Show HN: Nono – Kernel-enforced sandboxing for AI agents

https://nono.sh
4•decodebytes•10h ago
Hey HN

Luke here.

I built nono and got it out quicker than I expected, in response to the openclaw carnage, but its use is beyond openclaw.

The problem: AI agents execute code on your machine. Prompt injections, hallucinations, or compromised tools can read ~/.ssh, exfiltrate credentials, or worse. Application-level sandboxes can be bypassed by the code they're sandboxing.

I have been around security for a long old time now (I started something called sigstore a few years back) and have seen this pattern so many times before.

The solution pitch: nono uses OS-level isolation that userspace can't escape:

Linux: Landlock LSM (kernel 5.13+)
macOS: Seatbelt (sandbox_init)

After sandbox + exec(), there's no syscall to expand permissions. The kernel says no.

What it does:

    nono run --read ./src --allow ./output -- cargo build
    nono run --profile claude-code -- claude
    nono run --allow . --net-block -- npm install
    nono run --secrets api_key -- ./my-agent

Filesystem: read/write/allow per directory or file
Network: block entirely (per-host filtering planned)
Secrets: loads from macOS Keychain / Linux Secret Service, injects as env vars, zeroizes after exec

Technical details:

Written in Rust. ~2k LOC. Uses the landlock crate on Linux, raw FFI to sandbox_init() on macOS. Secrets via keyring crate. All paths canonicalized at grant time to prevent symlink escapes.

Landlock ABI v4+ gives us TCP port filtering. Older kernels fall back to full network allow/deny. macOS Seatbelt profiles are generated dynamically as Scheme-like DSL strings.

Limitations:

macOS: Currently allows all reads to make executables work. Tightening in next release.
Linux: Landlock doesn't cover everything (no UDP filtering until recent kernels, no syscall filtering - that's seccomp territory)
No Windows support (yet?)

Origin:

Built this for OpenClaw (AI agent platform handling Telegram/WhatsApp messages). Needed real isolation, not "please don't read this file" isolation. Generalized it because every agent runner has this problem.

GitHub: https://github.com/lukehinds/nono
Docs: https://docs.nono.dev
Site: https://noto.sh

Apache 2.0. Would love feedback on the security model, especially from folks who've worked with Landlock or Seatbelt. Having said that, the code needs a good tidy and I am not exactly proud of it, so go easy on me!

Comments

sukinai•10h ago
This hits the real problem: once agents execute code, “please don’t read ~/.ssh” is not a security control. Kernel-enforced isolation + tight allowlists is. The secrets workflow (keychain/secret service → env → zeroize) is especially practical. Biggest thing I’d want as a user is very explicit docs on the remaining gaps (macOS read-permissive mode, procfs/env/subprocess behavior, and what Landlock can’t cover yet vs seccomp). If that’s clear, this could be a default wrapper for local agent runs.
grigio•8h ago
nice project, it seems the only non-broken websites are Github and nono.sh
gossterrible•7h ago
I think with access to bash any AI agent can write a basic python/bash script and run it to evade your sandbox, right?
decodebytes•39m ago
Good question - and the answer is no, they cannot escape. nono uses Landlock (Linux) and Seatbelt (macOS) - these are kernel-level security mechanisms. When a sandbox is created:

All child processes inherit the restrictions - if the agent spawns Python, Bash, or compiles and runs a binary, that process is equally sandboxed
There is no API to remove or expand the sandbox - once restrict_self() (Landlock) or sandbox_init() (Seatbelt) is called, the restrictions are permanent for that process tree.
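
The inheritance behaviour described in the reply above can be checked directly against the Linux Landlock syscalls. This is an added example, not part of the thread and not nono's code: a child restricts itself to reading beneath one directory, then a grandchild forked afterwards tries to open a file outside it. The helper name `grandchild_read_denied`, the `LL_*` macro names, and the paths `/tmp` and `/etc/passwd` are assumptions chosen for illustration; the syscall numbers and flag values are the Landlock ABI v1 ones.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdint.h>
#include <stdio.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <unistd.h>

/* Landlock UAPI (ABI v1) declared inline, so <linux/landlock.h> is not needed. */
#define LL_CREATE_RULESET 444   /* landlock_create_ruleset */
#define LL_ADD_RULE 445         /* landlock_add_rule */
#define LL_RESTRICT_SELF 446    /* landlock_restrict_self */
#define LL_RULE_PATH_BENEATH 1
#define LL_FS_READ_FILE (1ULL << 2)
struct ll_ruleset_attr { uint64_t handled_access_fs; };
struct ll_path_beneath_attr { uint64_t allowed_access; int32_t parent_fd; }
    __attribute__((packed));

/* Hypothetical helper: a child restricts itself to reading files beneath
 * allowed_dir, then forks a grandchild that tries to open probe.
 * Returns 1 if the grandchild was denied, 0 if it could read the file,
 * -1 if Landlock is unavailable or setup failed. */
int grandchild_read_denied(const char *allowed_dir, const char *probe) {
    int st;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        struct ll_ruleset_attr ra = { .handled_access_fs = LL_FS_READ_FILE };
        struct ll_path_beneath_attr pb = { .allowed_access = LL_FS_READ_FILE };
        if (access(probe, R_OK)) _exit(2);          /* must be readable before */
        int rs = (int)syscall(LL_CREATE_RULESET, &ra, sizeof(ra), 0);
        pb.parent_fd = open(allowed_dir, O_PATH | O_CLOEXEC);
        if (rs < 0 || pb.parent_fd < 0) _exit(2);   /* e.g. ENOSYS, EOPNOTSUPP */
        if (syscall(LL_ADD_RULE, rs, LL_RULE_PATH_BENEATH, &pb, 0)) _exit(2);
        if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0)) _exit(2);
        if (syscall(LL_RESTRICT_SELF, rs, 0)) _exit(2);
        pid_t gc = fork();                          /* inherits the domain */
        if (gc < 0) _exit(2);
        if (gc == 0) _exit(open(probe, O_RDONLY) < 0 ? 1 : 0);
        if (waitpid(gc, &st, 0) < 0 || !WIFEXITED(st)) _exit(2);
        _exit(WEXITSTATUS(st));
    }
    if (waitpid(pid, &st, 0) < 0 || !WIFEXITED(st) || WEXITSTATUS(st) == 2) return -1;
    return WEXITSTATUS(st);
}

int main(void) { printf("%d\n", grandchild_read_denied("/tmp", "/etc/passwd")); return 0; }
```

The restriction is applied in a forked child so the calling process stays unsandboxed; a return of -1 is expected on kernels without Landlock enabled.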
