2026-02-02 · Authensor

Process Isolation for AI Agents: Preventing Privilege Escalation

Process isolation for AI agents prevents an agent from gaining privileges beyond its intended scope — blocking sudo calls, setuid execution, capability acquisition, and uncontrolled process spawning. SafeClaw by Authensor enforces process-level controls through deny-by-default policies on shell commands: every shell.execute action is evaluated against allowed command patterns before execution, and privilege-escalating commands like sudo, su, chmod +s, and chown root are denied by policy before the shell ever sees them.

Quick Start

npx @authensor/safeclaw

Privilege Escalation Vectors for AI Agents

AI agents with shell access can attempt escalation through multiple vectors:

| Vector | Command | Risk |
|---|---|---|
| Direct sudo | sudo rm -rf / | Full root access |
| User switch | su - root | Root shell |
| Setuid binary | chmod +s /tmp/exploit | Persistent escalation |
| Capability grant | setcap cap_sys_admin+ep binary | Kernel-level privilege |
| Process spawn | nohup malicious.sh & | Persistent background process |
| Cron injection | crontab -e | Scheduled privilege execution |
| Package install | apt install backdoor | System modification |

SafeClaw Shell Command Policies

Block every escalation vector explicitly:

version: "1.0"
description: "Process isolation — prevent privilege escalation"

rules:
  # Block privilege escalation commands
  - action: shell.execute
    command: "sudo *"
    effect: deny
    reason: "Privilege escalation via sudo blocked"

  - action: shell.execute
    command: "su *"
    effect: deny
    reason: "User switching blocked"

  - action: shell.execute
    command: "su"
    effect: deny
    reason: "User switching blocked"

  - action: shell.execute
    command: "chmod +s *"
    effect: deny
    reason: "Setuid modification blocked"

  - action: shell.execute
    command: "chmod u+s *"
    effect: deny
    reason: "Setuid modification blocked"

  - action: shell.execute
    command: "chown root *"
    effect: deny
    reason: "Ownership change to root blocked"

  - action: shell.execute
    command: "setcap *"
    effect: deny
    reason: "Capability modification blocked"

  - action: shell.execute
    command: "crontab *"
    effect: deny
    reason: "Cron modification blocked"

  # Block system package management
  - action: shell.execute
    command: "apt *"
    effect: deny
    reason: "System package management blocked"

  - action: shell.execute
    command: "yum *"
    effect: deny
    reason: "System package management blocked"

  - action: shell.execute
    command: "pip install *"
    effect: deny
    reason: "Python package installation blocked"

  # Allow specific safe commands
  - action: shell.execute
    command: "npm test"
    effect: allow
    reason: "Test execution permitted"

  - action: shell.execute
    command: "npm run build"
    effect: allow
    reason: "Build execution permitted"

  - action: shell.execute
    command: "npm run lint"
    effect: allow
    reason: "Lint execution permitted"

  - action: "*"
    effect: deny
    reason: "Default deny — all unspecified actions blocked"

Non-Root Execution

Always run agents as non-root users. In containers:

FROM node:20-slim

RUN useradd -m -s /bin/bash -u 1001 agent
USER agent
WORKDIR /home/agent/workspace

RUN npx @authensor/safeclaw

In Docker run:

docker run --user 1001:1001 ...

A non-root agent cannot use sudo even if SafeClaw policies fail — OS-level enforcement is the backstop.

Linux Capability Dropping

Linux capabilities allow fine-grained privilege assignment. Drop all of them:

docker run \
  --cap-drop=ALL \
  --security-opt=no-new-privileges \
  ai-agent:latest

Key capabilities to always drop:

| Capability | Risk |
|---|---|
| CAP_SYS_ADMIN | Mount filesystems, trace processes |
| CAP_NET_ADMIN | Modify network configuration |
| CAP_SYS_PTRACE | Trace and modify other processes |
| CAP_DAC_OVERRIDE | Bypass file permission checks |
| CAP_SETUID | Change process UID |
| CAP_SETGID | Change process GID |
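A way to confirm from inside the container that the drop actually took effect, as an added Python example that is not from this page or from SafeClaw: it decodes the CapEff and CapBnd masks and the NoNewPrivs flag from /proc/self/status, using the bit numbers from <linux/capability.h>, and reports which of the capabilities in the table above are still reachable. The two embedded status excerpts are constructed; the bounding-set mask 00000000a80425fb is the set Docker grants by default. The bounding set is checked alongside the effective set because a non-root process already has an empty effective set without --cap-drop, yet a setuid or file-capability binary could still raise privileges up to the bounding set unless no-new-privileges is on.

```python
import re

# Capability bit numbers as defined in <linux/capability.h>.
CAP_NAMES = {
    0: "CAP_CHOWN", 1: "CAP_DAC_OVERRIDE", 2: "CAP_DAC_READ_SEARCH", 3: "CAP_FOWNER",
    4: "CAP_FSETID", 5: "CAP_KILL", 6: "CAP_SETGID", 7: "CAP_SETUID", 8: "CAP_SETPCAP",
    9: "CAP_LINUX_IMMUTABLE", 10: "CAP_NET_BIND_SERVICE", 11: "CAP_NET_BROADCAST",
    12: "CAP_NET_ADMIN", 13: "CAP_NET_RAW", 14: "CAP_IPC_LOCK", 15: "CAP_IPC_OWNER",
    16: "CAP_SYS_MODULE", 17: "CAP_SYS_RAWIO", 18: "CAP_SYS_CHROOT", 19: "CAP_SYS_PTRACE",
    20: "CAP_SYS_PACCT", 21: "CAP_SYS_ADMIN", 22: "CAP_SYS_BOOT", 23: "CAP_SYS_NICE",
    24: "CAP_SYS_RESOURCE", 25: "CAP_SYS_TIME", 26: "CAP_SYS_TTY_CONFIG", 27: "CAP_MKNOD",
    28: "CAP_LEASE", 29: "CAP_AUDIT_WRITE", 30: "CAP_AUDIT_CONTROL", 31: "CAP_SETFCAP",
    32: "CAP_MAC_OVERRIDE", 33: "CAP_MAC_ADMIN", 34: "CAP_SYSLOG", 35: "CAP_WAKE_ALARM",
    36: "CAP_BLOCK_SUSPEND", 37: "CAP_AUDIT_READ", 38: "CAP_PERFMON", 39: "CAP_BPF",
    40: "CAP_CHECKPOINT_RESTORE",
}

# The capabilities the table on this page says must always be dropped.
MUST_DROP = {"CAP_SYS_ADMIN", "CAP_NET_ADMIN", "CAP_SYS_PTRACE",
             "CAP_DAC_OVERRIDE", "CAP_SETUID", "CAP_SETGID"}

# Constructed /proc/<pid>/status excerpts. The first is a non-root process in a
# container started without --cap-drop or no-new-privileges (bounding set is
# Docker's default mask); the second is the hardened configuration.
SAMPLE_DEFAULT = (
    "Name:\tnode\nUid:\t1001\t1001\t1001\t1001\n"
    "CapInh:\t0000000000000000\nCapPrm:\t0000000000000000\n"
    "CapEff:\t0000000000000000\nCapBnd:\t00000000a80425fb\n"
    "CapAmb:\t0000000000000000\nNoNewPrivs:\t0\n"
)
SAMPLE_HARDENED = (
    "Name:\tnode\nUid:\t1001\t1001\t1001\t1001\n"
    "CapInh:\t0000000000000000\nCapPrm:\t0000000000000000\n"
    "CapEff:\t0000000000000000\nCapBnd:\t0000000000000000\n"
    "CapAmb:\t0000000000000000\nNoNewPrivs:\t1\n"
)


def decode_cap_mask(hex_mask):
    """Turn a CapEff/CapPrm/CapBnd hex mask into the set of capability names."""
    mask = int(hex_mask, 16)
    return {CAP_NAMES.get(bit, "CAP_%d" % bit)
            for bit in range(mask.bit_length()) if (mask >> bit) & 1}


def parse_status(text):
    """Pull the Cap* masks and the NoNewPrivs flag out of /proc/<pid>/status text."""
    fields = {}
    for line in text.splitlines():
        m = re.match(r"(Cap\w+|NoNewPrivs):\s*(\S+)", line)
        if m:
            fields[m.group(1)] = m.group(2)
    return fields


def audit(status_text):
    """Report the effective set, which must-drop caps are still reachable, and NoNewPrivs."""
    fields = parse_status(status_text)
    effective = decode_cap_mask(fields.get("CapEff", "0"))
    bounding = decode_cap_mask(fields.get("CapBnd", "0"))
    return {
        "effective": effective,
        # Anything in the bounding set can come back via setuid/file caps
        # unless no-new-privileges is set, so it counts as still present.
        "still_present": (effective | bounding) & MUST_DROP,
        "no_new_privs": fields.get("NoNewPrivs") == "1",
    }


if __name__ == "__main__":
    try:
        with open("/proc/self/status") as fh:
            samples = {"this process": fh.read()}
    except OSError:  # not on Linux: fall back to the constructed excerpts
        samples = {"default": SAMPLE_DEFAULT, "hardened": SAMPLE_HARDENED}
    for label, text in samples.items():
        result = audit(text)
        print(label, "still_present=%s no_new_privs=%s"
              % (sorted(result["still_present"]), result["no_new_privs"]))
```

Run it as the agent user inside the container; an empty `still_present` set together with `no_new_privs=True` is the state the docker run line above is meant to produce.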

Seccomp Profiles

Seccomp (Secure Computing Mode) restricts which system calls a process can make. Create a custom profile for AI agents:

{
  "defaultAction": "SCMP_ACT_ERRNO",
  "architectures": ["SCMP_ARCH_X86_64"],
  "syscalls": [
    {
      "names": ["read", "write", "open", "close", "stat", "fstat",
                "mmap", "munmap", "brk", "access", "pipe",
                "select", "dup2", "getpid", "getuid",
                "execve", "exit_group", "clock_gettime"],
      "action": "SCMP_ACT_ALLOW"
    }
  ]
}

Apply it:

docker run --security-opt seccomp=agent-seccomp.json ai-agent:latest

This blocks system calls like ptrace (process debugging), mount (filesystem manipulation), reboot, and sethostname.
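An added lint, in Python, for profiles of this shape (not SafeClaw's or Docker's own tooling): it parses the profile above, confirms that the default action denies, that the syscalls the text names as blocked are absent from the allowlist, and warns about one gap a practitioner hits immediately with the list as shown: programs linked against current glibc open files through openat(2), not open(2), so the list above is a starting point to be extended from the workload's observed syscalls rather than a complete profile. The severity labels and helper names are this example's own.

```python
import json

# The profile from this page, embedded so the checks run offline.
AGENT_PROFILE_JSON = """
{
  "defaultAction": "SCMP_ACT_ERRNO",
  "architectures": ["SCMP_ARCH_X86_64"],
  "syscalls": [
    {
      "names": ["read", "write", "open", "close", "stat", "fstat",
                "mmap", "munmap", "brk", "access", "pipe",
                "select", "dup2", "getpid", "getuid",
                "execve", "exit_group", "clock_gettime"],
      "action": "SCMP_ACT_ALLOW"
    }
  ]
}
"""
AGENT_PROFILE = json.loads(AGENT_PROFILE_JSON)

# Syscalls the page says this profile is meant to keep blocked.
MUST_BLOCK = {"ptrace", "mount", "reboot", "sethostname"}

# Default actions that deny; any other defaultAction turns an allowlist into
# a profile that filters nothing it does not explicitly name.
DENY_ACTIONS = {"SCMP_ACT_ERRNO", "SCMP_ACT_KILL", "SCMP_ACT_KILL_PROCESS",
                "SCMP_ACT_KILL_THREAD", "SCMP_ACT_TRAP"}


def allowed_syscalls(profile):
    """Union of every syscall name that carries SCMP_ACT_ALLOW."""
    names = set()
    for entry in profile.get("syscalls", []):
        if entry.get("action") == "SCMP_ACT_ALLOW":
            names.update(entry.get("names", []))
    return names


def lint_profile(profile, must_block=MUST_BLOCK):
    """Return a list of (severity, message) findings; an empty list is a clean profile."""
    findings = []
    default = profile.get("defaultAction")
    if default not in DENY_ACTIONS:
        findings.append(("error", "defaultAction %r does not deny by default" % default))
    if not profile.get("architectures"):
        findings.append(("error", "no architectures listed; the filter will not match any arch"))
    allowed = allowed_syscalls(profile)
    leaked = sorted(allowed & set(must_block))
    if leaked:
        findings.append(("error", "must-block syscalls are allowed: " + ", ".join(leaked)))
    # Current glibc implements open() on top of openat(2); a list that permits
    # only "open" blocks ordinary file access for dynamically linked programs.
    if "open" in allowed and "openat" not in allowed:
        findings.append(("warn", "'open' is allowed but 'openat' is not; modern libc opens files via openat(2)"))
    return findings


def with_allowed(profile, extra):
    """Copy of the profile with an extra SCMP_ACT_ALLOW entry appended (does not mutate input)."""
    new = json.loads(json.dumps(profile))
    new.setdefault("syscalls", []).append({"names": sorted(extra), "action": "SCMP_ACT_ALLOW"})
    return new


if __name__ == "__main__":
    for severity, message in lint_profile(AGENT_PROFILE) or [("ok", "no findings")]:
        print(severity.upper(), message)
    print("allowed:", sorted(allowed_syscalls(AGENT_PROFILE)))
```

Run the lint against every profile revision in CI; an `error` finding means the profile either no longer denies by default or has re-admitted one of the syscalls the text calls out.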

Process Spawn Control

Prevent agents from spawning background processes:

  - action: shell.execute
    command: "nohup *"
    effect: deny
    reason: "Background process spawn blocked"

  - action: shell.execute
    command: "* &"
    effect: deny
    reason: "Background execution blocked"

  - action: shell.execute
    command: "screen *"
    effect: deny
    reason: "Screen session blocked"

  - action: shell.execute
    command: "tmux *"
    effect: deny
    reason: "Tmux session blocked"

  - action: shell.execute
    command: "at *"
    effect: deny
    reason: "Scheduled execution blocked"
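To check that a policy like the two listings above (the privilege-escalation rules and the process-spawn rules) actually gives the intended verdicts before it ships, here is an added Python evaluator that is not part of SafeClaw or this page. It models the rules as an ordered list with first-match, glob-style command matching and an implicit default deny; those semantics are assumptions about SafeClaw's engine, not something the page documents. It runs the escalation vectors from the table and the allowed commands through the combined rule set, and shows that a compound command such as `npm test && sudo ls` is caught by the catch-all rule even though it begins with an allowed command, because the allow patterns are exact strings.

```python
from fnmatch import fnmatchcase

# Rules transcribed from the two policy listings on this page: the
# privilege-escalation rules, then the process-spawn rules, with the page's
# catch-all default-deny rule kept last. Plain dicts stand in for the YAML so
# no parser library is needed.
RULES = [
    {"action": "shell.execute", "command": "sudo *", "effect": "deny", "reason": "Privilege escalation via sudo blocked"},
    {"action": "shell.execute", "command": "su *", "effect": "deny", "reason": "User switching blocked"},
    {"action": "shell.execute", "command": "su", "effect": "deny", "reason": "User switching blocked"},
    {"action": "shell.execute", "command": "chmod +s *", "effect": "deny", "reason": "Setuid modification blocked"},
    {"action": "shell.execute", "command": "chmod u+s *", "effect": "deny", "reason": "Setuid modification blocked"},
    {"action": "shell.execute", "command": "chown root *", "effect": "deny", "reason": "Ownership change to root blocked"},
    {"action": "shell.execute", "command": "setcap *", "effect": "deny", "reason": "Capability modification blocked"},
    {"action": "shell.execute", "command": "crontab *", "effect": "deny", "reason": "Cron modification blocked"},
    {"action": "shell.execute", "command": "apt *", "effect": "deny", "reason": "System package management blocked"},
    {"action": "shell.execute", "command": "yum *", "effect": "deny", "reason": "System package management blocked"},
    {"action": "shell.execute", "command": "pip install *", "effect": "deny", "reason": "Python package installation blocked"},
    {"action": "shell.execute", "command": "nohup *", "effect": "deny", "reason": "Background process spawn blocked"},
    {"action": "shell.execute", "command": "* &", "effect": "deny", "reason": "Background execution blocked"},
    {"action": "shell.execute", "command": "screen *", "effect": "deny", "reason": "Screen session blocked"},
    {"action": "shell.execute", "command": "tmux *", "effect": "deny", "reason": "Tmux session blocked"},
    {"action": "shell.execute", "command": "at *", "effect": "deny", "reason": "Scheduled execution blocked"},
    {"action": "shell.execute", "command": "npm test", "effect": "allow", "reason": "Test execution permitted"},
    {"action": "shell.execute", "command": "npm run build", "effect": "allow", "reason": "Build execution permitted"},
    {"action": "shell.execute", "command": "npm run lint", "effect": "allow", "reason": "Lint execution permitted"},
    {"action": "*", "effect": "deny", "reason": "Default deny - all unspecified actions blocked"},
]

# Constructed inputs: the commands from the escalation-vector table and the
# commands the policy explicitly allows.
ESCALATION_VECTORS = [
    "sudo rm -rf /", "su - root", "chmod +s /tmp/exploit",
    "setcap cap_sys_admin+ep binary", "nohup malicious.sh &",
    "crontab -e", "apt install backdoor",
]
SAFE_COMMANDS = ["npm test", "npm run build", "npm run lint"]


def evaluate(rules, action, command=None):
    """Return (effect, reason) for a request under assumed first-match semantics.

    A rule matches when its action pattern matches the action and, if it has a
    command pattern, that pattern matches the command (shell-style globbing,
    case-sensitive). A request matching no rule is denied even when the
    catch-all rule is missing, so the policy stays deny-by-default.
    """
    for rule in rules:
        if not fnmatchcase(action, rule["action"]):
            continue
        pattern = rule.get("command")
        if pattern is not None and (command is None or not fnmatchcase(command, pattern)):
            continue
        return rule["effect"], rule["reason"]
    return "deny", "No matching rule (implicit default deny)"


def policy_gaps(rules, must_deny, must_allow):
    """List (command, effect) pairs whose verdict differs from the policy's intent."""
    gaps = []
    for cmd in must_deny:
        effect, _ = evaluate(rules, "shell.execute", cmd)
        if effect != "deny":
            gaps.append((cmd, effect))
    for cmd in must_allow:
        effect, _ = evaluate(rules, "shell.execute", cmd)
        if effect != "allow":
            gaps.append((cmd, effect))
    return gaps


if __name__ == "__main__":
    probes = ESCALATION_VECTORS + SAFE_COMMANDS + ["npm test && sudo ls", "sleep 300 &"]
    for cmd in probes:
        effect, reason = evaluate(RULES, "shell.execute", cmd)
        print("%-5s %-40r %s" % (effect, cmd, reason))
    print("gaps:", policy_gaps(RULES, ESCALATION_VECTORS, SAFE_COMMANDS))
```

Keeping `ESCALATION_VECTORS` and `SAFE_COMMANDS` next to the policy and running `policy_gaps` in CI turns the table on this page into a regression test: a later edit that loosens a pattern or reorders the allow rules above a deny shows up as a non-empty gap list.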

Combine with container PID limits:

docker run --pids-limit=50 ai-agent:latest

This caps the total number of processes inside the container, preventing fork bombs.

Defense in Depth Stack

Layer 4: SafeClaw policies       ← Command-level allow/deny
Layer 3: Seccomp profile         ← System call filtering
Layer 2: Capability dropping     ← Privilege restriction
Layer 1: Non-root user           ← UID-level protection
Layer 0: Container isolation     ← Namespace separation

Each layer catches what the layer above misses. SafeClaw's deny-by-default policies are the outermost check; seccomp is the innermost kernel-level enforcement.
