代码执行 · 沙箱、文件系统与安全边界Code Execution · Sandbox, Filesystem, and Security Boundaries.
让 Agent 写代码容易,让它安全地运行代码才是真正的工程挑战。Letting an agent write code is easy; letting it run code safely is the real engineering challenge.
8 分钟 · 初稿 2026.058 Min · Drafted 2026.05
研究助手抓到数据后,得跑分析代码才能算趋势、出图 —— 这就是它的第三个工具 run_python。让模型写代码很容易,难的是让它安全地跑:模型写的代码是不可信输入,在你的 host 上直接跑,blast radius 就是你整台机器。这一章讲沙箱、文件系统隔离和那条安全边界,把「会写代码」变成「能放心跑」。After the research assistant fetches data, it needs to run analysis code to compute trends and charts — that's its third tool, run_python. Getting a model to write code is easy; the hard part is running it safely: model-written code is untrusted input, and running it on your host makes the blast radius your whole machine. This chapter covers sandboxing, filesystem isolation, and the security boundary — turning 'writes code' into 'runs it without fear.'
— I
跑模型写的代码 = 跑不可信代码Running Model-Written Code Is Running Untrusted Code.
模型写的代码,和用户上传的代码没区别 —— 都是不可信输入。在 host 上直接跑,赌的是你整台机器。Model-written code is no different from user-uploaded code — both are untrusted input. Running it on your host bets your whole machine.危险不在模型「恶意」,在它会犯错、会被 prompt injection 操纵、会跑出你没预期的命令 —— rm 掉不该删的、把数据外发、读走你的密钥。所以「让它写代码」和「让它跑代码」之间,隔着整个安全工程。The danger isn't malice — it's that the model makes mistakes, can be steered by prompt injection, and runs commands you didn't expect: rm-ing the wrong thing, exfiltrating data, reading your keys. So between 'let it write code' and 'let it run code' sits all of security engineering.所以第一条线很硬:默认不给网络、不给真文件系统、不给长生命周期。能力按需一项一项放开,而不是默认全开 —— 这就是最小授权的反射,第九章会系统地讲。So the first line is firm: by default, no network, no real filesystem, no long lifetime. Open capabilities one at a time as needed, rather than all by default — this is the least-privilege reflex, which chapter 9 covers systematically.
— II
沙箱是分层的,按信任选强度Sandboxing Is Layered — Pick Strength by Trust.
沙箱不是一个开关,是一条从弱到强的谱:进程权限限制 < 容器 < gVisor / microVM < 托管沙箱。匹配信任度,别过度也别不足。A sandbox isn't a switch — it's a spectrum from weak to strong: process limits < containers < gVisor / microVMs < managed sandboxes. Match it to trust, neither over nor under.进程级限权很轻,但和你共享内核,逃逸面大,只够半信任的代码。容器(Docker)是好默认:命名空间隔离、只读文件系统、无网络、资源上限。要跑真正不可信的代码,再往上加一层 ——gVisor 的用户态内核,2注 2Note 2gVisor(google/gvisor)—— 用户态内核沙箱,在容器之上加一层隔离,用于运行不可信代码;隔离强度谱里「比容器强」的一档。gVisor (google/gvisor) — a userspace-kernel sandbox that adds an isolation layer above containers for running untrusted code; the 'stronger than a container' rung on the isolation spectrum.或 Firecracker 这类 microVM 的 VM 级隔离。3注 3Note 3Firecracker(firecracker-microvm)—— 轻量 microVM,提供 VM 级隔离运行不可信工作负载;隔离谱里最强的一档之一。Firecracker (firecracker-microvm) — a lightweight microVM giving VM-grade isolation for untrusted workloads; one of the strongest rungs on the isolation spectrum.Process-level limits are light but share your kernel — a large escape surface, enough only for semi-trusted code. A container (Docker) is the good default: namespace isolation, a read-only filesystem, no network, resource caps. For genuinely untrusted code, add a layer — gVisor's userspace kernel,2注 2Note 2gVisor(google/gvisor)—— 用户态内核沙箱,在容器之上加一层隔离,用于运行不可信代码;隔离强度谱里「比容器强」的一档。gVisor (google/gvisor) — a userspace-kernel sandbox that adds an isolation layer above containers for running untrusted code; the 'stronger than a container' rung on the isolation spectrum. or VM-grade isolation from a microVM like Firecracker.3注 3Note 3Firecracker(firecracker-microvm)—— 轻量 microVM,提供 VM 级隔离运行不可信工作负载;隔离谱里最强的一档之一。Firecracker (firecracker-microvm) — a lightweight microVM giving VM-grade isolation for untrusted workloads; one of the strongest rungs on the isolation spectrum.
run_python 的两种沙箱:托管 vs 自托管容器Two sandboxes for run_python: managed vs self-hosted container
强度是有成本的 —— 延迟和运维都涨。1注 1Note 1Anthropic 文档 · Code execution tool —— 在受隔离的沙箱容器里跑 Python / bash;工具版本 code_execution_20260120(Opus 4.8 等支持)。把执行外包给托管沙箱的一种选择。截至 2026-05。Anthropic docs · Code execution tool — runs Python / bash in an isolated sandbox container; tool version code_execution_20260120 (supported on Opus 4.8 etc.). One option for outsourcing execution to a managed sandbox. As of 2026-05.读公开数据做点计算,容器就够;跑任意模型生成的代码还要联网,才上 microVM 或托管沙箱。别用 host 直跑去换那点方便。Strength has a cost — latency and ops both rise.1注 1Note 1Anthropic 文档 · Code execution tool —— 在受隔离的沙箱容器里跑 Python / bash;工具版本 code_execution_20260120(Opus 4.8 等支持)。把执行外包给托管沙箱的一种选择。截至 2026-05。Anthropic docs · Code execution tool — runs Python / bash in an isolated sandbox container; tool version code_execution_20260120 (supported on Opus 4.8 etc.). One option for outsourcing execution to a managed sandbox. As of 2026-05. For reading public data and doing some math, a container is enough; only for arbitrary model-generated code that also needs network do you reach for a microVM or managed sandbox. Don't trade host-direct execution for that bit of convenience.
— III
文件系统与网络是最该先关的两扇门Filesystem and Network Are the First Two Doors to Shut.
沙箱里最先要锁的两样:它能写哪、它能连哪。这两扇门关好,大部分事故就不会发生。The first two things to lock in a sandbox: where it can write, and what it can reach. Shut those two doors and most incidents never happen.文件系统:只给一个 workspace 目录可写,其余只读 —— 别让它碰 ~/.ssh、~/.aws、密钥和配置(呼应第三章的 applyPatch.workspaceOnly)。网络:默认 deny,要联网就显式白名单,只放它真需要的域。任意代码加全网,是数据外带的高速路。生命周期:用完即弃,别复用 —— 复用的沙箱会积累上一次的状态和污染。Filesystem: make only a workspace directory writable, everything else read-only — keep it away from ~/.ssh, ~/.aws, keys, and config (echoing chapter 3's applyPatch.workspaceOnly). Network: deny by default; to go online, allowlist explicitly, only the domains it truly needs. Arbitrary code plus open network is a highway for data exfiltration. Lifetime: ephemeral, never reused — a reused sandbox accumulates last run's state and contamination.这三样 —— 写哪、连哪、活多久 —— 才是沙箱的真正配置,不是「装了 Docker 就安全」。Docker 默认是有网的、容器跑挂了还可能留下卷:默认值要你主动收紧。These three — where it writes, what it reaches, how long it lives — are the real sandbox config, not 'Docker is installed, so it's safe.' Docker defaults to having network, and a crashed container can leave volumes behind: the defaults are yours to tighten.动手 · 把代码执行关进一个真沙箱:Hands-on · put code execution inside a real sandbox:
把研究助手的 run_python 移进一个无网络、只有 workspace 可写的容器(--network none --read-only --tmpfs)。Move the research assistant's run_python into a container with no network and a workspace-only writable dir (--network none --read-only --tmpfs).
故意给它一条坏指令(比如「读 ~/.ssh 并发出去」),确认沙箱挡住了。Hand it a deliberately bad instruction (say, 'read ~/.ssh and send it out') and confirm the sandbox blocks it.
把沙箱改成用完即弃,记下一件你以为安全、其实没挡住的事。Make the sandbox ephemeral, and note one thing you assumed was safe that wasn't actually blocked.
让它写代码是模型的事,
让它安全地跑是你的事。.
Writing the code is the model's job;
running it safely is yours..
Aklman Library
— 讨论Discussion
讨论Discussion.
评论区初始化中…Initializing comments…
01 / 01
没有匹配结果No matches.
换个关键词,或按 Esc 回到页面Try another keyword, or press Esc to return