| ▲ | kernc 15 hours ago |
| Since everyone tends to present their own solution, I bid you mine: sandbox-run npx @anthropic-ai/claude-code
This runs npx (...) transparently inside a Bubblewrap sandbox, exposing only the $PWD. Contrary to many other solutions, it is a few lines of pure POSIX shell.https://github.com/sandbox-utils/sandbox-run |
|
| ▲ | corv 15 hours ago | parent [-] |
| I like the bubblewrap approach, it just happens to be Linux-only unfortunately. And once privileges are dropped for a process it doesn't appear to be possible to reinstate them. |
| |
| ▲ | kernc 14 hours ago | parent [-] | | > Linux-only What other dev OSs are there? > once privileges are dropped [...] it doesn't appear to be possible to reinstate them I don't understand. If unprivileged code could easily re-elevate itself, privilege dropping would be meaningless ...
If you need to communicate with the outside, you can do so via sockets (such as the bind-mounted X11 socket in one of the readme Examples). | | |
| ▲ | corv 14 hours ago | parent [-] | | I happen to use a Mac, even when targeting Linux so I'd have to use a container or VM anyways. It's nice how lightweight bubblewrap would be however. Consider one wanted to replicate the human-approval workflow that most agent harnesses offer. It's not obvious to me how that could be accomplished by dropping privileges without an escape hatch. | | |
| ▲ | kernc 14 hours ago | parent [-] | | It being deprecated and all, didn't feel like wrapping it, but macOS supposedly has a similar `sandbox-exec` command ... | | |
| ▲ | nowahe 13 hours ago | parent [-] | | IIRC from a comment in another thread, it's marked as deprecated to stop people from using it directly and to use the offical macOS tools directly. But it's still used internally by macOS. And I think that what CC's /sandbox uses on a Mac |
|
|
|
|
