I'm a Diploma Student. I Built an AI Agent Sandbox in 2–3 Days Using setfacl

Hrutav Modha — Mon, 23 Mar 2026 17:31:54 +0000

I'm in 4th semester Diploma in Computer Engineering.

I don't know AutoGen, CrewAI, or Docker.

I had a problem, sat at my PC, and solved it.

The Problem

I was running agentic workflows via Gemini CLI using a markdown task file.

Wanted a loop: Developer → Tester → Reviewer.

Issue: Tester could read implementation.

So instead of:

"Does this satisfy the spec?"

It asked:

"Does this match the code?"

That's not testing — it's validation bias. I saw it happen: wrong code passed
because tests were influenced by source.

"Tell AI not to read files" is not a security model. It's trust.

I needed enforcement.

The Idea

Linux already solves this: filesystem-level access control.

useradd --system --no-create-home --shell /usr/sbin/nologin kernelcage-agent
setfacl -m u:kernelcage-agent:--- tests/

If Tester physically cannot read src/, the problem is eliminated at the
OS level. No prompts. No containers. Just the kernel refusing the syscall.

The key insight: setfacl lets you set permissions per user without
touching anyone else's access. My own permissions stay untouched. Only
kernelcage-agent gets restricted.

Architecture

3 agents, enforced by kernel.

No need for 3 users. Agents run sequentially — use one unprivileged
daemon user (kernelcage-agent), flip ACL permissions per turn using
setfacl before handing control to each agent.

Agent	TASKS.md	REVIEW.md	src/	tests/
Developer	R	R	R+W	none
Tester	R	R	none	R+W
Reviewer	R+W	R+W	R	R

Developer cannot read tests/ — kernel refuses the call
Tester cannot read src/ — derives tests only from spec, not implementation
Reviewer sees all, modifies only coordination files

Execution:

sudo -u kernelcage-agent bash -c "<generated_command>"

No sudo, no password — privilege escalation fails instantly at OS level.

The permission flip in Python looks like this:

def mark_no_access(path):
    os.system(f"setfacl -R -m u:kernelcage-agent:--- {path}")
    os.system(f"setfacl -R -d -m u:kernelcage-agent:--- {path}")

def mark_write_access(path):
    os.system(f"setfacl -R -m u:kernelcage-agent:rwx {path}")
    os.system(f"setfacl -R -d -m u:kernelcage-agent:rwx {path}")

def mark_read_only(path):
    os.system(f"setfacl -R -m u:kernelcage-agent:rx {path}")
    os.system(f"setfacl -R -d -m u:kernelcage-agent:rx {path}")

The -d flag sets default ACLs so newly created files inside a directory
automatically inherit the same restrictions. Without it, a file created by
the Developer agent would have no ACL and be readable by everyone.

Protocol

Two markdown files. That's the entire inter-agent communication layer.

TASKS.md — forward progress

- [ ] Task 1
- [x] Task 2

REVIEW.md — bug channel

When this file exists, it overrides normal flow across all three agents.

Present → fix described bug first
Absent → continue with next task

No APIs. No message queues. Files are the protocol.

Feedback Loop

TASKS.md → Developer → src/
           (no test access)
                ↓
           Tester → tests/
           (no src access)
                ↓
           Reviewer → runs suite
                ↓
          FAIL        PASS
           ↓            ↓
      append          mark done
      REVIEW.md       commit + push
           ↓
      Developer
      reads bug,
      fixes src/

No human intervention in the normal path.

Prior Art Search

Searched GitHub, ArXiv, Google Scholar, HackerNews, Reddit, and
documentation of every major agentic framework.

Findings:

All frameworks use either prompt isolation or containers
None applied native Linux filesystem permissions to isolate agents from each other in a coding loop

Closest match: A March 2026 academic paper on a hospital agent OS using
the exact same mechanism — Linux user isolation, ACL-based file permissions,
inter-agent coordination via document writes — for medical agents under
HIPAA compliance requirements.

Same architecture. Different domain. Published after this.

Current Status

Single Python script
Uses a predefined TASKS.md
One unprivileged daemon user
setfacl permission flipping per agent turn

No config system, no multi-provider support, no packaging yet.

Works.

GitHub: https://github.com/hrutavmodha/ai-sandboxer

(Note: setfacl requires ACL support enabled on your filesystem.
Check with mount | grep acl. If not enabled:
sudo mount -o remount,acl /)

Honest Note

Built in 2-3 days.

No prior framework knowledge. No Docker. No awareness of what the
"standard" solution was supposed to be.

Just looked at the problem and reached for what the OS already provides.

Sometimes not knowing the established approach means you find a
different one.

If there's a flaw, I genuinely want to know.

Stars, issues, and brutal feedback all welcome.

DEV Community: Hrutav Modha