undefined | Better HN

0 pointsFinbarr1mo ago0 comments

Did you read the post? That's exactly the problem I just solved.

0 comments

6 comments · 1 top-level

CodesInChaos1mo ago· 5 in thread

That's the part of your post I have trouble understanding. That you need to work around colliding ports suggests that the containers spun up by the agent run directly on the host, not inside some form of nested containerization. But if you do that, how do you ensure that the application running in those containers is sandboxed just as strictly as the agent itself?

FinbarrOP1mo ago

The docker compose stack for the applications is spun up on the host. The agents have access to the docker socket which means they can talk to docker from inside their sandbox and spin up new sibling containers on the host. Yolobox isn’t designed for full isolation- just accidental commands you wouldn’t want to run on the host, and a convenient way of giving agents a customizable environment they control.

Early on in development I tried to harden the container to prevent deliberate escapes by the agent. This was a waste of time as the agents just kept finding more and more exploits when I asked them to try and break out.

CodesInChaos1mo ago

So the right way to use yolobox is to spin up one VM as a secure sandbox, and then use yolobox to separate individual agents within the VM?

FinbarrOP1mo ago

I wouldn't assume that a VM will give you complete security against a determined AI. yolobox started as a way to prevent accidental `rm -rf ~` and has expanded into a set of tools that make working with CLI agents easier.

Personally, I run yolobox directly on the host. Being able to tell the agent it has sudo and can install and do whatever it needs to accomplish any task is handy.

CodesInChaos1mo ago

Sounds interesting. What kind of exploits did they find, apart from docker being exposed?

FinbarrOP1mo ago

Docker was only exposed later, after I realized that any sufficiently determined AI could break out of the container, and attempts to contain it were a waste of time. Also note that the docker socket is not exposed by default. There's a --docker flag for this.

I made some comments about exploits in the original post [1]. Gemini was quite creative in adding git hooks to the repo that would execute on the host machine. That folder is shared.

j / k navigate · click thread line to collapse

0 comments

6 comments · 1 top-level

CodesInChaos1mo ago· 5 in thread

FinbarrOP1mo ago

CodesInChaos1mo ago

So the right way to use yolobox is to spin up one VM as a secure sandbox, and then use yolobox to separate individual agents within the VM?

FinbarrOP1mo ago

Personally, I run yolobox directly on the host. Being able to tell the agent it has sudo and can install and do whatever it needs to accomplish any task is handy.

CodesInChaos1mo ago

Sounds interesting. What kind of exploits did they find, apart from docker being exposed?

FinbarrOP1mo ago

I made some comments about exploits in the original post [1]. Gemini was quite creative in adding git hooks to the repo that would execute on the host machine. That folder is shared.

j / k navigate · click thread line to collapse