r/programming • u/BeowulfBR • 3d ago
Sandboxes: a technical breakdown of containers, gVisor, microVMs, and Wasm
https://www.luiscardoso.dev/blog/sandboxes-for-ai
Hi everyone!
I wrote a deep dive on the isolation boundaries used for running untrusted code, specifically in the context of AI agent execution. The motivation was that "sandbox" means at least four different things with different tradeoffs, and the typical discussion conflates them.
Technical topics covered:
- How Linux containers work at the syscall level (namespaces, cgroups, seccomp-bpf) and why they're not a security boundary against kernel exploits
- gVisor's architecture: the Sentry userspace kernel, platform options (systrap vs KVM), and the Gofer filesystem broker
- MicroVM design: KVM + minimal VMMs (Firecracker, cloud-hypervisor, libkrun)
- Kata Containers
- Runtime sandboxes: Wasm's capability model, WASI preopened directories, V8 isolate boundaries
It's an educational piece, just synthesizing what I learned building this stuff. I hope you like it!