BubbleWrap your dev env and agents
14 points by dpc_pw
This is baked into Claude Code fwiw: https://code.claude.com/docs/en/sandboxing#os-level-enforcement (Seatbelt on macOS and BubbleWrap on Linux).
I've been playing with the sandboxing and it sort of works. The network isolation is too restrictive, since it works by domain. I can't allow ssh to hit an IP, for example. But you can add escape hatches for some commands, and then those don't go through the sandbox.
I used to carefully read every single command before executing and now I can be a little more cavalier. Not a lot more cavalier, mind you, since there are still lots of dangerous network operations claude could execute to mess up my remote systems. But if something is just reading or writing to my local system I can blindly accept with confidence knowing that it can only do so within the parameters of my sandbox.
The problem is that Claude Code also has a sandbox escape hatch baked in. When a command is blocked by the sandbox, Claude will attempt to execute the same thing without the sandbox. The only difference is that it is supposed to prompt you... But this feels like one bug away from a sandbox escape.
Notably, in my setup I am also sandboxing the terminal tmux tabs I'm opening to work on a project. I'm e.g. concerned about Slopus writing code that is subtly but critically wrong, which I would then execute, possibly semi-automatically (direnvs, etc.).
I'm also concerned with Slopus just reading stuff that it shouldn't. I also don't trust built-in isolation on principle. That thing is not open-source code; it can say whatever it wants and do something slightly different. As I know the layout of my home directory, I (and anyone) can do a much better job at only exposing what is really necessary. Who knows when the monetization strategies are going to change, etc. Also, governments and agencies might want to spy, etc.
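A concrete version of "expose only what is really necessary", as an added example rather than the poster's own script or Claude Code's sandbox: a POSIX sh wrapper around bwrap that mounts an empty tmpfs over $HOME, binds one project directory back in read-write, and gives the command fresh PID/IPC/UTS namespaces. The mount list, the NET and BWRAP_DRY_RUN variables and the function name are my assumptions for a typical merged-/usr Linux box.

```shell
#!/bin/sh
# Added example, not the thread author's script and not Claude Code's sandbox:
# run a command under bubblewrap so it sees one project directory read-write and
# nothing else of $HOME. An empty tmpfs is mounted over $HOME first, then the
# project is bind-mounted back on top, so ~/.ssh, ~/.aws, ~/.config and shell
# history do not exist inside. /usr and /etc are read-only, /tmp is private and
# PID/IPC/UTS namespaces are fresh. Network stays shared unless NET=off, because
# an agent usually needs it; note that an unshared net does nothing about a
# token that happens to live inside the project directory itself.
# The mount list is an assumption for a typical merged-/usr Linux box; adjust it,
# e.g. add --ro-bind "$HOME/.gitconfig" "$HOME/.gitconfig" for single dotfiles.
set -eu

# sandboxed PROJECT CMD [ARGS...]
# With BWRAP_DRY_RUN=1 the bwrap argument list is printed one per line instead
# of being executed, so the mount plan can be reviewed without bwrap installed.
sandboxed() {
    project=$1; shift
    case $project in
        /*) ;;
        *) echo "sandboxed: PROJECT must be an absolute path" >&2; return 2 ;;
    esac
    net_opt=
    if [ "${NET:-on}" = off ]; then
        net_opt=--unshare-net
    fi
    # Order matters: bwrap applies mounts in argument order, so the tmpfs over
    # $HOME must come before the bind of the project directory beneath it.
    # --new-session (setsid) would also stop TIOCSTI injection into the parent
    # terminal, at the cost of job control in an interactive shell; add it for
    # non-interactive runs.
    set -- \
        --ro-bind /usr /usr \
        --ro-bind /etc /etc \
        --symlink usr/lib /lib \
        --symlink usr/lib64 /lib64 \
        --symlink usr/bin /bin \
        --symlink usr/sbin /sbin \
        --proc /proc \
        --dev /dev \
        --tmpfs /tmp \
        --tmpfs "$HOME" \
        --bind "$project" "$project" \
        --chdir "$project" \
        --setenv HOME "$HOME" \
        --unshare-pid --unshare-ipc --unshare-uts $net_opt \
        --die-with-parent \
        -- "$@"
    if [ "${BWRAP_DRY_RUN:-0}" = 1 ]; then
        printf '%s\n' "$@"
    else
        bwrap "$@"
    fi
}

# Typical use from a tmux tab dedicated to one project:
#   sandboxed "$HOME/src/myproj" bash
#   NET=off sandboxed "$HOME/src/myproj" make test
```

Inside the sandbox `ls ~/.ssh` fails with "No such file or directory" rather than "Permission denied", which is the point: nothing outside the project is even visible, so a subtly wrong command or a curious agent has nothing to read. The remote-system risk the earlier comment mentions is unchanged unless NET=off.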
I am using something similar: https://github.com/vincentbernat/zshrc/blob/master/rc/alias.zsh#L182. I am still wondering if there is something less "opt-in" for isolation, maybe SELinux, but with less hassle.
Related: ai-jail
I suspect there's going to be a lot of tooling like that. It's just a good idea, IMO.
I thought about it for a while: how generic this can be, and it seems to me that various users will have varying levels of requirements, and it will all work best if users very tightly control and fully understand their sandboxing. So for starters, I have a very custom and "minimum-abstraction" level solution tailored to myself.
But any solution is probably good enough, and better than nothing, including the built-in sandboxing. Whatever works.
bubblewrap does not work on macOS.
sandbox-exec has been deprecated
$ man sandbox-exec
SANDBOX-EXEC(1) General Commands Manual SANDBOX-EXEC(1)
NAME
sandbox-exec – execute within a sandbox (DEPRECATED)
That deprecation is irrelevant in practice. The recommended app sandbox is extremely simple and doesn't cover many interesting cases. Basically all system services on macOS are using sandbox-exec. That functionality has been deprecated for years, but has no real replacement - it's not going anywhere.
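For the macOS side of the thread, an added example (not from the thread, not Apple's code): a sh wrapper that generates a deny-by-default SBPL profile for one project directory and runs a command under sandbox-exec with it. The operation names (file-read*, file-write*, process-exec, network*, ...) are the ones used in the profiles Apple ships under /System/Library/Sandbox/Profiles; the path list, the NET variable and the function names are my assumptions for a typical Homebrew/Xcode machine and will need tuning.

```shell
#!/bin/sh
# Added example, not from the thread or from Apple: the macOS counterpart of a
# bwrap wrapper, built on the deprecated-but-present sandbox-exec. The profile
# denies everything, then allows: reading OS and toolchain trees, read/write on
# the project and the usual temp dirs, fork/exec, and outbound network unless
# NET=off. The path list is an assumption for a Homebrew/Xcode box; denials
# are logged by the kernel and show up in Console.app as "Sandbox: ... deny".
set -eu

# sb_profile PROJECT  -> prints the SBPL profile for PROJECT on stdout
sb_profile() {
    project=$1
    cat <<EOF
(version 1)
(deny default)
; OS, toolchains and package managers: read-only
(allow file-read*
    (subpath "/usr") (subpath "/System") (subpath "/Library")
    (subpath "/bin") (subpath "/sbin") (subpath "/private/etc")
    (subpath "/private/var/db") (subpath "/opt/homebrew")
    (subpath "/Applications/Xcode.app") (subpath "/dev"))
; stat() anywhere, so lookups through /Users/... resolve; contents stay hidden
; (existence and size of ~/.ssh/id_ed25519 are still observable, data is not)
(allow file-read-metadata)
; the project and temp dirs: read-write
(allow file-read* file-write* (subpath "$project"))
(allow file-read* file-write* (subpath "/private/tmp"))
(allow file-read* file-write* (subpath "/private/var/folders"))
(allow file-write* (subpath "/dev")) ; /dev/null, ttys
(allow process-fork)
(allow process-exec)
(allow sysctl-read)
(allow signal (target same-sandbox))
(allow mach-lookup)
(allow ipc-posix-shm)
EOF
    if [ "${NET:-on}" != off ]; then
        printf '%s\n' '(allow network*)'
    fi
}

# sandboxed_mac PROJECT CMD [ARGS...]
sandboxed_mac() {
    project=$1; shift
    profile=$(mktemp "${TMPDIR:-/tmp}/sb.XXXXXX")
    sb_profile "$project" > "$profile"
    status=0
    sandbox-exec -f "$profile" "$@" || status=$?
    rm -f "$profile"
    return "$status"
}

# Typical use:
#   sandboxed_mac "$HOME/src/myproj" zsh
#   NET=off sandboxed_mac "$HOME/src/myproj" make test
```

Compared with the bwrap approach, this is a filter rather than a different view of the filesystem: the real paths are all there, the kernel just refuses most of them, so expect to iterate on the allow list by reading the denial log for the tools you actually run.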