by samhita-alla 7 days ago
Supply chain attacks are a reasonable use case. But do they require VM-level isolation?

For example, what about a sandbox that isolates arbitrary user code in its own process using kernel-level primitives like user namespaces, Landlock and seccomp? That's the same class of problem Claude Code and Codex are solving when they execute model-generated commands, and it should also limit filesystem and network access as you mentioned. It's process-level isolation rather than VM-level isolation, but it still provides meaningful containment. What do you think?

My concern is that people often default to VM-level isolation without really thinking through what it's meant to protect against and whether they actually need it. It comes with a fairly heavy infra burden and isn't necessarily the right answer for every use case.
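As an added illustration, not code from either commenter, the kind of process-level containment the comment proposes, in Python: a forked child first sets no_new_privs, then applies a Landlock ruleset that confines reads to one directory (degrading to "skipped" on kernels without Landlock), then a seccomp-BPF filter that returns EPERM for socket(2), and finally probes both restrictions. It assumes Linux on x86_64 or aarch64, with syscall numbers and constants taken from the kernel headers; user namespaces are left out.

```python
import ctypes, ctypes.util, os, platform, socket, struct, tempfile
libc = ctypes.CDLL(ctypes.util.find_library("c"), use_errno=True)
PR_SET_NO_NEW_PRIVS, PR_SET_SECCOMP, SECCOMP_MODE_FILTER = 38, 22, 2
BPF_LD_W_ABS, BPF_JMP_JEQ_K, BPF_RET_K = 0x20, 0x15, 0x06            # linux/filter.h
RET_ALLOW, RET_KILL, RET_EPERM = 0x7FFF0000, 0x80000000, 0x00050001    # linux/seccomp.h
ARCH = {"x86_64": (0xC000003E, 41), "aarch64": (0xC00000B7, 198)}      # (AUDIT_ARCH_*, __NR_socket)
LL_CREATE, LL_ADD_RULE, LL_RESTRICT = 444, 445, 446                    # landlock_* syscall numbers
LL_READ = (1 << 2) | (1 << 3)                  # LANDLOCK_ACCESS_FS_READ_FILE | READ_DIR (ABI v1)

def build_filter(audit_arch, nr_socket):
    """BPF program: kill on a foreign arch, EPERM for socket(2), allow everything else."""
    insn = lambda code, jt, jf, k: struct.pack("HBBI", code, jt, jf, k)   # struct sock_filter
    return b"".join([
        insn(BPF_LD_W_ABS, 0, 0, 4), insn(BPF_JMP_JEQ_K, 1, 0, audit_arch),  # A = arch; match -> skip kill
        insn(BPF_RET_K, 0, 0, RET_KILL),
        insn(BPF_LD_W_ABS, 0, 0, 0), insn(BPF_JMP_JEQ_K, 0, 1, nr_socket),   # A = nr; not socket -> allow
        insn(BPF_RET_K, 0, 0, RET_EPERM), insn(BPF_RET_K, 0, 0, RET_ALLOW)])

def install_seccomp():
    prog = build_filter(*ARCH[platform.machine()])
    buf = ctypes.create_string_buffer(prog, len(prog))                  # the kernel copies it in
    fprog = ctypes.create_string_buffer(struct.pack("HP", len(prog) // 8, ctypes.addressof(buf)))  # sock_fprog
    if libc.prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, fprog, 0, 0) != 0:
        raise OSError(ctypes.get_errno(), "seccomp install failed")

def install_landlock(allowed_dir):
    """Allow reads only beneath allowed_dir; returns False if the kernel has no Landlock."""
    attr = struct.pack("Q", LL_READ)           # landlock_ruleset_attr.handled_access_fs
    rs = libc.syscall(LL_CREATE, attr, len(attr), 0)
    if rs < 0: return False
    rule = struct.pack("=Qi", LL_READ, os.open(allowed_dir, os.O_PATH | os.O_CLOEXEC))  # packed path_beneath_attr
    ok = libc.syscall(LL_ADD_RULE, rs, 1, rule, 0) == 0      # 1 = LANDLOCK_RULE_PATH_BENEATH
    return ok and libc.syscall(LL_RESTRICT, rs, 0) == 0

def run_sandboxed_probe(allowed_dir=tempfile.gettempdir(), outside_dir="/"):
    """Fork, confine the child, report whether socket() and a read outside allowed_dir were denied."""
    r, w = os.pipe()
    if os.fork() == 0:
        try:
            libc.prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0)      # prerequisite for Landlock and seccomp
            have_landlock, probes = install_landlock(allowed_dir), []
            install_seccomp()
            for fn in (lambda: socket.socket().close(), lambda: os.listdir(outside_dir)):
                try: fn(); probes.append("allowed")
                except PermissionError: probes.append("denied")
            os.write(w, ",".join(probes if have_landlock else [probes[0], "skipped"]).encode())
        finally:
            os._exit(0)
    os.close(w); out = (os.read(r, 64).decode() + ",error,error").split(","); os.wait(); os.close(r)
    return {"socket_denied": out[0] == "denied", "read_outside": out[1]}
```

The parent process is never restricted; only the forked child is, which is how a sandbox host would wrap the untrusted code.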

1 comment

I think process namespaces are what both Docker and Podman use along with cgroups for isolation. It should provide meaningful containment, and I was originally pursuing using rootless Podman. But after hearing about the Copy Fail and recent container escape vulnerabilities, I'm concerned that is not enough. That's why I've opted for VM-level isolation, but at a more convenient level using KVM than full-fledged VMware VMs. I admit I'm not an expert in this space so maybe I'm overly cautious.