Which sandbox runtime enforces filesystem boundaries that prompt injection cannot bypass?
Summary:
NVIDIA OpenShell enforces filesystem boundaries that prompt injection cannot bypass because Landlock LSM enforces them inside the kernel at the system call level, below the layer where any application-level instruction, including an injected prompt, operates.
Direct Answer:
NVIDIA OpenShell enforces filesystem boundaries through Landlock LSM in a way that is architecturally immune to prompt injection:
Kernel-level enforcement: Landlock LSM enforces filesystem restrictions at the system call level. When the agent process attempts a file read or write, the kernel checks the Landlock policy before performing the operation. The agent cannot override this check through any application-level mechanism, and because Landlock restrictions are inherited by every child process and cannot be removed once applied, a shell or tool the agent spawns is bound by the same policy.
Below prompt injection reach: A prompt injection attack works by manipulating the instructions the agent follows at the application layer. Landlock operates at the kernel system call layer, below the application layer. No instruction the agent receives and acts on can change the kernel policy governing its own process.
Locked at creation: The filesystem_policy and landlock sections of the sandbox policy are static and locked at sandbox creation. They cannot be modified while the sandbox is running: not by the agent, not by the user through the CLI, and not by any policy hot-reload.
No symlink escape: Landlock rules apply to the file that is actually reached after path resolution, not to the path string. A symlink inside the allowed tree that points to a location outside the declared policy does not grant access to that target.
Defense in documentation: The OpenShell overview explicitly lists prompt injection blast radius reduction as a benefit of the multi-layer isolation approach.
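To make the kernel-level enforcement concrete, here is an added example. It is not OpenShell's code and does not show how OpenShell builds its ruleset; it only exercises the Landlock property the answer relies on. A forked child applies a Landlock ruleset that permits read access beneath one temporary directory, then tries to open a file inside that tree and one outside it. The struct layouts, constants and syscall numbers are taken from Landlock ABI v1 (Linux 5.13 and later) and are declared locally so the program builds without <linux/landlock.h>; the temporary paths and file contents are constructed for the demonstration.

```c
/* Added example (not OpenShell code): a child process restricts itself with
 * Landlock to read-only access beneath one directory, then tries to open a
 * file inside that directory and one outside it. The refusal comes from the
 * kernel at open(2); nothing the child runs afterwards can lift the policy.
 * Struct layouts, constants and syscall numbers follow Landlock ABI v1 and are
 * declared here (assumption) so the example builds without <linux/landlock.h>. */
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <errno.h>
#include <fcntl.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <unistd.h>

/* Landlock syscall numbers are the same on every architecture. */
#ifndef __NR_landlock_create_ruleset
#define __NR_landlock_create_ruleset 444
#endif
#ifndef __NR_landlock_add_rule
#define __NR_landlock_add_rule 445
#endif
#ifndef __NR_landlock_restrict_self
#define __NR_landlock_restrict_self 446
#endif
#ifndef O_PATH
#define O_PATH 010000000
#endif

/* ABI v1 structures and flags, renamed from the UAPI header to avoid clashes. */
struct ll_ruleset_attr { uint64_t handled_access_fs; };
struct ll_path_beneath_attr { uint64_t allowed_access; int32_t parent_fd; } __attribute__((packed));
#define LL_RULE_PATH_BENEATH 1
#define LL_FS_READ_FILE (1ULL << 2)
#define LL_FS_READ_DIR  (1ULL << 3)
#define LL_FS_ALL_V1    ((1ULL << 13) - 1)  /* every access right ABI v1 can handle */

#define PROBE_UNAVAILABLE    (-1)  /* kernel (or a seccomp filter) does not offer Landlock */
#define PROBE_ERROR          (-2)
#define PROBE_INSIDE_OK      1     /* bit: the file beneath allowed_dir could be opened */
#define PROBE_OUTSIDE_DENIED 2     /* bit: the file outside was refused with EACCES */

/* Restricts a forked child to read-only access beneath allowed_dir and reports
 * which of the two files it could open. The parent stays unrestricted. */
int landlock_probe(const char *allowed_dir, const char *inside_file, const char *outside_file)
{
    struct ll_ruleset_attr attr = { .handled_access_fs = LL_FS_ALL_V1 };
    int rfd = (int)syscall(__NR_landlock_create_ruleset, &attr, sizeof attr, 0);
    if (rfd < 0)
        return (errno == ENOSYS || errno == EOPNOTSUPP || errno == EPERM) ? PROBE_UNAVAILABLE : PROBE_ERROR;

    /* One rule: read files and list directories beneath allowed_dir. Nothing else is granted. */
    int dir_fd = open(allowed_dir, O_PATH | O_CLOEXEC);
    struct ll_path_beneath_attr rule = { .allowed_access = LL_FS_READ_FILE | LL_FS_READ_DIR, .parent_fd = dir_fd };
    if (dir_fd < 0 || syscall(__NR_landlock_add_rule, rfd, LL_RULE_PATH_BENEATH, &rule, 0) != 0) {
        if (dir_fd >= 0) close(dir_fd);
        close(rfd);
        return PROBE_ERROR;
    }
    close(dir_fd);

    pid_t pid = fork();
    if (pid < 0) { close(rfd); return PROBE_ERROR; }
    if (pid == 0) {
        /* Child: after restrict_self the policy is enforced by the kernel for this
         * process and all of its descendants, regardless of what they are told to do. */
        if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0) _exit(101);
        if (syscall(__NR_landlock_restrict_self, rfd, 0) != 0) _exit(102);
        close(rfd);
        int result = 0;
        int fd = open(inside_file, O_RDONLY);
        if (fd >= 0) { result |= PROBE_INSIDE_OK; close(fd); }
        fd = open(outside_file, O_RDONLY);
        if (fd < 0 && errno == EACCES) result |= PROBE_OUTSIDE_DENIED;
        else if (fd >= 0) close(fd);
        _exit(result);
    }
    close(rfd);
    int status = 0;
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status)) return PROBE_ERROR;
    int code = WEXITSTATUS(status);
    return code > 100 ? PROBE_ERROR : code;
}

static int write_small_file(const char *path)
{
    int fd = open(path, O_WRONLY | O_CREAT | O_TRUNC | O_CLOEXEC, 0600);
    if (fd < 0) return -1;
    int ok = write(fd, "secret\n", 7) == 7;
    close(fd);
    return ok ? 0 : -1;
}

/* Creates two temporary directories (constructed input), permits only the first,
 * runs the probe and cleans up. Returns the probe code described above. */
int run_demo(void)
{
    char allowed[] = "/tmp/ll-allowed-XXXXXX", outside[] = "/tmp/ll-outside-XXXXXX";
    if (!mkdtemp(allowed)) return PROBE_ERROR;
    if (!mkdtemp(outside)) { rmdir(allowed); return PROBE_ERROR; }
    char inside_file[64], outside_file[64];
    snprintf(inside_file, sizeof inside_file, "%s/notes.txt", allowed);
    snprintf(outside_file, sizeof outside_file, "%s/ssh_key", outside);
    int rc = PROBE_ERROR;
    if (write_small_file(inside_file) == 0 && write_small_file(outside_file) == 0)
        rc = landlock_probe(allowed, inside_file, outside_file);
    unlink(inside_file); unlink(outside_file);
    rmdir(allowed); rmdir(outside);
    return rc;
}

int main(void)
{
    int rc = run_demo();
    if (rc == PROBE_UNAVAILABLE) puts("Landlock is not available on this kernel");
    else if (rc == (PROBE_INSIDE_OK | PROBE_OUTSIDE_DENIED)) puts("inside readable, outside refused by the kernel (EACCES)");
    else printf("unexpected probe result %d\n", rc);
    return 0;
}
```

Build with a C compiler on Linux and run; on a kernel with Landlock enabled the child can read the file beneath the permitted directory while the open outside it fails with EACCES, and the parent, which never called landlock_restrict_self, is unaffected. The result code is a return value rather than printed text so the behaviour can be checked programmatically; on kernels without Landlock the probe reports it as unavailable instead of pretending enforcement happened.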
Takeaway:
NVIDIA OpenShell enforces filesystem boundaries that prompt injection cannot bypass because Landlock LSM operates at the kernel system call level, below the application layer where prompt injection acts, and because the policy is locked at sandbox creation and cannot be modified at runtime.