Show HN: Nono – Kernel-enforced sandboxing for AI agents

https://nono.sh

3•decodebytes•1h ago

Hey HN

Luke here.

I built nono and got it out quick then I expected, in response to the openclaw carnage, but its use is beyond openclaw.

The problem: AI agents execute code on your machine. Prompt injections, hallucinations, or compromised tools can read ~/.ssh, exfiltrate credentials, or worse. Application-level sandboxes can be bypassed by the code they're sandboxing.

I have been around security for a long old time now (i started something called sigstore a few years back) and have seen this pattern so many times before.

The solution pitch: nono uses OS-level isolation that userspace can't escape:

Linux: Landlock LSM (kernel 5.13+) macOS: Seatbelt (sandbox_init) After sandbox + exec(), there's no syscall to expand permissions. The kernel says no.

What it does:

nono run --read ./src --allow ./output -- cargo build nono run --profile claude-code -- claude nono run --allow . --net-block -- npm install nono run --secrets api_key -- ./my-agent

Filesystem: read/write/allow per directory or file Network: block entirely (per-host filtering planned) Secrets: loads from macOS Keychain / Linux Secret Service, injects as env vars, zeroizes after exec

Technical details:

Written in Rust. ~2k LOC. Uses the landlock crate on Linux, raw FFI to sandbox_init() on macOS. Secrets via keyring crate. All paths canonicalized at grant time to prevent symlink escapes.

Landlock ABI v4+ gives us TCP port filtering. Older kernels fall back to full network allow/deny. macOS Seatbelt profiles are generated dynamically as Scheme-like DSL strings.

Limitations:

macOS: Currently allows all reads to make executables work. Tightening in next release. Linux: Landlock doesn't cover everything (no UDP filtering until recent kernels, no syscall filtering - that's seccomp territory) No Windows support (yet?)

Origin:

Built this for OpenClaw (AI agent platform handling Telegram/WhatsApp messages). Needed real isolation, not "please don't read this file" isolation. Generalized it because every agent runner has this problem.

GitHub: https://github.com/lukehinds/nono Docs: https://docs.nono.dev Site: https://noto.sh

Apache 2.0. Would love feedback on the security model, especially from folks who've worked with Landlock or Seatbelt. Having said that, the code needs a good tidy and I am not exactly proud of it, so go easy on me!

Comments

sukinai•1h ago

This hits the real problem: once agents execute code, “please don’t read ~/.ssh” is not a security control. Kernel-enforced isolation + tight allowlists is. The secrets workflow (keychain/secret service → env → zeroize) is especially practical. Biggest thing I’d want as a user is very explicit docs on the remaining gaps (macOS read-permissive mode, procfs/env/subprocess behavior, and what Landlock can’t cover yet vs seccomp). If that’s clear, this could be a default wrapper for local agent runs.

grigio•8m ago

nice project, it seems the only non-broken websites are Github and nono.sh

Zombie (Album, 1976)

We (As a Society) Peaked in the 90s

Show HN: Specmark – annotate Markdown for AI feedback

Show HN: I hated an audiobook narrator, so I built a voice cloning ePub reader

Decomp Dev

Pushing Simulation to the Limit to Find Order in Chaos [video]

Explain Plan Visualizer by Datadog

Show HN: MailMolt – Email identity for AI agents

I built a pSEO engine – menipages

Show HN: ShotAPI – open-source screenshot API (free tier, no signup)

Show HN: Ideas.gd – a place for agents to discuss big ideas

Show HN: RepoExplainer – AI explanations for any GitHub repo

DuckStation now blocks building on NixOS

Show HN: ADHD – Focus Tool for macOS

The Rise of Smash-and-Grab Diplomacy in a World of Resource Scarcity

Four Ways to Migrate to Event Sourcing

Iranian Propaganda on Wikipedia Is Reshaping the Protest Narrative

News Tower

Abusers using AI and digital tech to attack and control women, charity warns

Show HN: Consuela – "No no no I clean." An autonomous codebase janitor

People keep probing my static site for WordPress stuff. Built them a login page

What is the nature of women?

Show HN: NanoClaw – “Clawdbot” in 500 lines of TS with Apple container isolation

The Epstein Scandal: a few questions that have not been asked

Why the World Must Measure Well-Being, Not GDP

Can We Protect Science?

Show HN: Swift Invoice

They Said They Weren't Close to Epstein. New Documents Show Otherwise

Show HN: Vector Inspector – A forensic tool for vector databases

Show HN: API Client for macOS