I'm in 4th semester Diploma in Computer Engineering.
I don't know AutoGen, CrewAI, or Docker.
I had a problem, sat at my PC, and solved it.
The Problem
I was running agentic workflows via Gemini CLI using a markdown task file.
Wanted a loop: Developer → Tester → Reviewer.
Issue: Tester could read implementation.
So instead of:
- "Does this satisfy the spec?"
It asked:
- "Does this match the code?"
That's not testing — it's validation bias. I saw it happen: wrong code passed
because tests were influenced by source.
"Tell AI not to read files" is not a security model. It's trust.
I needed enforcement.
The Idea
Linux already solves this: filesystem-level access control.
useradd --system --no-create-home --shell /usr/sbin/nologin kernelcage-agent
setfacl -m u:kernelcage-agent:--- tests/
If Tester physically cannot read src/, the problem is eliminated at the
OS level. No prompts. No containers. Just the kernel refusing the syscall.
The key insight: setfacl lets you set permissions per user without
touching anyone else's access. My own permissions stay untouched. Only
kernelcage-agent gets restricted.
Architecture
3 agents, enforced by kernel.
No need for 3 users. Agents run sequentially — use one unprivileged
daemon user (kernelcage-agent), flip ACL permissions per turn using
setfacl before handing control to each agent.
| Agent | TASKS.md | REVIEW.md | src/ | tests/ |
|---|---|---|---|---|
| Developer | R | R | R+W | none |
| Tester | R | R | none | R+W |
| Reviewer | R+W | R+W | R | R |
- Developer cannot read
tests/— kernel refuses the call - Tester cannot read
src/— derives tests only from spec, not implementation - Reviewer sees all, modifies only coordination files
Execution:
sudo -u kernelcage-agent bash -c "<generated_command>"
No sudo, no password — privilege escalation fails instantly at OS level.
The permission flip in Python looks like this:
def mark_no_access(path):
os.system(f"setfacl -R -m u:kernelcage-agent:--- {path}")
os.system(f"setfacl -R -d -m u:kernelcage-agent:--- {path}")
def mark_write_access(path):
os.system(f"setfacl -R -m u:kernelcage-agent:rwx {path}")
os.system(f"setfacl -R -d -m u:kernelcage-agent:rwx {path}")
def mark_read_only(path):
os.system(f"setfacl -R -m u:kernelcage-agent:rx {path}")
os.system(f"setfacl -R -d -m u:kernelcage-agent:rx {path}")
The -d flag sets default ACLs so newly created files inside a directory
automatically inherit the same restrictions. Without it, a file created by
the Developer agent would have no ACL and be readable by everyone.
Protocol
Two markdown files. That's the entire inter-agent communication layer.
TASKS.md — forward progress
- [ ] Task 1
- [x] Task 2
REVIEW.md — bug channel
When this file exists, it overrides normal flow across all three agents.
- Present → fix described bug first
- Absent → continue with next task
No APIs. No message queues. Files are the protocol.
Feedback Loop
TASKS.md → Developer → src/
(no test access)
↓
Tester → tests/
(no src access)
↓
Reviewer → runs suite
↓
FAIL PASS
↓ ↓
append mark done
REVIEW.md commit + push
↓
Developer
reads bug,
fixes src/
No human intervention in the normal path.
Prior Art Search
Searched GitHub, ArXiv, Google Scholar, HackerNews, Reddit, and
documentation of every major agentic framework.
Findings:
- All frameworks use either prompt isolation or containers
- None applied native Linux filesystem permissions to isolate agents from each other in a coding loop
Closest match: A March 2026 academic paper on a hospital agent OS using
the exact same mechanism — Linux user isolation, ACL-based file permissions,
inter-agent coordination via document writes — for medical agents under
HIPAA compliance requirements.
Same architecture. Different domain. Published after this.
Current Status
- Single Python script
- Uses a predefined
TASKS.md - One unprivileged daemon user
-
setfaclpermission flipping per agent turn
No config system, no multi-provider support, no packaging yet.
Works.
GitHub: https://github.com/hrutavmodha/ai-sandboxer
(Note: setfacl requires ACL support enabled on your filesystem.
Check with mount | grep acl. If not enabled:
sudo mount -o remount,acl /)
Honest Note
Built in 2-3 days.
No prior framework knowledge. No Docker. No awareness of what the
"standard" solution was supposed to be.
Just looked at the problem and reached for what the OS already provides.
Sometimes not knowing the established approach means you find a
different one.
If there's a flaw, I genuinely want to know.
Stars, issues, and brutal feedback all welcome.
Top comments (0)