Discussion
NanoClaw's Architecture is a Masterclass in Doing Less
juancn: "Perfection is finally attained, not when there's nothing else to add, but when there's nothing else to remove" - Antoine de Saint-Exupéry
grim_io: Could have started with his name, jeez. jk
tao_oat: Unfortunately this has all the hallmarks of AI writing, which made me a lot less motivated to read it.
torrienaylor: I really like solving the prompt injection credential exfiltration risk by never giving the container real keys in the first place. I wonder how prolific that pattern will become.
nyrikki: > The agent inside the container runs with bypassPermissions — it can use Bash, write files, do whatever it wants. But "whatever it wants" is constrained by what the OS lets it see. No application-level permission checks needed.

While containers can be useful for reducing privileges, that assumption isn't safe. Remember that the only thing namespaced away is that which supports namespaces, and that by themselves, namespaces are not security features.

A super critical part I didn't see or missed is the importance of changing UID; the last line of [0] will show one reason.

Remember that the container user has elevated privileges unless you, the user, explicitly drop these privileges.

I applaud the effort at hardening, but containers have mostly been successful because the most popular apps like nginx operate under a traditional cohosting system and take responsibility for privilege dropping.

There are tons of kernel calls, LD_PRELOAD tricks etc. that are well known and easy to find with exploration.

Even dropping elevated privileges and setting no new priv still isn't a jail.

Without using separate UIDs, don't expect any real separation at all.

[0] https://www.kernel.org/doc/html/latest/admin-guide/namespace...
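As an added illustration of the point above about UID, capabilities and no_new_privs (this is not code from the thread or from NanoClaw), a small POSIX shell check that reads a Linux /proc/<pid>/status file and reports whether the process has actually shed its privileges rather than merely being inside a container:

```shell
#!/bin/sh
# Added example: audit the privilege state a process really has, as recorded
# in /proc/<pid>/status, so that "it runs in a container" is not mistaken for
# "it dropped privileges". Takes a path so it can be pointed at
# /proc/self/status inside the container or at a saved copy of it.

check_proc_status() {
    status_file="$1"
    problems=0

    # Uid line holds real, effective, saved and filesystem UID
    uid=$(awk '/^Uid:/ {print $2}' "$status_file")
    euid=$(awk '/^Uid:/ {print $3}' "$status_file")
    # Effective capability bitmask (hex) and the no_new_privs flag
    capeff=$(awk '/^CapEff:/ {print $2}' "$status_file")
    nnp=$(awk '/^NoNewPrivs:/ {print $2}' "$status_file")

    if [ "$uid" = "0" ] || [ "$euid" = "0" ]; then
        echo "FAIL: running as UID 0 (uid=$uid euid=$euid); use a dedicated unprivileged UID"
        problems=$((problems + 1))
    fi
    # Any non-zero bit in CapEff means the process still holds kernel privileges
    if [ -n "$capeff" ] && [ -n "$(printf '%s' "$capeff" | tr -d '0')" ]; then
        echo "FAIL: effective capabilities present (CapEff=$capeff); drop them"
        problems=$((problems + 1))
    fi
    if [ "$nnp" != "1" ]; then
        echo "FAIL: NoNewPrivs not set; setuid binaries could regain privileges"
        problems=$((problems + 1))
    fi

    if [ "$problems" -eq 0 ]; then
        echo "OK: unprivileged UID, empty capability set, no_new_privs set"
    fi
    # Exit status is the number of findings, so 0 means hardened
    return "$problems"
}

# Usage inside the sandbox: check_proc_status /proc/self/status
```

A clean result here only shows the process has no UID 0, no capabilities and no_new_privs; as the comment notes, that still leaves the kernel attack surface and is not a jail.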
lizardking: I can hear this in Leonard Nimoy's voice from Civ IV