🤖 AI Summary
This work addresses the security risk of AI agents routinely executing untrusted code on developer machines (model-generated shell commands, scripts fetched at runtime, plugins of unknown provenance), where existing isolation mechanisms either demand privilege and image management (containers, microVMs) or give weak, coarse guarantees (chroot, ulimit and similar wrappers). The authors propose Sandlock, a privilege-free, fine-grained Linux process sandbox built around one split: static, input-independent policy is compiled into kernel-enforced rules, while runtime-dependent decisions and virtualized effects are delegated to a narrow userspace supervisor. This design enforces filesystem, network, IPC, and system-call policy without root, cgroups, images, or mandatory namespaces, and additionally supports dynamic network decisions, HTTP-level access control, TOCTOU-safe inspection of execve arguments, and reversible filesystem effects. Reported measurements show roughly 5 ms of startup overhead and Redis throughput indistinguishable from bare metal within measurement noise; a pipeline operator adds per-stage confinement so that data, network, and untrusted-content capabilities can be kept in separate stages.
📝 Abstract
AI agents increasingly run untrusted code on developer machines: shell commands generated by language models, third-party scripts retrieved at runtime, and tool plugins of unknown provenance. Existing isolation mechanisms impose tradeoffs that fit this workload poorly: containers and microVMs add privilege, image-management, and startup costs, while ad-hoc process controls and wrappers (e.g. chroot, ulimit) provide weak guarantees and little syscall-level control. Sandlock is a lightweight Linux process sandbox organized around a simple split: static, input-independent policy is compiled into kernel-enforced rules, while a narrow supervisor handles runtime-dependent decisions and virtualized effects. This split lets Sandlock enforce filesystem, network, IPC, and syscall policies without root, cgroups, images, or mandatory namespaces. It also supports dynamic network decisions, HTTP-level access control, TOCTOU-safe inspection of execve arguments, and reversible filesystem effects. On our workstation, Sandlock adds roughly 5 ms of startup overhead and runs Redis at bare-metal throughput (within measurement noise); its pipeline operator further supports per-stage confinement for separating data, network, and untrusted-content capabilities. Sandlock is available at https://github.com/multikernel/sandlock.
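The static/dynamic split the abstract describes can be shown in miniature. The following is example code written for this page, not Sandlock's implementation, and it assumes a kernel mechanism the abstract does not name: seccomp-BPF, with the rootless `PR_SET_NO_NEW_PRIVS` path, `SECCOMP_RET_ALLOW` for the input-independent rules and `SECCOMP_RET_USER_NOTIF` to hand path- and address-dependent syscalls to a userspace supervisor. The `ALLOW` and `SUPERVISE` lists are illustrative, not a policy taken from the project. The block compiles such a policy into a BPF program, evaluates it offline with a small interpreter (so a policy can be tested before it is loaded into a process), and loads it without privileges when run with `--install`.

```c
/* Added example, not Sandlock's code: compile a static syscall policy into
 * seccomp-BPF, route runtime-dependent syscalls to a userspace supervisor via
 * SECCOMP_RET_USER_NOTIF, and check the program offline before loading it. */
#define _GNU_SOURCE
#include <errno.h>
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <unistd.h>

#ifndef SECCOMP_RET_KILL_PROCESS                   /* uapi headers older than 4.14 */
#define SECCOMP_RET_KILL_PROCESS 0x80000000U
#endif
#ifndef SECCOMP_RET_USER_NOTIF                     /* uapi headers older than 5.0 */
#define SECCOMP_RET_USER_NOTIF 0x7fc00000U
#define SECCOMP_FILTER_FLAG_NEW_LISTENER (1UL << 3)
#endif
#if defined(__x86_64__)
#define HOST_ARCH AUDIT_ARCH_X86_64
#elif defined(__aarch64__)
#define HOST_ARCH AUDIT_ARCH_AARCH64
#else
#error "add the AUDIT_ARCH_* value for this architecture"
#endif
#define N(a) (sizeof(a) / sizeof((a)[0]))
#define INSN(code, jt, jf, k) ((struct sock_filter){ (code), (jt), (jf), (k) })

/* Static half (illustrative list): the kernel answers with no supervisor round-trip. */
static const int ALLOW[] = { __NR_read, __NR_write, __NR_close, __NR_fstat, __NR_brk,
                             __NR_mmap, __NR_munmap, __NR_rt_sigreturn, __NR_exit_group };
/* Dynamic half: the decision depends on a path or address, so the supervisor takes it. */
static const int SUPERVISE[] = { __NR_openat, __NR_execve, __NR_execveat, __NR_connect };

/* Layout: arch check, load nr, one JEQ per rule, three shared return stubs.
 * Returns the instruction count, or 0 if the program does not fit in `cap`. */
static size_t compile_policy(const int *allow, size_t n_allow, const int *sup, size_t n_sup,
                             struct sock_filter *out, size_t cap) {
    size_t total = 4 + n_allow + n_sup + 3, i = 0, r;
    size_t ret_notif = total - 2, ret_allow = total - 1;
    if (total > cap || total - 5 > UINT8_MAX)      /* jt/jf are 8-bit forward offsets */
        return 0;
    out[i++] = INSN(BPF_LD | BPF_W | BPF_ABS, 0, 0, offsetof(struct seccomp_data, arch));
    out[i++] = INSN(BPF_JMP | BPF_JEQ | BPF_K, 1, 0, HOST_ARCH);
    out[i++] = INSN(BPF_RET | BPF_K, 0, 0, SECCOMP_RET_KILL_PROCESS); /* foreign ABI: nr means something else */
    out[i++] = INSN(BPF_LD | BPF_W | BPF_ABS, 0, 0, offsetof(struct seccomp_data, nr));
    for (r = 0; r < n_allow; r++, i++)
        out[i] = INSN(BPF_JMP | BPF_JEQ | BPF_K, (uint8_t)(ret_allow - i - 1), 0, (uint32_t)allow[r]);
    for (r = 0; r < n_sup; r++, i++)
        out[i] = INSN(BPF_JMP | BPF_JEQ | BPF_K, (uint8_t)(ret_notif - i - 1), 0, (uint32_t)sup[r]);
    out[i++] = INSN(BPF_RET | BPF_K, 0, 0, SECCOMP_RET_ERRNO | EPERM); /* default: deny, but survivable */
    out[i++] = INSN(BPF_RET | BPF_K, 0, 0, SECCOMP_RET_USER_NOTIF);
    out[i++] = INSN(BPF_RET | BPF_K, 0, 0, SECCOMP_RET_ALLOW);
    return i;
}

/* Minimal classic-BPF interpreter for the opcodes the compiler emits. Anything else,
 * or running off the end, reports KILL_PROCESS so a malformed program is noticed. */
static uint32_t evaluate(const struct sock_filter *prog, size_t len, const struct seccomp_data *d) {
    uint32_t acc = 0;
    for (size_t pc = 0; pc < len; pc++) {
        const struct sock_filter *in = &prog[pc];
        if (in->code == (BPF_LD | BPF_W | BPF_ABS)) {          /* acc = aligned word of seccomp_data */
            if (in->k % 4 || (size_t)in->k + 4 > sizeof *d) return SECCOMP_RET_KILL_PROCESS;
            memcpy(&acc, (const unsigned char *)d + in->k, sizeof acc);
        } else if (in->code == (BPF_JMP | BPF_JEQ | BPF_K)) {  /* pc += acc == k ? jt : jf */
            pc += acc == in->k ? in->jt : in->jf;
        } else if (in->code == (BPF_RET | BPF_K)) {
            return in->k;
        } else {
            return SECCOMP_RET_KILL_PROCESS;
        }
    }
    return SECCOMP_RET_KILL_PROCESS;
}

/* The kernel's answer for syscall `nr` arriving from ABI `arch` (arguments zeroed). */
static uint32_t decide(const struct sock_filter *prog, size_t len, uint32_t arch, int nr) {
    struct seccomp_data d;
    memset(&d, 0, sizeof d);
    d.nr = nr;
    d.arch = arch;
    return evaluate(prog, len, &d);
}

/* Rootless load; returns the listener fd the supervisor serves with SECCOMP_IOCTL_NOTIF_RECV/
 * _SEND, or -1 with errno set. Caveat for that supervisor: re-check SECCOMP_IOCTL_NOTIF_ID_VALID
 * after reading target memory, and note the kernel documents SECCOMP_USER_NOTIF_FLAG_CONTINUE
 * as TOCTOU-racy for argument-based decisions, since another target thread can rewrite them. */
static int install_filter(struct sock_filter *prog, size_t len) {
    struct sock_fprog fprog = { .len = (unsigned short)len, .filter = prog };
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0)       /* this is what makes it rootless */
        return -1;
    return (int)syscall(__NR_seccomp, SECCOMP_SET_MODE_FILTER, SECCOMP_FILTER_FLAG_NEW_LISTENER, &fprog);
}

int main(int argc, char **argv) {
    struct sock_filter prog[64];
    size_t len = compile_policy(ALLOW, N(ALLOW), SUPERVISE, N(SUPERVISE), prog, N(prog));
    int probes[] = { __NR_write, __NR_openat, __NR_execve, __NR_ptrace };
    for (size_t i = 0; i < N(probes); i++)
        printf("nr %3d -> 0x%08x\n", probes[i], decide(prog, len, HOST_ARCH, probes[i]));
    if (argc > 1 && strcmp(argv[1], "--install") == 0)     /* supervised calls now block until answered */
        printf("listener fd %d\n", install_filter(prog, len));
    return 0;
}
```

Build with `gcc -Wall -o policy policy.c` and run it to see the decision for each probe; with `--install` the program is loaded into the running process, after which any syscall in `SUPERVISE` blocks until something reads the listener fd and replies, which is exactly the supervisor's job in the split above. The offline `decide` check is the cheap step to keep: it catches a mis-ordered rule or an unreachable return before the filter is ever attached to a process, where the kernel would otherwise reject or, worse, silently deny.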