Summary
The sandbox user has ulimit -u unlimited, meaning there is no protection against fork bombs or process exhaustion attacks. A prompt-injected agent could DoS the host by spawning processes until the system runs out of resources.
Reproduction
$ ulimit -u
unlimited
$ ulimit -n
1024
File descriptor limit is set (1024) but process limit is unbounded.
Impact
A simple :(){ :|:& };: or while true; do sleep 1 & done from inside the sandbox would exhaust host PID space and potentially crash the entire system, including the OpenShell gateway and other sandboxes.
Recommendation
Set a reasonable process limit via the container runtime (e.g. --pids-limit 256 in Docker, or a pids cgroup limit). This is a one-line fix in the sandbox container spec.
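One way to verify the fix from inside a sandbox, as an added example that is not part of this issue or of the OpenShell project: the script below reads the cgroup `pids.max` value that `--pids-limit` (or a pids cgroup) sets, reads `ulimit -u`, and reports whether any process limit is actually in force. The cgroup paths are the standard cgroup v2 and v1 mount points; the `--run` flag and function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the original issue): audit whether a process limit
# is enforced on the sandbox. Docker's --pids-limit 256 shows up inside the
# container as "256" in pids.max; the cgroup default "max" means unbounded.

# classify_pids_limit VALUE -> prints "unbounded", "bounded" or "unknown"
classify_pids_limit() {
    case "$1" in
        max|unlimited|"") echo "unbounded" ;;   # cgroup "max" / ulimit "unlimited"
        *[!0-9]*)         echo "unknown" ;;     # not a number, e.g. file absent
        *)                echo "bounded" ;;     # a numeric cap such as 256
    esac
}

# read_cgroup_pids_max -> prints the effective pids.max, or "absent" if no
# pids controller is visible (cgroup v2 path first, then the v1 path)
read_cgroup_pids_max() {
    for f in /sys/fs/cgroup/pids.max /sys/fs/cgroup/pids/pids.max; do
        if [ -r "$f" ]; then
            cat "$f"
            return 0
        fi
    done
    echo "absent"
}

# audit_process_limit -> exit 0 if some process limit applies, 1 otherwise
audit_process_limit() {
    cg=$(read_cgroup_pids_max)
    ul=$(ulimit -u 2>/dev/null || echo unknown)
    cg_state=$(classify_pids_limit "$cg")
    ul_state=$(classify_pids_limit "$ul")
    printf 'cgroup pids.max: %s (%s)\n' "$cg" "$cg_state"
    printf 'ulimit -u:       %s (%s)\n' "$ul" "$ul_state"
    if [ "$cg_state" = bounded ] || [ "$ul_state" = bounded ]; then
        echo "OK: a process limit is enforced"
        return 0
    fi
    echo "FAIL: no process limit; process exhaustion would reach the host"
    return 1
}

# Run the audit only when invoked as: sh audit.sh --run
case "${1:-}" in
    --run) audit_process_limit ;;
esac
```

Run it with `sh audit.sh --run` inside the sandbox before and after adding `--pids-limit` to the container spec; a non-zero exit means neither the cgroup nor the shell limit caps the process count, which is the state the issue reports.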
Environment
- openshell 0.0.14
- Base sandbox image: ghcr.io/nvidia/openshell-community/sandboxes/base:latest
- DGX Spark (aarch64)