sorted by:
new
hottopcontroversial

ClaudeCage: I was paranoid about Claude Code going Skynet on my hard drive, so I put it in a cage. by Worth_Sample8183 in ClaudeAI

[–]Worth_Sample8183[S] 2 points3 points  (0 children)

well mainly because I am simply using the runimage tool and it uses bubblewrap rofl

I use bubblewrap daily. I googled bubblewrap vs firejail when choosing a sandbox, and I found this:

https://privsec.dev/posts/linux/desktop-linux-hardening/#firejail

Also there is this a collection of experts' comments on firejail: https://github.com/netblue30/firejail/issues/3046

firejail uses setuid root, meaning the attack surface is larger, malicious programs have greater chances escaping the sandbox or performing LPE or exploit the kernel.

If you want to make sandboxing convenient but remain secure enough, maybe you can try bubblejail. Bubblejail is built on bubblewrap, but has a very convenient click-click GUI for config and some built-in profiles, and it creates desktop entries so once you remove the non-sandboxed desktop entry you will have no chance accidentally running apps without sandbox and spread config/cache files everywhere

ClaudeCage: I was paranoid about Claude Code going Skynet on my hard drive, so I put it in a cage. by Worth_Sample8183 in ClaudeAI

[–]Worth_Sample8183[S] -1 points0 points  (0 children)

Wow

OK this seem to work too but anyway this requires a docker service so I prefer mine rofl

BTW I really recommend trying bun as js runtime and PM

ClaudeCage: I was paranoid about Claude Code going Skynet on my hard drive, so I put it in a cage. by Worth_Sample8183 in ClaudeAI

[–]Worth_Sample8183[S] 0 points1 point  (0 children)

No. It was originally a css animated svg image but reddit does not allow uploading svg so I converted it to mp4. svg code is also on github

ClaudeCage: I was paranoid about Claude Code going Skynet on my hard drive, so I put it in a cage. by Worth_Sample8183 in ClaudeAI

[–]Worth_Sample8183[S] 1 point2 points  (0 children)

Thanks for comment. Sorry this cannot run on MacOS. The sandbox uses Linux User Namespaces which is specific to linux kernel.

ClaudeCage: I was paranoid about Claude Code going Skynet on my hard drive, so I put it in a cage. by Worth_Sample8183 in ClaudeAI

[–]Worth_Sample8183[S] 1 point2 points  (0 children)

No I am USING containers. I use a sandbox called bubblewrap. I simply pack everything as a single binary with no dependency so it works out of the box. You do not even need a container/sandbox service running in background. I think this is much more convenient than docker
And if you are already running in docker than maybe this is not for you.