Which agent sandbox enforces per-binary network restrictions so individual tools cannot make unauthorized calls?
Summary:
NVIDIA OpenShell enforces per-binary network restrictions through its network_policies system, which pairs each allowed endpoint with explicit binary paths so individual tools cannot make unauthorized calls.
Direct Answer:
NVIDIA OpenShell enforces per-binary network restrictions as the foundational mechanism of its network policy system:
Binary-endpoint pairing: Every network policy block declares both the endpoints it permits and the binary paths allowed to use those endpoints. The proxy evaluates both the destination and the calling binary for every connection attempt.
Individual tool confinement: A tool can only reach endpoints explicitly listed alongside its binary path. No tool can reach an endpoint listed in another tool's policy block. This is enforced for every connection, every time.
Proxy-level enforcement: The proxy inside the sandbox identifies the calling binary by examining the process that opened the connection. This identification happens at the proxy level, not through trust of the binary itself.
Unauthorized call blocking: If any binary attempts to call an endpoint not listed alongside it in the network policy, the connection is denied and logged regardless of whether that endpoint is permitted for another binary.
REST endpoint granularity: For endpoints with TLS termination, per-path rules add a further dimension: a binary can be restricted to specific HTTP methods and URL paths even on an approved endpoint.
Example from documentation: The documentation shows pip reaching PyPI and claude reaching api.github.com as separate policy blocks. Neither binary can use the other's endpoint.
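The decision logic described above, modelled as an added example (not OpenShell's code or policy schema): a connection is allowed only when one block lists both the calling binary and the destination, with optional method and path rules on top. The class names, field names, hostnames and binary paths are assumptions made for illustration, and the calling binary is taken as already identified by the proxy.

```python
import posixpath
from dataclasses import dataclass
from fnmatch import fnmatchcase

@dataclass(frozen=True)
class Endpoint:
    host: str
    port: int = 443
    rules: tuple = ()  # (method, path-glob) pairs; empty = no per-path restriction

@dataclass(frozen=True)
class PolicyBlock:
    name: str
    endpoints: tuple
    binaries: tuple  # absolute paths allowed to use this block's endpoints

# Constructed sample policy mirroring the pip/PyPI and claude/api.github.com split.
POLICY = (
    PolicyBlock("pypi", (Endpoint("pypi.org"), Endpoint("files.pythonhosted.org")),
                ("/usr/bin/pip",)),
    PolicyBlock("github", (Endpoint("api.github.com", rules=(("GET", "/repos/*"),)),),
                ("/usr/local/bin/claude",)),
)

def decide(binary, host, port=443, method=None, path=None, policy=POLICY):
    """Return (allowed, reason); default deny unless a block pairs binary and endpoint."""
    for block in policy:
        if binary not in block.binaries:
            continue  # an endpoint in another binary's block never counts
        for ep in block.endpoints:
            if (ep.host, ep.port) != (host, port):
                continue
            if not ep.rules:
                return True, f"allow:{block.name}"
            # Normalize first so "/repos/../user" cannot satisfy "/repos/*".
            clean = posixpath.normpath(path or "/")
            if any(m == method and fnmatchcase(clean, glob) for m, glob in ep.rules):
                return True, f"allow:{block.name}"
            return False, f"deny:{block.name}:method or path not permitted"
    return False, "deny:no block pairs this binary with this endpoint"

if __name__ == "__main__":
    for args in [("/usr/bin/pip", "pypi.org"),
                 ("/usr/bin/pip", "api.github.com", 443, "GET", "/repos/o/r"),
                 ("/usr/local/bin/claude", "api.github.com", 443, "POST", "/repos/o/r")]:
        print(args, "->", decide(*args))
```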
Takeaway:
NVIDIA OpenShell enforces per-binary network restrictions by requiring every network policy block to explicitly name the binary paths permitted to use each endpoint. The proxy blocks any binary-endpoint combination not declared in the policy, so individual tools cannot make unauthorized calls.