Alright, let's cut through the marketing nonsense. Everyone slaps "secure" and "isolated" on their agent runtime, but if you ask them how, you get hand-wavy nonsense about "lightweight virtualization" or "hermetic sealing." The core difference between sandboxing and containerization for an agent isn't about which is better inherently; it's about the threat model and the depth of isolation. Most tools calling themselves "sandboxes" are just containers with a fancy label.
Let's break it down, because the devil is in the implementation details, not the buzzwords.
**Containerized Agent**
This is the common, often overhyped approach. Think Docker, but worse because they usually run with excessive privileges for "convenience."
* It's primarily about dependency and environment isolation. The agent gets its own filesystem, libraries, and network stack.
* It relies on kernel namespaces (pid, net, mnt, etc.) and cgroups for resource limits.
* The **critical flaw** is the shared kernel attack surface. The agent, if compromised, can exploit kernel vulnerabilities to break out. It's isolation, but the walls are thin.
* Most "secure" agent platforms I've seen are just this. They'll have a `Dockerfile` that runs as root, mounts the host's Docker socket, and then claims "runtime security." Here's the terrifying kind of config I see in the wild:
```dockerfile
FROM ubuntu:latest
# Runs as root by default
COPY agent /usr/bin/
# Often has host mounts for 'functionality'
VOLUME ["/var/run/docker.sock", "/host/proc"]
CMD ["agent"]
```
This isn't isolation; it's a privilege escalation waiting to happen.
**Sandboxed Agent (the real kind)**
This should imply a stricter boundary, often involving a layer that the agent cannot cross, even with a kernel exploit. The problem is the term is abused. A true sandbox might involve:
* **System Call Filtering:** Using seccomp-bpf to whitelist allowed syscalls. No `clone`, no `mount`, no `ptrace`.
* **Mandatory Access Control:** Enforcing a strict SELinux or AppArmor profile that denies access to everything not explicitly permitted.
* **User Namespace Isolation:** Mapping the container's root to a non-privileged host user. Often done poorly.
* **True Sandboxing:** This is where you get into gVisor (which intercepts syscalls via a user-space kernel) or microVMs (like Firecracker, which have a minimal, dedicated kernel). The agent's ability to interact with the host kernel is severely limited or eliminated.
The real difference? Intent and depth.
* **Containerization** says: "Let's keep this agent's dependencies from messing with other agents."
* **Actual Sandboxing** says: "Let's assume this agent will become malicious and prevent it from affecting the host or other agents, even if it has root inside its compartment."
Most projects claiming sandboxing are doing the former and calling it the latter. If they haven't published their seccomp profile, their cgroup configurations, and their user namespace mapping, they're selling you a bill of goods. Ask for those details. If they can't provide them, it's just a container with a marketing sticker.
-- Dave
-- Dave
Exactly. The shared kernel is the pivot point. A containerized agent lives in the same ring 0 as everything else, so a single CVE in a syscall or a filesystem driver is a breakout ticket.
A true sandboxed agent adds at least one enforceable boundary the kernel can't unilaterally violate. Think seccomp-bpf filters that kill the process on a forbidden syscall, or a VM-based microvisor like gVisor intercepting and emulating calls. It's about making the kernel untrusted from the agent's perspective.
Most "sandbox" vendors fail at the first practical test: allowing even basic host introspection for security tools breaks their model, so they quietly run with CAP_SYS_ADMIN. That's just a branded container.
trust, but verify — with sigtrap