by SubiculumCode 18 days ago
I'm curious. How do you do that?

First, do everything in a virtual machine, and only put on that machine the specific data you're using. Give the agent another user account and put both you and it in a common group. Chgrp g+rX your origin data directory, chgrp g+rwX a working directory.

If you're cautious you might also want to just block all network traffic for that user and allow it in a whitelist basis. It is fairly quick to converge on a set of sites you are happy for it to access. I would still be forcing it through a logging mitm proxy if it is accessing untrusted internet data. For intranet destinations a non-mitm proxy avoids collecting authentication creds.

To blacklist all traffic start with sudo iptables -A OUTPUT -m owner --gid-owner NONET -j REJECT

I would stop it opening ports too. Might also cut off its access to suid binaries by `setfacl -m u:agent:x /path/to/suid`.

These are not about security so much as awareness and explicit authorisation.

You can do similar things with containers.
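The VM-plus-separate-user setup described in the comment above, as an added example that is not from the thread: it creates the agent account and shared group, applies the group-readable data / group-writable working directory split (using chmod for the mode bits), and installs the iptables owner-match default-deny with an allow list in front of it. It matches on the agent's uid rather than a NONET group, assumes allowed destinations are given as IP addresses or CIDR ranges, and assumes the logging proxy sits on 127.0.0.1:8080; with DRY_RUN=1 (the default) it only prints the privileged commands.

```shell
#!/bin/sh
# Added example, not code from the thread. Run as root with DRY_RUN=0 to
# apply; by default every privileged command is printed instead of executed.

run() {
  if [ "${DRY_RUN:-1}" = 1 ]; then
    printf '%s\n' "$*"
  else
    "$@"
  fi
}

# sandbox_setup AGENT_USER SHARED_GROUP DATA_DIR WORK_DIR [ALLOWED_HOST ...]
# Creates the agent user and the group shared with the human operator,
# gives that group read-only access to the origin data and read-write
# access to the working directory, then rejects all outbound traffic from
# the agent's uid except to the allowed hosts on 443 and to a local
# logging proxy (assumed to listen on 127.0.0.1:8080).
sandbox_setup() {
  agent="$1"; grp="$2"; data="$3"; work="$4"; shift 4
  run groupadd -f "$grp"
  run useradd -m -G "$grp" "$agent"
  run usermod -aG "$grp" "$(id -un)"   # put the operator in the same group
  # Group-readable origin data, group-writable working directory.
  run chgrp -R "$grp" "$data" "$work"
  run chmod -R g+rX "$data"
  run chmod -R g+rwX "$work"
  # Default-deny for everything the agent user sends ...
  run iptables -A OUTPUT -m owner --uid-owner "$agent" -j REJECT
  # ... then insert the allow list ahead of it (-I prepends to the chain).
  for host in "$@"; do
    run iptables -I OUTPUT -m owner --uid-owner "$agent" \
      -d "$host" -p tcp --dport 443 -j ACCEPT
  done
  # The local logging proxy is the only other permitted exit.
  run iptables -I OUTPUT -m owner --uid-owner "$agent" \
    -o lo -d 127.0.0.1 -p tcp --dport 8080 -j ACCEPT
}
```

Calling `sandbox_setup agent agentshare /srv/data /srv/work 203.0.113.10` in dry-run mode prints the full command sequence for review before anything is applied.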

thank you. I probably have been playing a little loose. I did not realize that they could use my docker group to fuck around with everything. Well, I AM using codex as a vs code plugin. I don't know if that gives me any protection or not.
For some very basic level protection use devcontainers and install the agent into that....

A better approach is to use the Docker Sandboxes feature. Locks things way down so that the agent only has access to the files you give it and you can lock down its network access too. Also does things like keep any credentials outside of the container (microvm actually).

thank you. this article freaked me out a bit because I hadn't realized the docker loophole.