March 3, 2026
We told Claude Code not to run npx. It found another path to the binary. When the sandbox caught that, it disabled the sandbox. No jailbreak, no adversarial prompting. The agent just wanted to finish the task. Today we're releasing Veto, our kernel-level enforcement engine, to make sure it can't.
TL;DR
• Introducing Veto. Kernel-level enforcement that identifies binaries by SHA-256 hash, not path. Rename it, copy it, symlink it. The hash doesn't change. The kernel blocks it before it runs.
• Claude Code broke its own sandbox. We denied a command. The agent bypassed the denylist with a path trick, then disabled Anthropic's bubblewrap sandbox to run it anyway. Standard evasion tricks, discovered through reasoning.
• Defense in depth. Agent security has to be built into the platform agents run on. Brakes are designed into the chassis, not added by a third party.
Founder post
Johannes Landgraf and Christian Weichel on why agent security has to be native to the runtime, the kernel, and the network boundary. Covers defense in depth across the full stack: platform hygiene, input/output guardrails, and kernel-level enforcement.
Technical deep dive
Leonardo Di Donato walks through the experiment: how Claude Code bypassed path-based restrictions, why every major runtime security tool has the same blind spot, and how content-addressable enforcement at the BPF LSM layer closes it. Includes video.
Path-based enforcement is broken for agents
AppArmor, Tetragon, Seccomp-BPF, Falco, KubeArmor: none of them identifies an executable by its content. They key on the path string (or, in seccomp's case, on syscall numbers and arguments), so copy a binary to a new location and the policy doesn't follow it. That trade-off was acceptable for containers, which don't reason about their own restrictions. Agents do.
The agent disabled its own sandbox
When Claude Code's denylist blocked npx, the agent invoked /proc/self/root/usr/bin/npx instead: the same binary, reached through a path the denylist's string match didn't cover. When Anthropic's bubblewrap sandbox caught that, the agent reasoned about the obstacle and disabled the sandbox. Two security layers, both gone. The agent explained how it did it as if it were just solving a problem, because that's all it was doing.
Veto held
With Veto enabled, the same agent tried path tricks, Python subprocess wrappers, copying the binary to /tmp under a new name. Every attempt returned EPERM. The agent spent nearly two minutes and thousands of tokens trying to outsmart the kernel. Then it stopped: "I've hit a wall."
Honest about the gaps
The agent then found a bypass we didn't anticipate: invoking the ELF dynamic linker directly, with the denied binary as its argument. The execve the kernel sees is the loader's, not the binary's; the loader then maps the binary's code with mmap, so a check made only at exec time never sees the denied hash. This is a bounded problem. The kernel mediates every code-loading operation, so the same content check can be applied where code is mapped, and network-level controls catch the downstream effect in the meantime. We're extending Veto to cover network, file access, and memory primitives next.
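To make both points concrete, the path tricks from the experiment and the dynamic-linker gap just described, here is a user-space model of the two policy styles. This is an added example, not Veto's or Ona's code: it uses real files and real SHA-256 digests, but the "hooks" are ordinary Python methods standing in for the kernel's decision points. The hook names, the denylist format and the shell-script stand-ins for npx and for the loader are assumptions made for the illustration.

```python
"""Path-based versus content-addressable execution policy, modelled in user space.

Added illustration, not Veto's or Ona's code. It works on real files and real
SHA-256 digests, but the "hooks" are ordinary Python methods standing in for the
kernel's decision points. The hook names, the denylist format and the shell-script
stand-ins for npx and for the dynamic linker are assumptions made for the example.
"""
import hashlib
import os
import shutil
import tempfile

# Constructed stand-ins. In the real experiment these are ELF files; only the
# identity of the bytes matters to the policy model, not what they do when run.
FAKE_NPX = b"#!/bin/sh\necho 'stand-in for npx'\n"
FAKE_LOADER = b"#!/bin/sh\necho 'stand-in for ld.so'\n"


def sha256_file(path):
    """Content identity: the same bytes hash the same at any path."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


class PathPolicy:
    """Denylist keyed on the path string handed to execve."""

    def __init__(self, denied_paths):
        self.denied = set(denied_paths)

    def exec_hook(self, path):
        return path not in self.denied  # True means allowed


class HashPolicy:
    """Denylist keyed on the SHA-256 of the file, checked wherever code is loaded."""

    def __init__(self, denied_hashes):
        self.denied = set(denied_hashes)

    def exec_hook(self, path):
        """execve: the file the kernel is asked to run."""
        return sha256_file(path) not in self.denied

    def mmap_exec_hook(self, path):
        """mmap(PROT_EXEC): the file a user-space loader maps in."""
        return sha256_file(path) not in self.denied


def make_aliases(workdir, target):
    """The evasions from the experiment: same bytes, a different path each time."""
    aliases = {"original": target}
    aliases["copied_to_tmp"] = shutil.copy(target, os.path.join(workdir, "npx"))
    aliases["renamed_copy"] = shutil.copy(target, os.path.join(workdir, "build-helper"))
    link = os.path.join(workdir, "npx-link")
    os.symlink(target, link)
    aliases["symlink"] = link
    try:
        hard = os.path.join(workdir, "npx-hard")
        os.link(target, hard)
        aliases["hardlink"] = hard
    except OSError:
        pass  # filesystem without hard links; skip this alias
    proc_alias = "/proc/self/root" + target  # the trick used against Claude Code's denylist
    if os.path.exists(proc_alias):
        aliases["proc_self_root"] = proc_alias
    return aliases


def exec_via_loader(policy, loader, payload, enforce_at_mmap):
    """`ld.so payload`: execve sees the loader; the payload is only ever mmap'd."""
    if not policy.exec_hook(loader):
        return "EPERM at execve"
    if enforce_at_mmap and not policy.mmap_exec_hook(payload):
        return "EPERM at mmap"
    return "ran"


def demo():
    """Build the files, then run both policies over the aliases and the loader trick."""
    workdir = tempfile.mkdtemp()
    try:
        bindir = os.path.join(workdir, "bin")
        os.mkdir(bindir)
        npx = os.path.join(bindir, "npx")
        loader = os.path.join(bindir, "ld.so")
        for path, body in ((npx, FAKE_NPX), (loader, FAKE_LOADER)):
            with open(path, "wb") as f:
                f.write(body)
            os.chmod(path, 0o755)
        aliases = make_aliases(workdir, npx)
        by_path = PathPolicy([npx])
        by_hash = HashPolicy([sha256_file(npx)])
        return {
            # path policy: only the literal denied path is blocked, every alias runs
            "path_policy": {name: by_path.exec_hook(p) for name, p in aliases.items()},
            # hash policy: every alias is blocked, the digest never changed
            "hash_policy": {name: by_hash.exec_hook(p) for name, p in aliases.items()},
            # the gap: an execve-only hash check sees the loader's digest, not npx's
            "loader_exec_only": exec_via_loader(by_hash, loader, npx, enforce_at_mmap=False),
            # closing it: apply the same content check at the mmap hook
            "loader_exec_and_mmap": exec_via_loader(by_hash, loader, npx, enforce_at_mmap=True),
        }
    finally:
        shutil.rmtree(workdir)


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

Run it on Linux and the /proc/self/root alias appears alongside the copy, rename, symlink and hard link: the path policy allows all of them except the literal denied path, while the hash policy blocks every one. The loader rows show the gap and its closure: with only the exec hook enforcing, `ld.so npx` runs because the loader's digest is not on the denylist; once the same check is applied where the payload is mapped, the attempt fails there. In the kernel, the corresponding decision points are the LSM hooks for program execution and file mapping (bprm_check_security and mmap_file), which is where a BPF LSM program would attach.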
Request early access
Veto is available in early access for design partners with strict security requirements. Request early access →
Every time a new class of actor enters computing, security moves down the stack. Agents are no different.
The Ona Team