Kristóf Tóth 12644ae31e Apply a seccomp-BPF syscall allowlist by default
Derived from Podman's default profile, stripped of capability-conditional
rules (we never grant capabilities), argument filters, and the explicit
EPERM block. Dangerous syscalls (mount, unshare, ptrace, bpf,
perf_event_open, io_uring_*, keyctl, kexec_*, ...) fall through to the
default ENOSYS action, which also keeps glibc's clone3 -> clone fallback
working. x86_64 and aarch64 are supported; other archs error out.

Toggle with --seccomp / --no-seccomp or seccomp = <bool> in config.
2026-04-08 08:34:34 +02:00

agent-sandbox

Sandbox agentic coding assistants with bubblewrap. Limits what an AI agent can see and modify on the host, reducing the blast radius of prompt injection and accidental damage.

Modes

Whitelist

Tight sandbox for normal agent coding tasks. Only explicitly listed paths are visible — system binaries, libraries, a subset of /etc, /sys (all read-only), synthetic /dev, private /proc, /tmp, /run, and the working directory (read-write). Everything else is invisible.

Blacklist

Looser sandbox for system-level debugging with agent assistance. The host filesystem is mounted read-only, with targeted overlays hiding sensitive paths (credentials, history, secrets, sockets, input devices). /run and ${XDG_RUNTIME_DIR} are replaced with tmpfs mounts that only expose the paths needed for system tooling (systemctl, resolvectl, journalctl, etc.).

The threat model is prompt injection and accidental damage, not a determined attacker with user-level access.

Not protected in blacklist mode: arbitrary readable files outside the sensitive paths list, and D-Bus method calls (access control is daemon-side).

Seccomp

Both modes apply a seccomp-BPF syscall allowlist derived from Podman's default profile, stripped of Podman's capability-conditional rules (the sandbox never grants capabilities), argument filters, and explicit EPERM block. Syscalls not on the allowlist (mount, unshare, ptrace, bpf, perf_event_open, io_uring_*, keyctl, kexec_*, …) fall through to the filter's default action and fail with ENOSYS rather than EPERM; returning ENOSYS is also what keeps glibc's clone3 -> clone fallback working. The filter is built for x86_64 and aarch64; other architectures error out. Disable it with --no-seccomp or seccomp = false in the config file.
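The difference between "filtered" and "executed but denied" is easy to see with a probe. The C program below is an added example, not part of agent-sandbox: it issues a few syscalls with deliberately invalid arguments (so nothing is mounted and no child is created) and classifies the result by errno. ENOSYS means the BPF filter answered before the kernel ran the syscall; EPERM, EINVAL or EFAULT means the kernel did run it and only the arguments or missing capabilities stopped it. It assumes a Linux host on x86_64 or aarch64 with glibc's syscall(2) wrapper; syscall numbers come from the system headers, except clone3, which is hardcoded to 435 (the same number on both architectures) for older headers. The enum, function and file names are this example's own.

```c
/* seccomp_probe.c -- added example, not part of agent-sandbox.
 * Reports whether the kernel executed a syscall or a seccomp filter
 * short-circuited it with ENOSYS. Arguments are chosen so that an
 * executed call is always rejected without side effects. */
#define _GNU_SOURCE
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/syscall.h>
#include <unistd.h>

#ifndef SYS_clone3
#define SYS_clone3 435 /* identical on x86_64 and aarch64 */
#endif

enum verdict {
    ALLOWED,         /* executed and succeeded */
    FILTERED_ENOSYS, /* seccomp default action hit (or kernel lacks the syscall) */
    DENIED_EPERM,    /* executed, refused for lack of capability (or a seccomp EPERM profile) */
    REJECTED_OTHER   /* executed, kernel rejected our deliberately bad arguments */
};

static const char *verdict_name(enum verdict v)
{
    switch (v) {
    case ALLOWED:         return "allowed";
    case FILTERED_ENOSYS: return "ENOSYS (filtered by seccomp)";
    case DENIED_EPERM:    return "EPERM (executed, denied)";
    default:              return "executed, arguments rejected";
    }
}

/* Map a raw syscall result (return code plus errno) to a verdict. */
enum verdict classify(long rc, int err)
{
    if (rc >= 0)       return ALLOWED;
    if (err == ENOSYS) return FILTERED_ENOSYS;
    if (err == EPERM)  return DENIED_EPERM;
    return REJECTED_OTHER;
}

/* Control: getpid is on every allowlist and must succeed. */
enum verdict probe_getpid(void)
{
    errno = 0;
    long rc = syscall(SYS_getpid);
    return classify(rc, errno);
}

/* mount(2) with a NULL target: if executed, path lookup fails with EFAULT
 * (or may_mount() fails with EPERM) before any mount table is touched. */
enum verdict probe_mount(void)
{
    errno = 0;
    long rc = syscall(SYS_mount, (void *)0, (void *)0, (void *)0, 0UL, (void *)0);
    return classify(rc, errno);
}

/* clone3(2) with a NULL struct and size 0: if executed, EINVAL and no child.
 * ENOSYS here is exactly what makes glibc fall back to clone(2). */
enum verdict probe_clone3(void)
{
    errno = 0;
    long rc = syscall(SYS_clone3, (void *)0, 0UL);
    return classify(rc, errno);
}

/* Seccomp mode from /proc/self/status: 0 disabled, 1 strict, 2 filter, -1 unreadable. */
int seccomp_mode(void)
{
    FILE *f = fopen("/proc/self/status", "r");
    if (!f) return -1;
    char line[256];
    int mode = -1;
    while (fgets(line, sizeof line, f)) {
        if (strncmp(line, "Seccomp:", 8) == 0) {
            mode = atoi(line + 8);
            break;
        }
    }
    fclose(f);
    return mode;
}

int main(void)
{
    printf("Seccomp mode : %d\n", seccomp_mode());
    printf("getpid       : %s\n", verdict_name(probe_getpid()));
    printf("mount        : %s\n", verdict_name(probe_mount()));
    printf("clone3       : %s\n", verdict_name(probe_clone3()));
    return 0;
}
```

Build it with `cc -O2 -o seccomp-probe seccomp_probe.c` and run it from the working directory twice: `agent-sandbox -- ./seccomp-probe` should report Seccomp mode 2 with mount and clone3 marked ENOSYS, while `agent-sandbox --no-seccomp -- ./seccomp-probe` should show mount as EPERM or "arguments rejected" and clone3 as "arguments rejected", proving the kernel actually ran them. Any probe other than getpid coming back "allowed" means the arguments are not what the comments claim for your kernel and the probe should not be trusted.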

Configuration file

Settings can be stored in a TOML config file at $XDG_CONFIG_HOME/agent-sandbox/config.toml (or pass --config <path>). Use --no-config to skip loading it. The config file accepts the same options as the corresponding CLI flags.

Top-level keys set defaults; [profile.<name>] sections define named presets selectable with --profile <name>. CLI flags always take highest precedence, followed by the active profile, then top-level defaults.

# Global defaults
whitelist = true
unshare-net = true
ro = ["~/.aws"]

# Named profile
[profile.docker]
blacklist = true
rw = ["/var/run/docker.sock"]
command = ["claude", "--dangerously-skip-permissions"]

Escape hatches

When the agent needs access to something the sandbox blocks, use --rw or --ro:

agent-sandbox --rw /var/run/docker.sock -- claude --dangerously-skip-permissions
agent-sandbox --ro ~/.aws -- claude --dangerously-skip-permissions
Description
Lightweight bubblewrap-based sandbox for AI coding agents, written in Rust.