AI Agents · Lesson

Security Policies for Code Execution

Capability restrictions, network isolation, file system limits, and timeouts.

Why Policies Aren't Enough by Themselves

Telling the LLM 'don't access the network' is not a security control; it is a hint. The model may ignore it, it may be jailbroken into ignoring it, or the code it generates may violate the rule indirectly, without any obvious network call in the snippet.

Real security policies must be enforced at the execution layer (kernel, container runtime, network namespace), not only in the prompt. A rule the executing process cannot physically break is a control; a rule it is merely asked to follow is not.

Capability Restrictions Overview

Capability restrictions limit what a sandboxed process can do at the OS level. Linux capabilities split root privilege into fine-grained abilities that can be dropped individually.

Dropping every capability except the minimum the workload actually needs is the principle of least privilege applied at the process level: root inside the container is left with no special powers.

import docker

client = docker.from_env()

# Drop all Linux capabilities: the in-container root user keeps none of
# root's special powers. Network is disabled and memory is capped as well.
# The command is passed as a list so the nested quotes survive; as a single
# string the SDK would shlex-split it and break print("safe run") apart.
output = client.containers.run(
    'python:3.12-slim',
    ['python', '-c', 'print("safe run")'],
    cap_drop=['ALL'],           # no capabilities at all
    network_disabled=True,      # no network interface beyond loopback
    mem_limit='256m',           # memory ceiling for the container
    auto_remove=True            # daemon deletes the container when it exits
)
print(output.decode())
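The two points above, enforcing policy at the execution layer rather than in the prompt and running with every capability dropped, come together in the following added example. It is not the lesson's code and it goes a little beyond the snippet: the policy is a plain Python object the LLM never touches, it is translated into Docker SDK run arguments (capability drop, network off, memory and PID limits, read-only root filesystem with a small tmpfs scratch space), and the timeout is enforced by the host, which kills the container when the wait expires. It assumes the Docker SDK for Python (`pip install docker`) and a reachable daemon only when run_untrusted() is actually called; building and checking a policy is pure Python. The deny-list of capabilities is an assumption to be tuned per deployment.

```python
"""Execution-layer policy for an LLM code sandbox.

Added example, not the lesson's own code. It assumes the Docker SDK for
Python (`pip install docker`) and a reachable daemon only when
run_untrusted() is called; building and checking a policy is pure Python.
"""
from dataclasses import dataclass
from typing import Any, Optional, Tuple

# Capabilities that defeat the sandbox if granted (assumed deny-list; extend
# to taste). Names use the kernel spelling without the CAP_ prefix.
DENIED_CAPS = frozenset({
    "SYS_ADMIN", "SYS_PTRACE", "SYS_MODULE", "SYS_RAWIO",
    "NET_ADMIN", "DAC_OVERRIDE", "SETUID", "SETGID",
})


class PolicyViolation(ValueError):
    """Raised when a requested policy would weaken the sandbox."""


@dataclass(frozen=True)
class ExecPolicy:
    """Declarative limits; the LLM never sees or edits these."""
    image: str = "python:3.12-slim"
    allowed_caps: frozenset = frozenset()   # kept after dropping ALL
    network: bool = False                   # no network unless explicitly on
    mem_limit: str = "256m"
    pids_limit: int = 64                    # stops fork bombs
    read_only_rootfs: bool = True           # code cannot modify the image
    scratch_size: str = "16m"               # only writable place: tmpfs /tmp
    timeout_s: int = 10                     # wall clock, enforced by the host


def normalize_cap(name: str) -> str:
    """Accept 'cap_net_bind_service' or 'NET_BIND_SERVICE' alike."""
    name = name.strip().upper()
    return name[4:] if name.startswith("CAP_") else name


def validate(policy: ExecPolicy) -> None:
    """Reject any policy that would weaken the sandbox."""
    caps = {normalize_cap(c) for c in policy.allowed_caps}
    denied = caps & DENIED_CAPS
    if denied:
        raise PolicyViolation(f"capabilities never granted: {sorted(denied)}")
    if policy.timeout_s <= 0 or policy.pids_limit <= 0:
        raise PolicyViolation("timeout_s and pids_limit must be positive")


def is_permitted(policy: ExecPolicy) -> bool:
    try:
        validate(policy)
    except PolicyViolation:
        return False
    return True


def to_run_kwargs(policy: ExecPolicy) -> dict[str, Any]:
    """Translate the policy into Docker SDK `containers.run` keyword arguments."""
    validate(policy)
    return {
        "cap_drop": ["ALL"],
        "cap_add": sorted({normalize_cap(c) for c in policy.allowed_caps}),
        "network_disabled": not policy.network,
        "mem_limit": policy.mem_limit,
        "pids_limit": policy.pids_limit,
        "read_only": policy.read_only_rootfs,
        "tmpfs": {"/tmp": f"size={policy.scratch_size}"},
        "security_opt": ["no-new-privileges"],   # no setuid escalation
        "detach": True,   # we wait ourselves so the timeout is enforceable
    }


def run_untrusted(client, code: str, policy: ExecPolicy) -> Tuple[Optional[int], bytes]:
    """Run `code` under `policy`; return (exit status, combined logs).

    Exit status is None when the host killed the container for overrunning
    timeout_s. `client` is a docker.DockerClient, e.g. docker.from_env().
    """
    import requests  # dependency of the Docker SDK, imported lazily

    container = client.containers.run(
        policy.image, ["python", "-c", code], **to_run_kwargs(policy))
    try:
        status = container.wait(timeout=policy.timeout_s)["StatusCode"]
    except (requests.exceptions.ReadTimeout,
            requests.exceptions.ConnectionError):
        container.kill()      # timeout enforced outside the sandbox
        status = None
    logs = container.logs(stdout=True, stderr=True)
    container.remove(force=True)
    return status, logs


if __name__ == "__main__":
    import docker
    # A snippet that tries to open a connection: with the default policy the
    # connect fails inside the container, so the exit status is non-zero.
    status, logs = run_untrusted(
        docker.from_env(),
        'import socket; socket.create_connection(("example.com", 80))',
        ExecPolicy())
    print(status, logs.decode())
```

The important design choice is that the container is started detached and the host calls wait() with its own timeout: if the generated code loops forever, the kill comes from outside the sandbox, where the untrusted code has no say. A second useful property is that the policy object is validated before it is ever translated, so a tool-calling layer that lets the agent request extra capabilities can only ever hand out ones the deny-list permits.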
