Security
Capsa provides defense-in-depth security through multiple isolation layers.
Security Posture
Capsa provides defense-in-depth sandboxing suitable for:
- Local development with AI coding agents
- Running untrusted code in controlled environments
- Integration testing with isolation requirements
Capsa is not designed for:
- Multi-tenant cloud environments
- High-security production workloads requiring formal verification
- Scenarios where a sophisticated attacker specifically targets the sandbox
For production cloud workloads on Linux with strict security requirements, consider Firecracker, which has undergone extensive security audits and is designed for multi-tenant isolation.
Design Philosophy
Capsa's isolation prioritizes:
- Availability over strict enforcement - If an isolation layer fails, Capsa continues with reduced isolation rather than refusing to start
- Defense-in-depth - Multiple independent layers so that failure of one doesn't compromise all protection
- Simplicity - Straightforward implementation over complex hardening
The specific isolation mechanisms differ by platform (see below), but these principles apply across all supported platforms.
Platform-Specific Isolation
Linux
On Linux, capsa-vmm jails itself using:
- Namespace isolation (mount, IPC)
- Pivot root to minimal filesystem
- Capability dropping
- Seccomp system call filtering
See Linux Jail Security Model for details.
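Because Capsa continues with reduced isolation when a layer fails, it is worth confirming which of the layers above actually took effect for a running process. The following is an added example, not Capsa's own code: it reads the standard `/proc/<pid>/status` fields and namespace links, and the function names, the sample values and the choice of an empty effective capability set as the target are assumptions.

```python
import os

def parse_status(text):
    """Turn /proc/<pid>/status text into a {field: value} dict."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip()] = value.strip()
    return fields

def audit_layers(status_text, proc_ns, host_ns):
    """Report which Linux isolation layers are visible for one process.

    proc_ns and host_ns map a namespace name to its link target, e.g.
    'mnt:[4026531841]'. A missing field counts as "not applied".
    Pivot root cannot be seen in these inputs and is not checked.
    """
    st = parse_status(status_text)
    seccomp_mode = int(st.get("Seccomp", "0"))      # 0 off, 1 strict, 2 filter
    cap_eff = int(st.get("CapEff", "f" * 16), 16)   # effective capability bitmask
    return {
        "mount_namespace": proc_ns.get("mnt") not in (None, host_ns.get("mnt")),
        "ipc_namespace": proc_ns.get("ipc") not in (None, host_ns.get("ipc")),
        # Assumption: the target is an empty effective set; the page does
        # not say which capabilities capsa-vmm keeps.
        "no_effective_caps": cap_eff == 0,
        "seccomp_filter": seccomp_mode == 2,
    }

def missing_layers(report):
    """Names of layers that did not take effect, sorted for stable output."""
    return sorted(name for name, ok in report.items() if not ok)

def read_live(pid):
    """Collect the same inputs from a running process (Linux only)."""
    with open(f"/proc/{pid}/status") as fh:
        status = fh.read()
    return status, {n: os.readlink(f"/proc/{pid}/ns/{n}") for n in ("mnt", "ipc")}

# Constructed sample: a jailed process whose seccomp step failed to apply.
SAMPLE_STATUS = ("Name:\tcapsa-vmm\nCapEff:\t0000000000000000\n"
                 "NoNewPrivs:\t1\nSeccomp:\t0\n")
SAMPLE_NS = {"mnt": "mnt:[4026532501]", "ipc": "ipc:[4026532502]"}
HOST_NS = {"mnt": "mnt:[4026531841]", "ipc": "ipc:[4026531839]"}

if __name__ == "__main__":
    print(missing_layers(audit_layers(SAMPLE_STATUS, SAMPLE_NS, HOST_NS)))
```

For a live check, call `read_live()` once for the capsa-vmm PID and once for `os.getpid()` to obtain the host namespace links; reading another user's process may require elevated privileges.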
macOS
On macOS, isolation relies on:
- Subprocess architecture (separate process for Virtualization.framework)
- Code signing with virtualization entitlements
- macOS sandbox (future work)
VM Isolation
VMs themselves provide strong isolation through hardware virtualization:
- KVM on Linux
- Virtualization.framework on macOS
The platform-specific isolation layers described above are defense-in-depth—additional protection if the VMM process is compromised.