Docker Sandboxes are microVMs.

Basically due to many reasons, ld_preload, various containers standards, open desktop, current init systems, widespread behavior from containers images from projects, LSM limitations etc…

It is impossible to maintain isolation within an agentic environment, specifically within a specific UID, so the only real option is to leverage the isolation of a VM.

I was going to release a PoC related to bwrap/containers etc… but realized even with disclosure it wasn’t going to be fixed.

Makes me feel bad, but namespaces were never a security feature, and the tooling has suffered from various parties making locally optimal decisions and no mediation through a third party to drive the ecosystem as a whole.

If you are going to implement isolation for agents, I highly suggest you consider micro VMs.