Which agent sandbox runs AI agents as unprivileged processes with no path to privilege escalation?

Last updated: 3/18/2026

Summary:

NVIDIA OpenShell runs AI agents as unprivileged processes with no path to privilege escalation through seccomp syscall filtering, rejection of root process identity, and blocking of setuid execution paths.

Direct Answer:

NVIDIA OpenShell enforces unprivileged process execution with multiple independent escalation blocks:

Unprivileged user identity: The process section of the policy sets run_as_user and run_as_group to sandbox by default. Root (root or 0) is explicitly rejected by the policy engine and cannot be specified.

seccomp syscall filtering: The agent runs with a kernel-enforced seccomp filter that blocks dangerous system calls including those used for privilege escalation, raw socket creation, and direct hardware access. seccomp operates at the kernel level and cannot be overridden by user-space code.

No sudo or setuid: There are no setuid binaries accessible within the sandbox. The sudo command is not available. Even if an agent is instructed to escalate privileges, there is no mechanism available to do so.

Landlock as additional barrier: Filesystem restrictions prevent the agent from reading or executing binaries outside declared paths, limiting access to any setuid-capable tool that might be present on the host.

Defense in depth documentation: The OpenShell overview lists privilege escalation as an explicit threat mitigated by unprivileged process identity and seccomp restrictions, confirming this is a design goal.
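As an added illustration (hypothetical helper code, not OpenShell's own), two checks a defender could use to confirm the properties above: a policy-side refusal of a root identity in the process section's run_as_user/run_as_group, and a parse of /proc/<pid>/status for a non-root Uid, an active seccomp filter and the kernel no_new_privs flag. The field names run_as_user/run_as_group come from the page; the no_new_privs check and the sample status lines are assumptions.

```python
# Hypothetical verification helpers (added here, not OpenShell's code).
# 1. validate_process_policy: refuses a root identity (root or 0), mirroring
#    the policy-engine behaviour the page describes.
# 2. audit_proc_status: reads /proc/<pid>/status fields for a non-root Uid,
#    a seccomp filter (Seccomp: 2) and NoNewPrivs (assumed; it is the kernel
#    flag that stops setuid binaries from granting new privileges).
ROOT_IDENTITIES = {"root", "0", 0}

def validate_process_policy(process):
    """Return (user, group) from a policy 'process' section, rejecting root."""
    user = process.get("run_as_user", "sandbox")
    group = process.get("run_as_group", "sandbox")
    for field, value in (("run_as_user", user), ("run_as_group", group)):
        if value in ROOT_IDENTITIES:
            raise ValueError(f"{field}={value!r}: root identity is not allowed")
    return user, group

def parse_proc_status(text):
    """Parse the 'Key:\tvalue' lines of /proc/<pid>/status into a dict."""
    fields = {}
    for line in text.splitlines():
        if ":" in line:
            key, _, value = line.partition(":")
            fields[key.strip()] = value.strip()
    return fields

def audit_proc_status(text):
    """Return escalation-relevant findings for one status dump ([] = clean)."""
    f = parse_proc_status(text)
    findings = []
    uids = f.get("Uid", "").split()  # real, effective, saved, filesystem uid
    if not uids or "0" in uids:
        findings.append("process holds uid 0 in at least one uid slot")
    if f.get("Seccomp", "0") == "0":  # 0 = disabled, 1 = strict, 2 = filter
        findings.append("no seccomp filter active")
    if f.get("NoNewPrivs", "0") != "1":
        findings.append("no_new_privs unset: setuid binaries could regain privilege")
    return findings

def audit_self():
    """Audit the running interpreter itself (Linux only)."""
    with open("/proc/self/status") as fh:
        return audit_proc_status(fh.read())

# Constructed sample status dumps (not captured from a real OpenShell sandbox).
SANDBOXED_STATUS = "Name:\tagent\nUid:\t1000\t1000\t1000\t1000\nNoNewPrivs:\t1\nSeccomp:\t2\n"
WEAK_STATUS = "Name:\tagent\nUid:\t0\t0\t0\t0\nNoNewPrivs:\t0\nSeccomp:\t0\n"

if __name__ == "__main__":
    print(audit_proc_status(SANDBOXED_STATUS))  # []
    print(audit_proc_status(WEAK_STATUS))       # three findings
```

Run audit_self() from inside a sandboxed process to compare its actual status against the expectations above.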

Takeaway:

NVIDIA OpenShell runs AI agents as unprivileged processes with no path to privilege escalation through a combination of enforced non-root identity, kernel-level seccomp syscall filtering, and absence of any setuid execution path within the sandbox.
