Sandboxing AI Coding Agents
12/29/2025
An Ask HN question came up yesterday on how others are sandboxing coding agents.
I have not taken sandboxing seriously. When I previously researched this topic, the information and tooling to accomplish it seemed lacking. I figured that, for my minimal usage, I could manually approve each request the AI makes. But as my usage grows and the products mature, a safer and more efficient approach is needed. I hear more stories about AI discovering and using secret information it was never meant to see, mistakenly deleting directories outside the project, and exfiltrating private data.
The HN question did not receive a lot of responses. I considered a few, but did not generate a deep research query of my own. Of the options presented, creating a Lima VM seemed the easiest with sufficient security for my usage, although the steps became more involved as I implemented the solution. Below are the steps.
Lima VM installation
The install instructions Lima provides did not work for me, so I downloaded the latest release myself from their releases page and installed it:
    sudo tar -C /usr/local -xzf lima-2.0.3-Linux-x86_64.tar.gz
You may need to install the QEMU packages as well:
    sudo dnf install qemu-img qemu-kvm
The VM needs to mount the project directory so the project files can be accessed. To allow this we need to configure the SELinux policy by adding a file context label, then apply the label to all of the existing files within the directory.
- -a: add a policy rule
- -t: the label type; in this example svirt_home_t grants the VM access to files which exist within the home directory
- sandbox-test: the directory to apply the policy to
    sudo semanage fcontext -a -t svirt_home_t "sandbox-test(/.*)?"
    sudo restorecon -Rv sandbox-test
Creating a VM
A configuration file (dotnet-sandbox.yaml) can be used so that the VM is created with the needed dependencies and other VM settings:
    images:
      - location: "https://cloud-images.ubuntu.com/releases/24.04/release/ubuntu-24.04-server-cloudimg-amd64.img"
        arch: "x86_64"
    cpus: 4
    memory: "8GiB"
    mountType: "9p"
    provision:
      - mode: system
        script: |
          apt-get update
          # The .NET application needs the SDK
          apt-get install -y dotnet-sdk-10
          # The React frontend needs NPM
          snap install node --classic
          # Using the Codex CLI
          npm install -g @openai/codex
          # Codex expects `python`, not `python3`
          apt-get install -y python-is-python3
Now the VM can be created and started. Note the `:w` suffix, which makes the mounted directory writable:
    limactl start --name=dotnet-sandbox --mount-only .:w dotnet-sandbox.yaml
Follow the output instructions for entering the VM's shell:
    limactl shell dotnet-sandbox
Other commands
- Stop:
    limactl stop dotnet-sandbox
- Delete:
    limactl delete dotnet-sandbox
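To confirm the VM actually isolates what it should, here is a small sanity-check script of my own (an added example, not part of Lima or the steps above) to run inside the guest after `limactl shell`. It reads /proc/mounts and verifies that the only host share (a 9p or virtiofs mount) is the project directory passed to `--mount-only`, and that the `:w` suffix made it read-write; the guest path /home/user/sandbox-test in the comments is a placeholder.

```shell
#!/bin/sh
# Sandbox sanity check for the Lima guest. Run it after `limactl shell` to
# confirm that the only host directory reachable through a 9p/virtiofs mount
# is the project directory given to --mount-only, and that :w made it rw.

# check_host_mounts MOUNTS_FILE ALLOWED_PATH
#   MOUNTS_FILE  a file in /proc/mounts format (use /proc/mounts in the guest)
#   ALLOWED_PATH guest path where the project mount is expected
# Returns 1 (and lists the offenders on stderr) if any other host mount exists.
check_host_mounts() {
    mounts_file=$1
    allowed=$2
    rc=0
    while read -r _dev mountpoint fstype _opts _rest; do
        case "$fstype" in
            9p|virtiofs) ;;          # host shares use these filesystem types
            *) continue ;;           # everything else is guest-local storage
        esac
        if [ "$mountpoint" != "$allowed" ]; then
            echo "unexpected host mount: $mountpoint ($fstype)" >&2
            rc=1
        fi
    done < "$mounts_file"
    return $rc
}

# mount_is_writable MOUNTS_FILE PATH
# Returns 0 when PATH is mounted read-write, 1 when read-only or not mounted.
mount_is_writable() {
    mounts_file=$1
    path=$2
    while read -r _dev mountpoint _fstype opts _rest; do
        [ "$mountpoint" = "$path" ] || continue
        case ",$opts," in
            *,rw,*) return 0 ;;
            *) return 1 ;;
        esac
    done < "$mounts_file"
    return 1
}

# sandbox_check PROJECT_PATH: run both checks against the live guest.
# Inside the VM (placeholder path): sandbox_check "/home/user/sandbox-test"
sandbox_check() {
    check_host_mounts /proc/mounts "$1" && mount_is_writable /proc/mounts "$1"
}
```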
Set up the commit config for the coding agent:
    git config --global user.name "AI Agent"
    git config --global user.email "agent@internal.sandbox"
Codex cannot push to git remotes without access, but to further prevent Codex from pushing, a rule can be added (.rules):
    {
      "rules": [
        {
          "pattern": ["git", "push"],
          "action": "forbidden"
        }
      ]
    }