Adopt
AI agent sandboxing uses OS-level primitives (Landlock, seccomp, Seatbelt) and/or virtualization (containers, MicroVMs) to constrain what AI coding agents can do. Every major agent now ships with some form of sandboxing — OpenAI Codex uses Landlock + seccomp by default, Cursor uses Seatbelt/Landlock, and Claude Code uses filesystem + network isolation with seccomp BPF.
How Major Agents Handle It
| Agent | Sandboxing | Default Mode |
|---|---|---|
| OpenAI Codex CLI | Landlock + seccomp | Workspace-write (network disabled) |
| Cursor | Seatbelt (macOS) / Landlock (Linux) | Dynamic policy per workspace |
| Claude Code | Filesystem + network isolation + seccomp BPF | Specific directory access only |
| E2B | Firecracker MicroVMs | Per-execution VM (~150ms cold start) |
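The "workspace-write" mode from the table, expressed directly with Landlock, as an added example (not code from Codex, Cursor or Claude Code): the process grants itself read and execute rights everywhere, full rights only beneath the workspace directory, locks the ruleset in, and then execs the agent command. Assumed: Linux 5.13+ with the Landlock LSM enabled, glibc, x86_64 or aarch64, and a writable /tmp for the self-check; the ll_* names, the allow_beneath helper and the self-check are mine, not part of any project on this page.

```c
/* Added example, not code from Codex, Cursor or Claude Code: the "workspace-write"
 * policy expressed with Landlock. Read and execute are allowed everywhere;
 * create, write, delete and rename only beneath the workspace.
 * Assumes Linux 5.13+ with Landlock enabled; no root and no container needed. */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <linux/types.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <unistd.h>

/* Landlock UAPI (ABI v1 layout), copied so the build does not need <linux/landlock.h>. */
struct ll_ruleset_attr { __u64 handled_access_fs; };
struct ll_path_beneath { __u64 allowed_access; __s32 parent_fd; } __attribute__((packed));
#define LL_RULE_PATH_BENEATH 1
#define LL_CREATE_RULESET_VERSION 1U
#define LL_FS_READ_EXEC ((1ULL << 0) | (1ULL << 2) | (1ULL << 3)) /* execute, read_file, read_dir */
#define LL_FS_ALL_V1 ((1ULL << 13) - 1)  /* ...plus write, remove and make_* (every ABI v1 right) */
#define LL_FS_REFER (1ULL << 13)         /* ABI v2: rename/link across directories */
#define LL_FS_TRUNCATE (1ULL << 14)      /* ABI v3 */
#ifndef __NR_landlock_create_ruleset     /* same numbers on every architecture */
#define __NR_landlock_create_ruleset 444
#define __NR_landlock_add_rule 445
#define __NR_landlock_restrict_self 446
#endif

/* Grant `access` to everything beneath `path`. */
static int allow_beneath(int ruleset, const char *path, __u64 access) {
    struct ll_path_beneath pb = { .allowed_access = access, .parent_fd = open(path, O_PATH | O_CLOEXEC) };
    if (pb.parent_fd < 0) return -1;
    int rc = syscall(__NR_landlock_add_rule, ruleset, LL_RULE_PATH_BENEATH, &pb, 0);
    close(pb.parent_fd);
    return rc;
}

/* Confine the calling process and everything it later forks or execs.
 * 0 = restricted, 2 = Landlock unavailable here, -1 = error (including a missing workspace). */
static int restrict_fs(const char *workspace) {
    long abi = syscall(__NR_landlock_create_ruleset, NULL, 0, LL_CREATE_RULESET_VERSION);
    /* ENOSYS: old kernel; EOPNOTSUPP: LSM not enabled; EPERM: an outer seccomp policy blocks it */
    if (abi < 0) return (errno == ENOSYS || errno == EOPNOTSUPP || errno == EPERM) ? 2 : -1;
    __u64 handled = LL_FS_ALL_V1;             /* the kernel rejects bits newer than its ABI, */
    if (abi >= 2) handled |= LL_FS_REFER;     /* but any right left unhandled stays unrestricted, */
    if (abi >= 3) handled |= LL_FS_TRUNCATE;  /* so handle everything this kernel knows about */
    struct ll_ruleset_attr rs = { .handled_access_fs = handled };
    int fd = syscall(__NR_landlock_create_ruleset, &rs, sizeof rs, 0);
    if (fd < 0) return -1;
    int ok = allow_beneath(fd, "/", LL_FS_READ_EXEC) == 0 &&
             allow_beneath(fd, workspace, handled) == 0 &&
             prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) == 0 &&    /* mandatory for unprivileged callers */
             syscall(__NR_landlock_restrict_self, fd, 0) == 0; /* irreversible from here on */
    close(fd);
    return ok ? 0 : -1;
}

/* Self-check in a throwaway child: the workspace must be writable, its parent must not.
 * 0 = enforced, 2 = Landlock unavailable (skipped), 1 = policy does not do what we think. */
static int selftest(void) {
    char ws[] = "/tmp/ws-XXXXXX", inside[64], outside[64];  /* constructed paths */
    if (!mkdtemp(ws)) return 1;
    snprintf(inside, sizeof inside, "%s/note", ws);
    snprintf(outside, sizeof outside, "%s-outside", ws);  /* sibling of the workspace */
    pid_t pid = fork();
    if (pid == 0) {
        int rc = restrict_fs(ws);
        if (rc != 0) _exit(rc == 2 ? 2 : 1);
        int ok = open(inside, O_WRONLY | O_CREAT, 0600) >= 0 &&
                 open(outside, O_WRONLY | O_CREAT, 0600) == -1 && errno == EACCES;
        _exit(ok ? 0 : 1);
    }
    int st = 0;
    int rc = (pid > 0 && waitpid(pid, &st, 0) == pid && WIFEXITED(st)) ? WEXITSTATUS(st) : 1;
    unlink(inside); rmdir(ws);
    return rc;
}

/* ./landlock-ws WORKSPACE CMD [ARGS...] runs CMD confined; with no arguments, runs the self-check. */
int main(int argc, char **argv) {
    if (argc < 3) return selftest();
    if (restrict_fs(argv[1]) != 0) return 125;  /* fail closed: never run the agent unconfined */
    execvp(argv[2], argv + 2);
    return 126;
}
```

Like the standalone wrappers listed under Key Technologies, this needs no root and no container: the process restricts itself and the kernel carries the restriction into every child and every exec, which is why an agent cannot undo it. Two details matter in practice. Rights the ruleset does not handle stay unrestricted (truncate on a v3 kernel, for instance), so the code handles every right the running kernel's ABI reports rather than a fixed set; and the launcher fails closed when Landlock is missing instead of silently running the agent unconfined.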
Key Technologies
- Landlock LSM (kernel 5.13+): Capability-based filesystem restrictions below the application layer — agents cannot override them
- seccomp-BPF: System call filtering that blocks network-related and dangerous syscalls
- landrun (2K+ GitHub stars): Most popular standalone Landlock wrapper, no root or containers needed
- jai (Stanford): Copy-on-write overlay sandbox — one command, no root, no containers. Gives the working directory full access and hides the rest of $HOME behind an overlay
- Firecracker MicroVMs: Dedicated guest kernel, ~150ms cold start, strongest isolation (E2B scaled to 15M sandboxes/month)
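The "network disabled" half of such a policy, as a seccomp-BPF filter (an added example, not the filter any agent on this page ships): creating a socket of any family other than AF_UNIX fails with EPERM, so the agent can still talk to local daemons over Unix sockets but cannot open TCP or UDP connections. Assumed: Linux with seccomp filter support, glibc, and x86_64 or aarch64 (the SANDBOX_ARCH macro is mine); the self-check is mine as well.

```c
/* Added example, not code from any agent named on this page: a seccomp-BPF
 * filter that turns socket() into EPERM for every family except AF_UNIX.
 * Assumes Linux with seccomp filters, glibc, x86_64 or aarch64. */
#define _GNU_SOURCE
#include <errno.h>
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>
#include <stddef.h>
#include <stdio.h>
#include <sys/prctl.h>
#include <sys/socket.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <unistd.h>

#ifdef __aarch64__
#define SANDBOX_ARCH AUDIT_ARCH_AARCH64
#else
#define SANDBOX_ARCH AUDIT_ARCH_X86_64   /* assumption: anything else here is x86_64 */
#endif
#ifndef SECCOMP_RET_KILL_PROCESS          /* headers older than 4.14 */
#define SECCOMP_RET_KILL_PROCESS 0x80000000U
#endif

/* Install the filter in the calling process. 0 = installed, 2 = kernel refused, -1 = error.
 * The filter is inherited across fork and execve and cannot be removed afterwards. */
static int deny_network(void) {
    struct sock_filter code[] = {
        /* 0-2: kill on a foreign ABI (e.g. 32-bit syscalls on x86_64), whose numbers differ */
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, arch)),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, SANDBOX_ARCH, 1, 0),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL_PROCESS),
        /* 3-4: anything other than socket() is allowed (jump to 8) */
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_socket, 0, 3),
        /* 5-6: inspect the family argument (low 32 bits; little-endian layout assumed) */
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, args[0])),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, AF_UNIX, 1, 0),
        /* 7: EPERM rather than a kill, so the agent gets an ordinary error; 8: allow */
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ERRNO | (EPERM & SECCOMP_RET_DATA)),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
    };
    struct sock_fprog prog = { .len = (unsigned short)(sizeof code / sizeof code[0]), .filter = code };
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0) return -1;  /* required without CAP_SYS_ADMIN */
    return prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog) == 0 ? 0 : 2;
}

/* Self-check in a throwaway child, because the filter would stick to this process.
 * 0 = enforced, 2 = seccomp filters unavailable (skipped), 1 = policy does not do what we think. */
static int selftest(void) {
    pid_t pid = fork();
    if (pid == 0) {
        int rc = deny_network();
        if (rc != 0) _exit(rc == 2 ? 2 : 1);
        int inet_denied = socket(AF_INET, SOCK_STREAM, 0) == -1 && errno == EPERM;
        int inet6_denied = socket(AF_INET6, SOCK_DGRAM, 0) == -1 && errno == EPERM;
        int unix_allowed = socket(AF_UNIX, SOCK_STREAM, 0) >= 0;  /* local IPC still works */
        _exit(inet_denied && inet6_denied && unix_allowed ? 0 : 1);
    }
    int st = 0;
    return (pid > 0 && waitpid(pid, &st, 0) == pid && WIFEXITED(st)) ? WEXITSTATUS(st) : 1;
}

/* ./no-net CMD [ARGS...] runs CMD without network; with no arguments, runs the self-check. */
int main(int argc, char **argv) {
    if (argc < 2) return selftest();
    if (deny_network() != 0) return 125;  /* fail closed */
    execvp(argv[1], argv + 1);
    return 126;
}
```

Two points a practitioner should check in any filter like this. The architecture test comes first because 32-bit compat syscalls on x86_64 use different numbers, so a filter that matches numbers alone can be sidestepped by a process switching ABI. And seccomp sees only the syscall being made, not descriptors the process already holds, so sockets inherited from the launcher remain usable; a launcher should close them or never pass them. Landlock ABI 4 (kernel 6.7) adds port-based TCP bind and connect restrictions, which complements this syscall-level filter for agents that need some network access.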
Strengths
- OS-level enforcement cannot be bypassed by the agent
- Multiple approaches for different threat models (kernel-level vs. containers vs. MicroVMs)
- Measurable impact — Claude Code reduced permission prompts by 84%, Cursor reduced interruptions ~40%
Limitations
- Landlock/seccomp are Linux-specific
- No standardized approach across agents
- GPU passthrough is challenging in sandboxed environments
- Kernel-level sandboxing is lighter weight but less isolated than MicroVMs