Implement a Desktop Agent Sandbox: Practical Guide Using Containers and Seccomp

Why desktop autonomous agents need rock-solid sandboxes now

Autonomous desktop agents (think Anthropic Cowork and similar tools) promise huge productivity gains by manipulating files, running workflows, and automating workflows on a user’s machine. That power is also a risk: an agent with file-system and network access can exfiltrate data, install persistent backdoors, or escalate privileges. If you build or operate these agents, you need a practical, reproducible sandbox pattern that balances usability and safety.

This guide shows how to design and implement a desktop agent sandbox using modern containers, seccomp, Linux capabilities, namespaces, and other kernel-level controls. It focuses on 2026-era best practices—cgroups v2, Landlock and LSM stacking, eBPF observability—and gives concrete commands, JSON snippets, and a deployable architecture you can adapt to your environment.

Executive summary — what you’ll get

• A clear threat model for desktop agents.
• An architecture pattern: supervisor + ephemeral container per task.
• Step-by-step implementation using rootless containers, seccomp, capability drops, and mount controls.
• Monitoring, testing, and advanced defenses (Landlock, eBPF, network proxies).

Context: the problem in 2026

Desktop agents in 2025–2026 moved from CLI helpers to full-featured desktop assistants. As Forbes noted when describing tools like Anthropic Cowork, agents are being given direct file-system access to organize and modify files for non-technical users.

“Anthropic launched Cowork… giving knowledge workers direct file system access for an agent that can organize folders, synthesize documents and generate spreadsheets.”

That functionality is valuable, but we must assume the agent's runtime or its third-party plugins are at risk. Building a sandbox that enforces least privilege while preserving workflow is the central challenge.

Threat model (start here)

Before building controls, define what you want to stop. Typical threats for a desktop agent include:

• Data exfiltration: reading sensitive files and sending them over the network.
• Privilege escalation: exploiting kernel/system services to gain higher privileges.
• Persistence: writing startup scripts, services, or cron jobs.
• Lateral movement: accessing other accounts, SSH keys, or network shares.
• Runtime exploitation: executing arbitrary binaries or loading unsafe native modules.

Design principles (defense in depth)

• Least privilege: only grant the minimal file and network permissions needed for a task.
• Ephemeral execution: run tasks in short-lived containers with writable overlays that are discarded.
• Multiple control layers: combine namespaces, seccomp, capabilities, cgroups, and LSMs like Landlock or AppArmor.
• Consent & audit: require user consent for elevated actions and log all activities for audit and rollback.
• Fail-safe defaults: deny by default—explicitly allow only what the agent must do.

Architecture: supervisor + per-task ephemeral containers

Use a small, trusted supervisor (a system service or user agent process) that:

• Validates and applies user-granted permissions.
• Starts ephemeral containers for each agent task.
• Applies seccomp, capabilities, namespaces, and cgroups at container start.
• Proxies network traffic through a DPI or allow-listing proxy.
• Collects logs and telemetry for auditing and anomaly detection.

Why ephemeral containers?

Ephemeral containers mean any compromise is short-lived. Containers are created per task, with a fresh overlayfs and destroyed after completion—no persistent storage unless explicitly approved by the user.

Prerequisites and runtime choices (2026)

Prefer container runtimes and kernels that support modern sandboxing features:

• Kernel: Linux 6.x+ — better eBPF, LSM stacking, and Landlock maturity in 2025–2026.
• Container runtime: Podman rootless or Docker with user namespaces; containerd + runc is fine for controlled environments.
• cgroups: cgroups v2 (unified) for resource limits and io control.
• Policies: seccomp v2 JSON, Landlock for file-access controls, AppArmor/SELinux optional depending on distro.

Step-by-step implementation

1) Build a minimal agent image

Start from a minimal base (distroless or Alpine) and run as a non-root user inside the container. Reducing available system utilities decreases attack surface.

<!-- Dockerfile snippet -->
FROM alpine:3.19
RUN addgroup -S agent && adduser -S -G agent agent
USER agent
WORKDIR /home/agent
COPY agent-binary /usr/local/bin/agent
ENTRYPOINT ["/usr/local/bin/agent"]

2) Use rootless containers and user namespaces

Rootless containers prevent container root from mapping to host root. With Podman this is straightforward:

podman run --rm --userns=keep-id --security-opt label=disable ...

Rootless reduces blast radius; if you must run privileged operations, require an explicit, auditable elevation step in the supervisor.

3) Drop capabilities

Use capability dropping to remove unnecessary kernel powers. The most conservative approach is to drop all and add back only what’s needed.

podman run --cap-drop=ALL --cap-add=CAP_NET_BIND_SERVICE ...

For desktop agents that don’t need raw device or kernel control, do not add CAP_SYS_ADMIN, CAP_SYS_MODULE, CAP_NET_RAW, or CAP_DAC_READ_SEARCH.

4) Apply a seccomp profile

Seccomp restricts syscalls a process may make. Begin with the Docker/Podman default and tighten it for your workload. Below is a small illustrative seccomp JSON that blocks dangerous calls; use it as a starting point and test thoroughly.

{
  "defaultAction": "SCMP_ACT_ERRNO",
  "archMap": [{"architecture": "SCMP_ARCH_X86_64","subarchitectures": ["SCMP_ARCH_X86","SCMP_ARCH_X32"]}],
  "syscalls": [
    {"names": ["read", "write", "exit", "exit_group", "futex", "nanosleep", "clock_gettime"], "action": "SCMP_ACT_ALLOW"},
    {"names": ["openat", "close", "stat", "fstat", "lseek"], "action": "SCMP_ACT_ALLOW"}
  ]
}

Notes:

• Seccomp policies are application-specific. Use syscall tracers (strace) during testing to expand allowed calls safely.
• For complex operations (spawn editors, interpreters), you'll need a larger allow-list.
• Consider using seccomp filters generated from observed good behavior and tighten iteratively.

5) Control the filesystem with bind mounts and overlayfs

Only bind the exact directories the agent needs. Make user-sensitive paths unavailable by default. For writable areas, use an in-memory overlay or tmpfs that is destroyed after the task.

podman run --read-only \
  --tmpfs /tmp:rw,size=50M \
  -v /home/user/Documents/allowed:ro:/work:ro \
  --security-opt seccomp=agent-seccomp.json ...

Use an overlay so the agent can write during the task but those writes are not persisted unless the supervisor explicitly promotes them. This lets you present a “preview” of changes and ask for user approval before committing.

6) Network control — proxy or isolate

By default, deny outbound network access. If the agent needs network, route traffic through a supervised, monitored proxy that enforces allow-lists and content inspection. Simple options:

• Disable network entirely: --network=none.
• Use a user-space proxy that whitelists hosts and inspects content.
• Use firewall rules (nftables/iptables) per-container network namespaces.

7) Limit resources with cgroups v2

Prevent noisy or denial-of-service behavior by setting memory, CPU, and I/O limits:

podman run --memory=256m --cpus=0.5 ...

Use cgroups v2 to cap devices and io latency as well. In 2026, most distros default to cgroups v2—leverage unified controllers for predictable limits.

8) Add Landlock (optional but powerful)

Landlock allows fine-grained user-space file access policies. Use it to deny access to sensitive directories even if the container tries to remount them. In 2025–2026 Landlock has matured and is increasingly available; integrate it at supervisor startup for per-process file constraints.

9) AppArmor/SELinux for extra isolation

Platform LSMs like AppArmor or SELinux add another defense layer. Use distro-specific profiles to constrain capabilities and mount points. LSM stacking now allows you to use Landlock alongside other LSMs in many kernels.

GUI and desktop integration

Agents need to read/write documents and interact with the desktop. Avoid giving the agent direct access to X11 sockets or Wayland compositor by default—those channels are high-risk.

• Use xdg-desktop-portal for controlled file open/save dialogs that mediate individual file access.
• For Wayland, prefer passing a restricted portal token or using a controlled surface provider that only permits rendering without input injection.
• If you must use X11, wrap it with an intermediary like xpra or a VNC-like stream to prevent credential and cookie leaks.

Monitoring, logging, and detection

Sandboxing is not perfect. Assume breaches will occur and build detection:

• Collect container lifecycle logs and syscall denials (auditd + seccomp logs).
• Use eBPF-based observability (Falco, Cilium Hubble, or custom bpftrace scripts) to detect suspicious behavior in 2026—eBPF is the dominant observability stack now.
• Log network flows at the proxy and correlate with file accesses to detect exfiltration patterns.

Testing and validation

Test your sandbox comprehensively:

• Write behavioral tests that exercise allowed workflows and confirm the container can’t access denied paths.
• Run fuzzers and syscall stress tests to find holes in seccomp profiles and capability boundaries.
• Use red-team style tests that simulate exfiltration attempts and persistence strategies.

Example: protecting Documents while allowing edits

Scenario: an agent needs to read and edit a subset of Documents but must not access SSH keys or hidden config directories.

1. Supervisor asks the user to authorize /home/user/Documents/projectA (read/write ephemeral) and denies /home/user/.ssh, /home/user/.gnupg.
2. Supervisor creates an ephemeral overlay mount: lowerdir=/home/user/Documents/projectA (ro), upperdir=tmpfs, merged=/workspace.
3. Podman runs the agent container read-only, with /workspace mounted as read-write (the overlay) and seccomp profile applied.
4. Agent edits files in /workspace. Supervisor shows a diff and asks user to commit changes. If approved, the supervisor applies a controlled chrooted copy-back routine to persist only whitelisted files.
5. All network traffic is routed via a proxy with a strict whitelist (e.g., only company SaaS endpoints).

Advanced topics and 2026 trends

In 2026 the following trends are relevant:

• Landlock adoption: Landlock has become practical for user-space file policies and is widely supported in distros.
• eBPF for detection: Observability and run-time policy enforcement increasingly use eBPF rather than only auditd.
• Confidential compute: For high-risk assets, remote execution in hardware-backed enclaves (SGX-type flows or AMD SEV) is becoming common for certain workflows.
• Policy-as-code: Declarative policies (Rego/OPA) driving runtime enforcement and UI consent are the norm in enterprise deployments.

Operational checklist

• Use rootless containers or user namespaces.
• Drop all capabilities; add only what’s required.
• Apply a tight seccomp profile and iterate from observed good behavior.
• Mount only necessary directories, use overlayfs for ephemeral writes.
• Disable network by default; use a proxy/allow-list where needed.
• Limit resources with cgroups v2.
• Leverage Landlock/AppArmor for additional file and action restrictions.
• Log and monitor with eBPF-based tooling and correlate telemetry.
• Test with fuzzers, red-team exercises, and syscall tracing.

Limitations and trade-offs

No sandbox is perfect. Tightening seccomp or restricting syscalls may break legitimate behavior (editors, interpreters, native modules). The balance between usability and safety requires iteration and user-facing permission flows. Expect to refine policies based on real-world usage metrics captured by your supervisor.

Final notes — trust but verify

Desktop agents like Cowork offer real productivity gains, but misconfigured permissions can cause significant risk. In 2026, the best practice is layered sandboxing: containers for process isolation, seccomp for syscall filtering, capabilities for kernel power control, and Landlock/AppArmor for file access policies—plus strong monitoring powered by eBPF.

Start small: implement an ephemeral container per task, deny everything by default, and add allowances only through a supervised, auditable UI. Iterate with testing and monitoring. That approach will let you ship useful agent features while keeping your users and their data safe.

Actionable next steps

1. Set up a proof-of-concept supervisor that starts rootless Podman containers with --read-only and a minimal seccomp profile.
2. Create an overlayfs pattern for ephemeral edits and implement a commit/approval flow.
3. Integrate eBPF-based monitoring (Falco or custom) and generate alerts for denied syscalls and unexpected network destinations.
4. Run a red-team exercise that simulates an agent exploitation and iterate on your policies.

Call to action

If you’re building or evaluating desktop agent features, start a small sandbox POC this week using the steps above. Need a ready-to-run starter kit (Podman manifests, baseline seccomp, overlay scripts, and eBPF detection rules)? Sign up for the codewithme.online sandbox template repo and get a working example you can adapt to your environment—secure by default, auditable, and designed for production.

Related Reading

• Makeup for Glasses Wearers: Boots Opticians’ Campaign Inspires Practical Eye Makeup Tips
• How to Care for Down and Puffer Outerwear (Including Pet Coats)
• Sensory Gift Packs for New Parents: Soft Textiles, Calming Lights & Quiet Crafts
• Design a Ganondorf Lift: 3D-Printable Parts and Building Guide for Clubs
• Betting, Stocks and Soccer: Using Cashtags to Track Club-Related Market Moves