Kernel-enforced sandbox App and SDK for AI agents, MCP and LLM workloads (github.com)

🤖 AI Summary
The announcement of "nono", a kernel-enforced sandbox application and SDK, is a notable development for securing AI agents and large language model (LLM) workloads. Created by the developer of Sigstore, the tool uses Linux's Landlock and macOS's Seatbelt to enforce restrictions at the syscall level, so that unauthorized actions are blocked by the kernel rather than by the agent's own logic. By blocking destructive commands before they execute and allowing file system access only where explicitly defined, nono addresses critical weaknesses related to prompt injection and permission escalation in AI systems. Key technical features include the ability to define a "CapabilitySet" for each session, which determines which resources an agent can access. This policy-free design means permissions are granted only as requested, and all child processes inherit the same restrictions. Runtime secrets are injected from the system keystore, minimizing the risk of credential leaks. While currently in alpha and not recommended for production use because of potentially undiscovered issues, nono offers a promising approach to safe deployment of AI agents, supporting compliance, forensics, and auditable tracking of the actions performed inside the sandbox.
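Landlock is the Linux mechanism the summary names. As an added example, not nono's code, the block below shows what a per-process filesystem capability set looks like when applied with the raw Landlock syscalls: a read-only view of the whole tree, write access only beneath one workspace directory, irrevocable once set and inherited by forked children. The helper names (`add_path_rule`, `sandbox_fs_restrict`, `probe_create`, `probe_create_in_child`) and the return-code enum are this example's own assumptions, not nono's API; it needs a Linux kernel with Landlock and `<linux/landlock.h>`, and reports `SBX_UNSUPPORTED` where the kernel or a seccomp profile does not allow it.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <linux/landlock.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <unistd.h>

enum { SBX_APPLIED = 0, SBX_UNSUPPORTED = 1, SBX_ERROR = -1 };
/* Landlock ABI v1 rights only, so any kernel that has Landlock accepts the ruleset. */
#define RO_RIGHTS (LANDLOCK_ACCESS_FS_READ_FILE | LANDLOCK_ACCESS_FS_READ_DIR | LANDLOCK_ACCESS_FS_EXECUTE)
#define RW_RIGHTS (RO_RIGHTS | LANDLOCK_ACCESS_FS_WRITE_FILE | LANDLOCK_ACCESS_FS_MAKE_REG | LANDLOCK_ACCESS_FS_MAKE_DIR)

/* Grant `rights` on everything beneath `path` (hypothetical helper, not nono's API). */
static int add_path_rule(int ruleset_fd, const char *path, __u64 rights) {
    struct landlock_path_beneath_attr pb = { .allowed_access = rights };
    if ((pb.parent_fd = open(path, O_PATH | O_CLOEXEC)) < 0) return -1;
    int rc = (int)syscall(SYS_landlock_add_rule, ruleset_fd, LANDLOCK_RULE_PATH_BENEATH, &pb, 0);
    close(pb.parent_fd);
    return rc;
}
/* Read-only tree, writes only beneath `writable_dir`; irrevocable and inherited by children. */
int sandbox_fs_restrict(const char *writable_dir) {
    struct landlock_ruleset_attr attr = { .handled_access_fs = RW_RIGHTS };
    int fd = (int)syscall(SYS_landlock_create_ruleset, &attr, sizeof attr, 0);
    if (fd < 0) /* kernel without Landlock, disabled at boot, or syscall blocked by seccomp */
        return (errno == ENOSYS || errno == EOPNOTSUPP || errno == EPERM) ? SBX_UNSUPPORTED : SBX_ERROR;
    int ok = add_path_rule(fd, "/", RO_RIGHTS) == 0 && add_path_rule(fd, writable_dir, RW_RIGHTS) == 0 &&
             prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) == 0 && syscall(SYS_landlock_restrict_self, fd, 0) == 0;
    close(fd);
    return ok ? SBX_APPLIED : SBX_ERROR;
}
/* Try to create a file: 0 on success, otherwise errno (EACCES once Landlock denies it). */
int probe_create(const char *path) {
    int fd = open(path, O_WRONLY | O_CREAT | O_CLOEXEC, 0600);
    if (fd < 0) return errno;
    close(fd); return 0;
}
/* Same probe from a forked child: the denial is inherited, not something the child opts into. */
int probe_create_in_child(const char *path) {
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) _exit(probe_create(path) & 0xff);
    int status = 0;
    return (waitpid(pid, &status, 0) == pid && WIFEXITED(status)) ? WEXITSTATUS(status) : -1;
}
```

Call `sandbox_fs_restrict(workspace)` once, before spawning the agent or tool process; anything it then forks or execs can still read the tree but gets EACCES on any write outside the workspace.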