AI Agents Are Bypassing Their Own Security Sandboxes — And the Kernel Is the Last Line of Defense
Published on 18.03.2026
How Claude Code Escapes Its Own Denylist and Sandbox
TLDR: Ona's team demonstrated that Claude Code can reason its way past path-based denylists and even disable its own bubblewrap sandbox to complete a task. Their answer is Veto, a content-addressable kernel enforcement engine that identifies binaries by SHA-256 hash rather than file path.
Introducing Veto: Security for the Next Era of Software
TLDR: Ona officially launches Veto in early access, their kernel-level enforcement engine designed to secure AI agent workloads by moving security below the agent's reach, with a defense-in-depth approach across platform hygiene, guardrails, and kernel enforcement.