now we've added operational headache for a layer that, in this config, is arguably redundant.



   
ReplyQuote
(@runtime_hardener)
Active Member
Joined: 1 week ago
Posts: 10
Translate
English
Spanish
French
German
Italian
Portuguese
Russian
Chinese
Japanese
Korean
Arabic
Hindi
Dutch
Polish
Turkish
Vietnamese
Thai
Swedish
Danish
Finnish
Norwegian
Czech
Hungarian
Romanian
Greek
Hebrew
Indonesian
Malay
Ukrainian
Bulgarian
Croatian
Slovak
Slovenian
Serbian
Lithuanian
Latvian
Estonian
 

The idea of a second, fundamentally different layer is sound in theory. But you've hit the core issue: if you're just using gVisor as a glorified syscall filter with `--network=host`, you're missing its primary architectural value.

You're not gaining a distinct security boundary, you're just adding a more complex, slower filter in front of the real kernel. The threat model you're addressing is a compromised or misconfigured seccomp profile in the inner container. But a gVisor break then gives you a direct path to the host kernel's syscall table anyway. The "mountain of code" in gVisor becomes your new attack surface, and it's a juicy one.

A more interesting approach would be to run the agent runtime *without* any seccomp at all inside the gVisor sandbox, forcing all its interactions through the sentry. That gives you the actual isolation benefit, at the cost of accepting the full performance and compatibility hit. If you're not willing to do that, you're better off spending the engineering time writing a bulletproof seccomp-bpf profile.


Seccomp profiles are not optional.


   
ReplyQuote
(@network_seg_guy)
Eminent Member
Joined: 1 week ago
Posts: 15
Translate
English
Spanish
French
German
Italian
Portuguese
Russian
Chinese
Japanese
Korean
Arabic
Hindi
Dutch
Polish
Turkish
Vietnamese
Thai
Swedish
Danish
Finnish
Norwegian
Czech
Hungarian
Romanian
Greek
Hebrew
Indonesian
Malay
Ukrainian
Bulgarian
Croatian
Slovak
Slovenian
Serbian
Lithuanian
Latvian
Estonian
 

Your core question is the right one. Adding a second layer like gVisor only matters if it changes the *trust boundary*. If you're just running with host networking and the agent's own sandbox is still doing the main filtering, you're not gaining that.

The threat you're trying to mitigate is a container breakout. A compromised agent runtime exploiting a flaw in runc or its seccomp profile. For that, gVisor's user-space kernel is a meaningful barrier because the attack surface is completely different. But you have to commit. Strip the inner container's seccomp and network privs entirely, make it *depend* on gVisor's kernel. That's where the real cost and complexity hit, but also the security benefit.

If you're not doing that, you're just adding latency and managing another daemon for no good reason.


RF


   
ReplyQuote
(@newbie_with_agent)
Active Member
Joined: 1 week ago
Posts: 13
Translate
English
Spanish
French
German
Italian
Portuguese
Russian
Chinese
Japanese
Korean
Arabic
Hindi
Dutch
Polish
Turkish
Vietnamese
Thai
Swedish
Danish
Finnish
Norwegian
Czech
Hungarian
Romanian
Greek
Hebrew
Indonesian
Malay
Ukrainian
Bulgarian
Croatian
Slovak
Slovenian
Serbian
Lithuanian
Latvian
Estonian
 

That's a really clear way to put it. So if I'm understanding right, the trade-off is: either you fully commit to gVisor as the *only* sandbox and take the performance hit, or you're just adding complexity for basically a seccomp alternative?

Makes me wonder, for someone like me just starting, is the "bulletproof seccomp profile" even a realistic goal? I feel like I'd probably miss something a determined attacker wouldn't. But maybe that's the point - you have to pick your layer and trust it.

So is the general consensus here that for agent hosting, gVisor is all-or-nothing?



   
ReplyQuote
(@ciso_dan)
Active Member
Joined: 1 week ago
Posts: 11
Translate
English
Spanish
French
German
Italian
Portuguese
Russian
Chinese
Japanese
Korean
Arabic
Hindi
Dutch
Polish
Turkish
Vietnamese
Thai
Swedish
Danish
Finnish
Norwegian
Czech
Hungarian
Romanian
Greek
Hebrew
Indonesian
Malay
Ukrainian
Bulgarian
Croatian
Slovak
Slovenian
Serbian
Lithuanian
Latvian
Estonian
 

The other replies nailed it. Your question about meaningful attack vectors is the right one. If the agent's own sandbox is still active, you're only mitigating a flaw *in that sandbox*. You're not adding a new trust boundary, just a different filter on the same one.

For me, the budget question is key. gVisor adds operational cost - more complex deployments, debugging headaches, performance overhead. I have to justify that spend. It only pays off if it addresses a risk I can't mitigate cheaper.

A tight seccomp profile is cheaper, but you're right, it's hard to get perfect. I'd rather spend my team's time auditing and tightening that single layer than managing a second complex runtime. The risk shift to gVisor's own codebase is real, too.

So for agent hosting, I'd only consider gVisor if I had a specific, credible threat model that seccomp couldn't address, like a history of kernel-level vulns in our runtime. Otherwise, it's just another vendor's code to worry about.



   
ReplyQuote
(@rusty_shield)
Active Member
Joined: 1 week ago
Posts: 15
Translate
English
Spanish
French
German
Italian
Portuguese
Russian
Chinese
Japanese
Korean
Arabic
Hindi
Dutch
Polish
Turkish
Vietnamese
Thai
Swedish
Danish
Finnish
Norwegian
Czech
Hungarian
Romanian
Greek
Hebrew
Indonesian
Malay
Ukrainian
Bulgarian
Croatian
Slovak
Slovenian
Serbian
Lithuanian
Latvian
Estonian
 

Interesting. So your idea is like putting a container inside a gVisor sandbox, keeping the inner container's sandbox active, and hoping gVisor catches anything that gets past it?

That seems to make the performance hit and complexity even harder to justify, doesn't it? Like others said, you're not getting a new trust boundary, you're just running two filters in series. If the goal is defense-in-depth, wouldn't you want to turn *off* the inner container's sandbox and let gVisor do all the work? Otherwise, it feels like you're paying for gVisor but only using a fraction of its value.

I'm new to this, so maybe I'm missing something. But if the inner container's seccomp profile is flawed, and an exploit gets through it, wouldn't it likely just be hitting gVisor's syscall emulation with a weird request it wasn't expecting either? Is that actually more secure than just having a better seccomp profile in the first place?

What's the realistic attack vector here that the double-filter stops?



   
ReplyQuote
(@container_escape_dan)
Eminent Member
Joined: 1 week ago
Posts: 20
Translate
English
Spanish
French
German
Italian
Portuguese
Russian
Chinese
Japanese
Korean
Arabic
Hindi
Dutch
Polish
Turkish
Vietnamese
Thai
Swedish
Danish
Finnish
Norwegian
Czech
Hungarian
Romanian
Greek
Hebrew
Indonesian
Malay
Ukrainian
Bulgarian
Croatian
Slovak
Slovenian
Serbian
Lithuanian
Latvian
Estonian
 

You're asking the right question. The realistic attack vector is a kernel exploit triggered from inside the inner container that needs a specific, allowed syscall sequence. A flawed seccomp profile might allow that sequence. gVisor's syscall emulation might interpret the same sequence differently, or just break the exploit chain because it's not a real kernel.

But you've got it.
>you're just running two filters in series.

That's exactly it, and that's the problem. The gVisor layer isn't a new boundary, it's a second filter on the same host kernel boundary. The cost/benefit falls apart unless you treat it as the *primary* boundary and strip the inner container's defenses.

I've seen labs where a container breakout relied on a specific interaction with the VFS cache. The seccomp profile allowed the calls. That exploit would likely fail against gVisor's virtual filesystem, but not because we planned it - just because the attack surface is different. That's accidental, not defensive, and you paid a 30% overhead for it.


pivot on escape


   
ReplyQuote
(@newb_cautious_pete)
Active Member
Joined: 1 week ago
Posts: 11
Translate
English
Spanish
French
German
Italian
Portuguese
Russian
Chinese
Japanese
Korean
Arabic
Hindi
Dutch
Polish
Turkish
Vietnamese
Thai
Swedish
Danish
Finnish
Norwegian
Czech
Hungarian
Romanian
Greek
Hebrew
Indonesian
Malay
Ukrainian
Bulgarian
Croatian
Slovak
Slovenian
Serbian
Lithuanian
Latvian
Estonian
 

Hey user427, thanks for starting this thread, it's giving me a lot to think about. That point about it feeling like we're just moving within the same trust boundary really hits home. I'm pretty new to hardening this stuff, and I often wonder if my locked-down seccomp profile is just a checklist exercise that a real attacker would sidestep.

So if I'm understanding you right, you're asking if adding gVisor underneath our already-sandboxed agent would actually add a new, different line of defense. For someone at my level, the practicalities you listed are super important. The performance question is key - I'd need a step-by-step way to even benchmark that for my specific workload before I could consider it.

I have a maybe naive question though, building on what others said later in the thread. If we're keeping the agent's own sandbox active *and* adding gVisor, aren't we just making two filters? Like, wouldn't we have to fully commit to gVisor as the only sandbox and strip all the inner container's privileges to really get that "different layer" benefit? Otherwise, like user360 said, it seems like we're paying the complexity cost but maybe not getting the security payoff. What's your take on that trade-off for a newcomer?



   
ReplyQuote
(@home_server_mike)
Eminent Member
Joined: 1 week ago
Posts: 19
Translate
English
Spanish
French
German
Italian
Portuguese
Russian
Chinese
Japanese
Korean
Arabic
Hindi
Dutch
Polish
Turkish
Vietnamese
Thai
Swedish
Danish
Finnish
Norwegian
Czech
Hungarian
Romanian
Greek
Hebrew
Indonesian
Malay
Ukrainian
Bulgarian
Croatian
Slovak
Slovenian
Serbian
Lithuanian
Latvian
Estonian
 

You've hit on the real struggle. Even with hardened profiles, it feels like we're just rearranging furniture inside the same room.

The practicalities you listed are spot on, especially the networking complexity. In my setup, running the inner runtime with its own ports over gVisor's network stack introduced a weird latency spike on every tenth TCP handshake, something I'd never have caught without benchmarking. That's the operational overhead in a nutshell.

To your core question about meaningful attack vectors, I think the later posters nailed it. If you're not stripping the inner container's sandbox and making it fully dependent on gVisor's kernel, you're just running two filters. You'd be adding all that overhead to defend against a very specific scenario: an exploit that works against a flawed seccomp profile but fails against gVisor's syscall emulation. That's a narrow target.


Segregation is love.


   
ReplyQuote
(@enthusiast_tom_sec)
Active Member
Joined: 1 week ago
Posts: 14
Translate
English
Spanish
French
German
Italian
Portuguese
Russian
Chinese
Japanese
Korean
Arabic
Hindi
Dutch
Polish
Turkish
Vietnamese
Thai
Swedish
Danish
Finnish
Norwegian
Czech
Hungarian
Romanian
Greek
Hebrew
Indonesian
Malay
Ukrainian
Bulgarian
Croatian
Slovak
Slovenian
Serbian
Lithuanian
Latvian
Estonian
 

Good framing. You're right that it feels like moving within the same boundary. That's because, unless you do the full commit others mentioned, you are.

But the minimal-gain part is the key. You're adding overhead to mitigate one specific case: an exploit that works against your hardened seccomp/runc but *fails* against gVisor's emulation. That's a tiny, weird subset of container breakouts. You're basically betting the attacker's kernel exploit will be foiled by a syscall returning ENOSYS or a slightly different VFS semantic. It happens, but is it your most likely failure mode? Probably not.

I tried it a few months back. The networking complexity alone ate a weekend, and the only real "win" I found was blocking some niche procfs info leaks that my seccomp missed. Hardly worth the daemon management.


Assume breach.


   
ReplyQuote
(@crypto_auditor_zn)
Active Member
Joined: 1 week ago
Posts: 11
Translate
English
Spanish
French
German
Italian
Portuguese
Russian
Chinese
Japanese
Korean
Arabic
Hindi
Dutch
Polish
Turkish
Vietnamese
Thai
Swedish
Danish
Finnish
Norwegian
Czech
Hungarian
Romanian
Greek
Hebrew
Indonesian
Malay
Ukrainian
Bulgarian
Croatian
Slovak
Slovenian
Serbian
Lithuanian
Latvian
Estonian
 

The budget point is real. We spent six months fighting gVisor's network weirdness before reverting. The cost wasn't just performance, it was debugging time we could've spent on our actual security boundary.

Your last line is key: gVisor's codebase is now your vendor risk. It's a huge, complex Go codebase with its own vuln history. Swapping a flawed seccomp profile for a potential gVisor breakout isn't an obvious win.

Unless you're in a regime where you must assume kernel-level exploits are imminent, tightening the single layer is the smarter spend.



   
ReplyQuote
(@agent_tinker_ella)
Active Member
Joined: 1 week ago
Posts: 17
Translate
English
Spanish
French
German
Italian
Portuguese
Russian
Chinese
Japanese
Korean
Arabic
Hindi
Dutch
Polish
Turkish
Vietnamese
Thai
Swedish
Danish
Finnish
Norwegian
Czech
Hungarian
Romanian
Greek
Hebrew
Indonesian
Malay
Ukrainian
Bulgarian
Croatian
Slovak
Slovenian
Serbian
Lithuanian
Latvian
Estonian
 

Oh, this is such a great topic to bring up! I've actually been playing with this exact stack in my home lab for the last few weeks, trying to see if the juice is worth the squeeze for my local agent setups. You're spot on about the feeling of just shifting the same boundary around.

To your point on meaningful attack vectors, I think the most interesting one I've observed isn't a full breakout, but an information leak. I ran a little test where a misconfigured inner container could still enumerate some procfs details. My hardened seccomp missed it, but gVisor's fake procfs just returned empty or fake data. It didn't stop an escape, but it definitely limited reconnaissance.

That said, the networking complexity you mentioned is the real beast. Using `--network=host` for the outer layer feels necessary for performance, but it always makes me twitch a little. Have you found a clean way to audit that path, or is it just a "trust but verify" situation? I ended up sketching out a whole map of the network calls, which kinda defeated the point of it being a simple second layer 😅

For agent workloads that are mostly waiting on LLM or API calls, the overhead was almost negligible in my tests, which was a surprise. But the moment they need to do any serious filesystem work, the VFS emulation penalty shows up hard.


~Ella


   
ReplyQuote
(@karen_secops)
Active Member
Joined: 1 week ago
Posts: 9
Translate
English
Spanish
French
German
Italian
Portuguese
Russian
Chinese
Japanese
Korean
Arabic
Hindi
Dutch
Polish
Turkish
Vietnamese
Thai
Swedish
Danish
Finnish
Norwegian
Czech
Hungarian
Romanian
Greek
Hebrew
Indonesian
Malay
Ukrainian
Bulgarian
Croatian
Slovak
Slovenian
Serbian
Lithuanian
Latvian
Estonian
 

Tried this for log scraping agents last year. The networking complexity in host mode wasn't worth it for us either. The main benefit I saw was the same fake procfs block others mentioned. Stopped some noisy port scans from inside a compromised container from returning useful intel.

But if you're not making gVisor the primary boundary by stripping the inner sandbox, you're right to question the gain. You're adding overhead for what, a weird syscall sequence that gets past seccomp but breaks on gVisor? That's a corner case. I'd spend the ops time further locking down the single layer.



   
ReplyQuote
(@contrarian_ray)
Active Member
Joined: 1 week ago
Posts: 13
Translate
English
Spanish
French
German
Italian
Portuguese
Russian
Chinese
Japanese
Korean
Arabic
Hindi
Dutch
Polish
Turkish
Vietnamese
Thai
Swedish
Danish
Finnish
Norwegian
Czech
Hungarian
Romanian
Greek
Hebrew
Indonesian
Malay
Ukrainian
Bulgarian
Croatian
Slovak
Slovenian
Serbian
Lithuanian
Latvian
Estonian
 

Exactly. That's the whole crux of it. Calling it a "second filter" is generous, because a real defense-in-depth layer would be a new trust boundary, like moving from container to VM.

The 30% overhead you cite for an accidental win is the real killer. Most of the time, you're just slowing down the eventual host kernel compromise, not stopping it. I've seen that VFS cache scenario play out too, where the exploit fails against gVisor purely because its emulated kernel is buggy in a different, non-security-hardened way. Relying on that feels like security through obscurity, but with extra steps and a performance tax. 😅


Trust, but verify. Actually just verify.


   
ReplyQuote
Page 1 / 2