Landlock Your Vibe Coding

We’ve all heard the horror stories where an unsandboxed coding agent deletes the user’s entire home directory. As a mitigation, many vibe coding tools are now using Docker to contain the agent’s actions.

Unfortunately, Docker is not a good tool to keep the vibe coding agents at bay. To quote Docker’s own documentation (emphasis mine):

The docker group grants root-level privileges to the user. For details on how this impacts security in your system, see Docker Daemon Attack Surface.

So while a container keeps the agent from doing harm outside of it, installing Docker the usual way, with your normal user in the docker group, also removes the security boundary between that user and root: anyone who can talk to the daemon can start a container with the host's root file system bind-mounted into it and write to it as root. Docker is not something that your normal user account should have access to.

So as a stop-gap measure, for systems where you don’t want to install Docker, here is a little ad-hoc sandboxing script which runs Google’s gemini-cli in a Landlock sandbox:

#!/bin/sh

# Read-only access: enough to run binaries and read configuration
RDIR=execute,read-file,read-dir

# A reasonable subset of write accesses
RWDIR=$RDIR,write-file,remove-dir,remove-file,make-dir,make-reg,make-sock,make-fifo,make-sym,refer,truncate

# Refuse $HOME itself and any directory above it (/, /home): the
# read-write rule on $PWD below would otherwise cover the whole home.
case "$HOME" in
    "${PWD%/}"|"${PWD%/}"/*)
        echo "Run this from your project directory only" >&2
        exit 1 ;;
esac

mkdir -p "$HOME/.gemini"  # ensure this exists, no-op if it preexists

# Everything not listed below is denied. Paths are quoted so that
# directories containing spaces work; extra arguments go to gemini.
exec setpriv \
  --landlock-access fs \
  --landlock-rule "path-beneath:$RWDIR:$HOME/.gemini" \
  --landlock-rule "path-beneath:$RDIR:/etc" \
  --landlock-rule "path-beneath:$RDIR:/bin" \
  --landlock-rule "path-beneath:$RDIR:/usr" \
  --landlock-rule "path-beneath:$RDIR:/lib" \
  --landlock-rule "path-beneath:$RWDIR:$PWD" \
  /usr/bin/gemini "$@"

The tool used here is setpriv(1) from the util-linux package. Its --landlock-access and --landlock-rule options arrived in util-linux 2.40 and need a kernel with Landlock enabled (Linux 5.13 or later; "landlock" should be listed in /sys/kernel/security/lsm). Landlock is an allow-list: anything not covered by a rule fails with "Permission denied", so if your distribution keeps libraries or tools elsewhere (/lib64, /opt), add read-only rules for those directories too. The restriction is inherited by every process the agent starts and cannot be lifted from inside.
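As an added example (this is not the post's script, and not part of gemini-cli), here is a more reusable wrapper around the same setpriv invocation. It only emits rules for paths that exist on the machine, since setpriv aborts on a rule for a missing path; it refuses project directories that contain $HOME; it grants /dev/null with file-only accesses, because Landlock rejects directory rights on a non-directory; and it has a --check mode that runs a throwaway shell inside the sandbox to confirm that reads outside the allowed trees are really denied. The extra paths (/lib64, /dev, /proc, /tmp) and the function names are my assumptions, not anything the post or gemini-cli documents.

```shell
#!/bin/sh
# Added example, not the post's script: builds the setpriv(1) Landlock
# command line from lists of read-only and read-write paths, skipping
# paths that do not exist (setpriv aborts on a rule for a missing path),
# refuses project directories that contain $HOME, and can probe itself.
# Assumes util-linux 2.40+ and a kernel with Landlock enabled.

RDIR=execute,read-file,read-dir
RWDIR=$RDIR,write-file,remove-dir,remove-file,make-dir,make-reg,make-sock,make-fifo,make-sym,refer,truncate
# Non-directories only accept file accesses (read-file, write-file,
# execute, truncate); a directory-only right on a file is rejected.
RWFILE=read-file,write-file

# project_dir_ok DIR HOME: fail when DIR is HOME itself or an ancestor of
# it, because a read-write rule on such a DIR would cover the whole home.
project_dir_ok() {
    dir=${1%/}
    case "$2" in
        "$dir"|"$dir"/*) return 1 ;;
    esac
    return 0
}

# landlock_rules ACCESS PATH...: print "--landlock-rule" and
# "path-beneath:ACCESS:PATH" on separate lines for every PATH that exists.
landlock_rules() {
    access=$1; shift
    for p in "$@"; do
        if [ -e "$p" ]; then
            printf '%s\n' --landlock-rule "path-beneath:$access:$p"
        else
            printf 'landlock: no rule for missing path %s\n' "$p" >&2
        fi
    done
}

# sandbox_exec CMD [ARG...]: replace the current shell with CMD running
# under the Landlock policy below. /lib64, /dev, /proc and /tmp are my
# additions to the post's list (assumed, not documented by gemini-cli).
sandbox_exec() {
    project_dir_ok "$PWD" "$HOME" || {
        echo "refusing: $PWD contains your home directory; run from a project directory" >&2
        return 1
    }
    mkdir -p "$HOME/.gemini"
    rules=$(
        landlock_rules "$RDIR"   /etc /bin /usr /lib /lib64 /dev /proc
        landlock_rules "$RWFILE" /dev/null
        landlock_rules "$RWDIR"  "$HOME/.gemini" "$PWD" /tmp
    )
    # POSIX sh has no arrays: split the rule lines (IFS=newline, globbing
    # off) into the positional parameters ahead of the command itself.
    oldifs=$IFS; IFS='
'
    set -f
    set -- $rules "$@"
    set +f; IFS=$oldifs
    exec setpriv --landlock-access fs "$@"
}

# sandbox_selfcheck: run a throwaway shell inside the sandbox and confirm
# that an allowed read works while listing $HOME (covered by no rule) is
# denied. Succeeds only when the sandbox is actually enforced.
sandbox_selfcheck() {
    (sandbox_exec sh -c 'ls /usr >/dev/null 2>&1 && ! ls "$HOME" >/dev/null 2>&1')
}

case "${1:-}" in
    --check) sandbox_selfcheck && echo "sandbox enforced" ;;
    "")      ;;  # sourced or run without arguments: define functions only
    *)       sandbox_exec "$@" ;;
esac
```

Run it as `./sandbox.sh --check` from a project directory first; once that prints "sandbox enforced", `./sandbox.sh gemini` (or any other command) starts the agent under the same policy. Because the rule list is built from what exists on the machine, a missing /lib64 simply produces a note on stderr instead of an aborted launch, while a path you mistype is equally silently skipped, so read those notes.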

Obligatory warning: This Landlock invocation restricts access to the file system only: it can keep an agent from reading your SSH keys and from seeing or modifying the content of your files outside ~/.gemini and the current directory. It does not restrict networking, Unix signals and a variety of other things, and whatever is already in the agent's environment variables stays visible to it. You still should not store your prod database credentials within the agent's reach.
