Namespaces
Linux namespaces provide process-level isolation for each agent. Every agent runs in its own set of namespaces, created at spawn time.
Namespaces Used
| Namespace | Flag | What It Isolates |
|---|---|---|
| PID | CLONE_NEWPID | Process ID space; agents cannot see other agents' PIDs |
| Network | CLONE_NEWNET | Network interfaces and routing; nftables rules are applied here |
| Mount | CLONE_NEWNS | Filesystem mount points; the overlayfs workspace is mounted here |
PID Namespace
Each agent sees only its own process tree. It cannot enumerate or signal other agents' processes. The agent's init process (PID 1 in its namespace) is the spawned binary.
Benefits:
- Prevents agent from killing or ptrace-ing other agents
- Prevents
/procenumeration of other agents - Simplifies cleanup (killing PID 1 in the namespace kills the whole tree)
Network Namespace
A new network namespace is created for the agent:
- nftables rules are installed in this namespace only, not affecting the host
- The agent gets a virtual network interface (veth pair) connected to the host
nonepolicy: no interfaces other than loopback- Other policies: veth interface with appropriate nftables filtering
Mount Namespace
A new mount namespace is created for the agent:
- The overlayfs workspace is mounted here
- The base filesystem is read-only in this namespace
- Only the agent's upper layer (workspace) is writable
agentd's mounts are not visible from inside the namespace
Interaction with Other Layers
Namespaces work alongside the other enforcement layers:
| Layer | Namespace Interaction |
|---|---|
| seccomp | Applied inside the PID namespace |
| AppArmor | Applied to the binary exec'd inside the mount namespace |
| cgroups | Applied to the cgroup containing the PID namespace init |
| nftables | Applied inside the network namespace |
User Namespace (Future)
User namespaces (CLONE_NEWUSER) are not currently used. Adding them would allow agents to run as "root" inside their namespace without any host privileges. This is planned for a future phase.