nono – kernel-enforced capability sandbox for AI agents

Sharing a tool I’ve been building to address the permissions problem with AI agents that often have unfettered shell access. I have been security engineer for a good many years now, previous to this I created sigstore, a project that provides software supply chain security for npm, Pypi, brew, maven and many other artifacts (containers, AI models). The problem: AI coding agents often run with full user permissions. Application-layer filters are bypassable – the LLM context window makes no structural distinction between instructions and data, so prompt injections invariably route around any guardrail that lives in the same process. Agents are goal, driven, so they find shortcuts somehow to achieve a specific outcome. nono enforces restrictions at the kernel level using Landlock (Linux 5.13+) and Seatbelt (macOS). Once applied, restrictions are irreversible from userspace. The model is deny-by-default: Filesystem: all paths blocked except explicit allow list Destructive commands: rm -rf, reboot, dd, chmod blocked unconditionally Sensitive paths: ~/.ssh, ~/.aws, ~/.gnupg, shell configs denied by default Symlink escape prevention: can’t follow symlinks out of allowed paths Credential exfiltration mitigation Child process inheritance: everything the agent spawns inherits the same restrictions Agent SSH git commit signing: cryptographic attribution of agent-authored commits ​ nono run –allow ./project — claude No containers, no VMs. Uses the OS security primitives directly. Interested in feedback on the threat model and any edge cases I should be thinking about. Repo: github.com/always-further/nono Apache 2.0, early alpha. Luke submitted by /u/DecodeBytes [link] [comments]Technical Information Security Content & DiscussionRead More