Skip to content

[Security] SIGKILL analog needs real process-level isolation #77

New issue
New issue
Closed
#90
Closed
[Security] SIGKILL analog needs real process-level isolation#77
#90
Labels
enhancementNew feature or requestsecuritySecurity-related issues
@imran-siddique

Description

@imran-siddique
imran-siddique
opened on Mar 7, 2026

Problem

The AgentSignal.SIGKILL in signals.py is a Python IntEnum value. In real Linux, SIGKILL is non-catchable because the OS scheduler handles it. In Python, everything is catchable with except BaseException. Any agent wrapping its work in a try/except block can swallow the termination signal.

Proposed Solution

  • Run agents in separate processes via subprocess.Popen or multiprocessing.Process
  • Use os.kill(pid, signal.SIGKILL) for real non-catchable termination
  • Keep current in-process AgentSignal as the cooperative path (SIGTERM equivalent)
  • Add container-boundary isolation option for high-risk agents

Impact

Critical gap - current implementation gives false confidence that termination is enforceable.

Metadata

Metadata

Assignees

No one assigned

    Labels

    enhancementNew feature or requestsecuritySecurity-related issues

    Type

    No type

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions