Security & Sandboxing¶
The posting says: "Strong expertise in security and isolation (Linux kernel hardening, Docker security, Wayland sandboxing)." Each AI agent runs in a container touching user data. This article covers seccomp-bpf, namespaces, capabilities, AppArmor, and Wayland's isolation model.
The Defense-in-Depth Stack¶
graph LR
APP["Chromium"] --> SEC["seccomp"]
APP --> NS["namespaces"]
APP --> CG["cgroups"]
APP --> CAP["capabilities"]
APP --> AA["AppArmor"]
SWAY["Sway"] --> WL["Wayland isolation"]seccomp-bpf¶
Restricts which syscalls a process can make. Kernel checks every syscall against a BPF filter before executing it.
Chromium's renderer processes allow ~30–50 syscalls (depending on architecture and build flags) of 400+ available. Warmwind's kiosk Chromium needs the same.
struct sock_fprog prog = { .len = ARRAY_SIZE(filter), .filter = filter };
prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0); // required first
prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog);
| Action | Effect |
|---|---|
SECCOMP_RET_ALLOW |
Syscall proceeds |
SECCOMP_RET_KILL_PROCESS |
Process killed (SIGSYS) |
SECCOMP_RET_ERRNO |
Return specified errno |
SECCOMP_RET_LOG |
Allow but log |
Seccomp profiles ≈ Dockerfiles for syscalls
A Dockerfile says which packages exist. A seccomp profile says which syscalls exist. Both whitelist what's allowed and deny everything else. You already think this way from your OCI work.
systemd integration:
[Service]
SystemCallFilter=@system-service
SystemCallFilter=~@mount @reboot
SystemCallErrorNumber=EPERM
Linux Namespaces¶
| Namespace | Isolates | Warmwind use |
|---|---|---|
pid |
Process IDs | Container has own PID 1 |
net |
Network stack | Own interfaces, no host access |
mnt |
Filesystem | Read-only rootfs + overlay |
user |
UID/GID | Root in container ≠ root on host |
uts |
Hostname | Per-session hostname |
ipc |
Shared memory | Isolated IPC |
cgroup |
cgroup view | Own cgroup root |
User namespace (security-critical): Maps container UID 0 → host UID 100000. Escaped "root" is unprivileged on host.
Linux Capabilities¶
Split root's power into ~40 discrete flags. Best practice: drop ALL, add back minimally.
[Service]
CapabilityBoundingSet=CAP_NET_BIND_SERVICE
AmbientCapabilities=CAP_NET_BIND_SERVICE
NoNewPrivileges=yes
Wayland Security Model¶
Why this matters for Warmwind
If Agent A could read Agent B's screen (like X11 allows), that's a data breach. Wayland prevents this by design.
| Attack | X11 | Wayland |
|---|---|---|
| Keylogging | Trivial | Impossible |
| Screen scraping | Trivial | Impossible without portal |
| Input injection | Easy | Cannot inject into other clients |
| Clipboard snooping | Any client | Requires keyboard focus |
Each client communicates only via its own Unix socket. Object IDs are per-connection. No shared framebuffer, no global event stream.
AppArmor¶
profile warmwind-chromium /usr/bin/chromium {
/usr/lib/chromium/** mr,
/tmp/chromium-kiosk/** rwk,
/dev/dri/renderD128 rw,
deny /home/** rw,
network inet stream,
deny network raw,
capability sys_admin,
deny capability sys_ptrace,
}
What's new (2025–2026)
- Landlock (merged 5.13) adds path-based file access control -- like AppArmor but unprivileged processes can self-sandbox. Complement to seccomp (which filters syscalls but can't restrict file paths). Landlock v4 (6.7) added network-port restrictions.
Glossary
- seccomp-bpf
- Kernel mechanism filtering syscalls with BPF bytecode. Installed per-process.
- BPF (Berkeley Packet Filter)
- Bytecode VM in the kernel. Classic BPF for seccomp, eBPF for tracing/networking.
- Capability
- One of ~40 discrete root privileges.
CAP_SYS_ADMINis the "god cap." - User namespace
- Maps UIDs inside a namespace to different UIDs outside. Enables rootless containers.
- MAC (Mandatory Access Control)
- System-enforced access policies (AppArmor, SELinux). Contrasts with DAC (Unix perms).
- SIGBUS
- Signal from accessing invalid memory. In Wayland: client truncates shared buffer
while compositor reads it. File sealing (
F_SEAL_SHRINK) prevents this.