ActPlane: OS-Level Agent Policy Enforcement
- ActPlane is an OS-level policy enforcement system that uses an IFC DSL and eBPF to securely translate ambiguous natural language policies into precise system actions.
- It integrates human-interpretable feedback and contextual resolution to enforce agent policies on critical Linux syscalls with minimal runtime overhead.
- The system achieves high coverage and compliance by tracking cross-event dependencies and outperforming traditional sandbox methods with actionable violation explanations.
ActPlane is an OS-level policy enforcement system targeted at AI agent harnesses. It allows agents to express intent in a programmable policy language and securely enforces these policies in the operating system kernel using eBPF, bridging the gap between ambiguous natural-language instructions and concrete process, file, and network actions. ActPlane is designed to provide high-coverage semantic policy enforcement with human-interpretable feedback, outperforming tool-call or classical sandbox approaches, while maintaining low runtime overhead (Zheng et al., 23 Jun 2026).
1. Motivation and Problem Landscape
AI agent harnesses frequently encode operational policies in natural language (e.g., "run tests before committing", "do not push to main directly"). Such policies are often underspecified, lacking explicit mappings to system-level actions. Enforcement is challenging: natural-language policies are ambiguous, whereas OS-level enforcement mechanisms—such as seccomp, AppArmor, and Landlock—operate on precise resource access controls and return opaque errors that agents may misinterpret. An empirical analysis across 64 repositories found that 83% of agent policies depend on system-observable events (file, process, or network), and 16% require cross-event or data-flow tracking (such as enforcing event order or lineage constraints). Furthermore, 74% of enforceable policies reference project or agent-specific concepts ("the test suite," "approval") requiring contextual resolution at runtime.
Existing agent guardrails (e.g., AgentSpec, FIDES, CaMeL) intercept only harness-layer API calls; any subprocess or shell escape bypasses their controls. OS sandboxes lack the ability to match project-specific semantics, to track complex event orderings, or to communicate actionable feedback. This inadequacy motivated ActPlane: a programmable enforcement plane that captures agent policy intent, provides contextual semantic feedback, isolates policy domains, and operates efficiently at system call granularity.
2. Policy Language and Agent Interface
ActPlane exposes a compact information-flow control (IFC) DSL expressly designed to encode cross-event policies. The DSL rule structure is:
```
[notify|block|kill] <operation> PATTERN [if <label-expr>] [unless <gate>] because "<explanation>"
```
- Effect: Specifies notify (record violation), block (deny syscall), or kill (terminate offending process post-syscall).
- Operation: Specifies the atomic action, e.g., `exec "git" "commit"`, `unlink file "/data/**"`, `connect endpoint "*.example.com"`.
- Label expressions (`if`): Boolean combinations of previously defined labels.
- Temporal or lineage gates (`unless`): E.g., `after exec "pytest" exits 0 since write "src/**"`, `lineage-includes exec "worker-subagent"`.
- Reason: Human-readable, agent-facing explanation displayed on violation.
DSL sources are defined via `source <LABEL> = exec|file|endpoint <PATTERN>`. Policy domains are established with hierarchical scoping, allowing inheritance and safe deltas. The userspace compiler transforms DSL rules into binary eBPF configurations, mapping label logic to bitmasks and effect codes. This supports up to 128 concurrent rules, with per-domain policy extension managed via a trusted kernel-resident authority checker.
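A small parser for the rule structure above, as an added example (not ActPlane's own compiler). It assumes double-quoted patterns, unquoted clause keywords in the order shown, and a constructed sample policy in which `SECRET` is a hypothetical label.

```python
import re
from dataclasses import dataclass
from typing import Optional

TOKEN = re.compile(r'"[^"]*"|\S+')       # a double-quoted string is one token
EFFECTS = ("notify", "block", "kill")
CLAUSES = ("if", "unless", "because")    # assumed to appear in this order
MAX_RULES = 128                          # rule limit stated in the text
# Constructed sample policy; SECRET is a hypothetical label name.
SAMPLE = [
    'block connect endpoint "*.example.com" if SECRET because "no exfiltration"',
    'kill exec "git" "commit" unless after exec "pytest" exits 0 '
    'since write "src/**" because "run tests before committing"',
]

@dataclass
class Rule:
    effect: str
    operation: str
    label_expr: Optional[str]
    gate: Optional[str]
    reason: str

def parse_rule(text):
    toks = TOKEN.findall(text.strip())
    if not toks or toks[0] not in EFFECTS:
        raise ValueError("rule must start with notify, block or kill")
    parts, current, nxt = {"op": []}, "op", 0
    for tok in toks[1:]:
        # Only unquoted keywords open a clause; "/srv/if unless/**" stays a pattern.
        if tok in CLAUSES[nxt:]:
            current, nxt, parts[tok] = tok, CLAUSES.index(tok) + 1, []
        elif tok in CLAUSES:
            raise ValueError("clause out of order: " + tok)
        else:
            parts[current].append(tok)
    reason = parts.get("because", [])
    if len(reason) != 1 or not re.fullmatch(r'"[^"]*"', reason[0]):
        raise ValueError('rule must end with: because "<explanation>"')
    if not all(parts.values()):
        raise ValueError("empty operation or clause")
    text_of = lambda key: " ".join(parts[key]) if key in parts else None
    return Rule(toks[0], text_of("op"), text_of("if"), text_of("unless"), reason[0][1:-1])

def parse_policy(lines):
    rules = [parse_rule(line) for line in lines if line.strip()]
    if len(rules) > MAX_RULES:
        raise ValueError("policy exceeds %d rules" % MAX_RULES)
    return rules
```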
3. Kernel Enforcement and Label Propagation
ActPlane’s enforcement is realized through eBPF code inserted at critical Linux Security Module (LSM) hooks and system tracepoints:
- LSM hooks: For pre-operation enforcement on `security_bprm_check` (exec), `security_file_open`, `security_socket_connect`.
- Tracepoints: For post-operation actions (e.g., `sched_process_exit`).
Label propagation is used for cross-event and data-flow tracking:
- fork: Child inherits parent labels.
- exec: Task labels inherit from binary and parent.
- read:
- write:
- connect:
On each syscall, the enforcement path evaluates matching rules via the subject's labels and "unless" gates, carrying out the appropriate effect (block, kill, notify). "Notify" events are exported via perf to userspace, where rule IDs are mapped to explanations, enabling rich feedback (“blocked: commit without tests; please run go test first”).
Policy domain isolation is managed by mapping pids to domains, enforcing monotonic rule extension (an agent can add, but not weaken or retract, protection). Only domain-local declassification of labels is permitted.
4. Example Policies and Execution Workflows
ActPlane’s expressive DSL enables encoding of both simple and cross-event policies that classical systems cannot capture natively.
| Example Policy | Rule Snippet | Effect and Workflow |
|---|---|---|
| Prevent Data Deletion | `block unlink file "/data/**"` | Any attempt to delete /data/* triggers EPERM and displays the reason. |
| Tests Before Commit | `kill exec "git" "commit" unless after TESTS exits 0` | Enforces running tests before commits; process killed after commit if rule not satisfied. |
| Regenerate After Schema Change | `notify exec "git" "commit" if SCHEMA unless after GEN since…` | Notifies agent to regenerate code after schema edit if not done before commit. |
These patterns support sophisticated workflows with data-flow and temporal dependencies. Policy explanations are communicated directly to the agent’s harness, which may trigger LLM-side recovery routines or prompt repair actions.
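The "Tests Before Commit" row replayed over two constructed event traces, as an added example (a userspace model, not ActPlane's eBPF code). It assumes the gate is met once a task labelled TESTS exits 0 and is reset by any later write under `src/`; only the fork and exec propagation rules stated in Section 3 are modelled.

```python
from fnmatch import fnmatch

TESTS = 1 << 0                  # label bit for: source TESTS = exec "pytest"
SOURCES = {"pytest": TESTS}     # binary name -> label bits it carries
REASON = "commit without passing tests since the last write to src/"

# Constructed traces. pid 100 is the agent; in BAD the commit is reached
# through a shell subprocess, a path that harness-level hooks never see.
BAD = [("fork", 100, 101), ("exec", 101, ("pytest",)), ("exit", 101, 0),
       ("write", 100, "src/app.py"),
       ("fork", 100, 102), ("exec", 102, ("sh", "-c", "git commit -m wip")),
       ("fork", 102, 103), ("exec", 103, ("git", "commit", "-m", "wip"))]
GOOD = [("write", 100, "src/app.py"),
        ("fork", 100, 101), ("exec", 101, ("pytest",)), ("exit", 101, 0),
        ("fork", 100, 102), ("exec", 102, ("git", "commit", "-m", "ok"))]


def replay(trace):
    """Return the (pid, effect, reason) decisions the rule yields for a trace."""
    labels = {}         # pid -> label bitmask
    gate_met = False    # state of: after TESTS exits 0 since write "src/**"
    decisions = []
    for kind, pid, arg in trace:
        if kind == "fork":                    # child inherits parent labels
            labels[arg] = labels.get(pid, 0)
        elif kind == "exec":
            if arg[:2] == ("git", "commit") and not gate_met:
                decisions.append((pid, "kill", REASON))
                continue
            # The task keeps its labels and gains those of the binary.
            labels[pid] = labels.get(pid, 0) | SOURCES.get(arg[0], 0)
        elif kind == "write":
            if fnmatch(arg, "src/**"):
                gate_met = False              # an edit invalidates earlier runs
        elif kind == "exit":
            if labels.pop(pid, 0) & TESTS and arg == 0:
                gate_met = True               # a TESTS-labelled task exited 0
    return decisions
```

`replay(BAD)` flags pid 103 even though tests passed earlier, because the write to `src/app.py` came after them; a per-event sandbox rule has no state in which to record that ordering.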
5. Empirical Evaluation: Coverage, Effectiveness, and Overhead
Experimental evaluation demonstrates the system’s DSL expressivity, real-world policy coverage, practical compliance improvement, and efficiency.
- DSL Coverage: 607 natural-language OS-enforceable policies translated by Codex (GPT-5.5) reached 100% successful compilation within two attempts, indicating that current LLMs are capable of authoring enforceable ActPlane policies. Translation cost averaged \$0.028 per rule; total compilation time was 34 minutes.
- Decision Compliance Benchmark: On 38 rules (20 per-event, 18 cross-event) over 190 execution traces, ActPlane achieved a decision compliance rate of 75.8%, substantially outperforming alternatives (prompt-filter, tool-regex, FIDES, ActPlane-opaque: 45.3–53.7%). ActPlane’s advantage is most pronounced for policies triggered by subprocesses and hidden entrypoints. One additional round of DSL rule tuning corrected almost all false negatives.
- Performance: Microbenchmarks (forks, execs, open) showed single-digit microsecond overheads per operation and total end-to-end overhead of 1.9% (agent-trace replay), 6.5%–8.4% (Linux kernel build with 32–100 rules).
- Real Coding Tasks: On 21 OctoBench coding tasks (61 checklist items), ActPlane increased user-query rewards (+9.9), implementation/test rewards (+9.7), and compliance rewards (+2.8) over baseline and tool-level hooks.
- Safety Enforcement: Across 361 OpenAgentSafety tasks, ActPlane blocked 74% of unsafe outcomes (78 of 106), with remaining violations due to unobservable (non-kernel) effects or semantic-only tasks.
6. Limitations and Future Directions
Current limitations include:
- Service-Side Gaps: Enforcement is limited to monitored kernel syscalls. Effects within containerized services or protocol interactions not visible at the host kernel are not intercepted. Future work includes extending eBPF into container boundaries and protocol instrumentation.
- File Content Semantics: The enforcement boundary is at the syscall or data-flow level. Content-based policies (e.g., style linting) remain the domain of static analysis tools.
- Label Declassification: Only domain-local declassification is supported. Time-based or rule-driven declassification is planned for future extension.
- OS Events Coverage: A subset of syscalls is currently hooked (exec, fork, open, read, write, unlink, connect, exit). Extending to chmod, chown, mount, mmap, socket accept, and other syscalls is under consideration.
- Policy Conflict Management: As policy domains grow and interact, more sophisticated conflict resolution strategies (precedence, priority, exceptions) are anticipated.
A plausible implication is that future integration with service-side monitoring and more expressive label logic will extend ActPlane’s reach beyond its current kernel boundary.
7. Summary and Availability
ActPlane advances programmable OS-level policy enforcement for AI agent harnesses by unifying ambiguous intent, concrete system actions, and agent-specific context. Through its IFC DSL, high-coverage eBPF implementation, and hierarchical domain model, ActPlane delivers deterministic, feedback-rich enforcement across direct and indirect execution paths. It achieves improved security and compliance with minimal system cost, establishing a new baseline for practical, safe agent orchestration. The complete system and evaluation benchmarks are available as open-source at https://github.com/eunomia-bpf/ActPlane (Zheng et al., 23 Jun 2026).