Kristóf Tóth f1d7a14b8d Ensure root filesystem is always read-only inside sandbox
Whitelist mode's implicit bwrap root was a writable tmpfs, letting the
sandboxed process create files and directories anywhere not covered by
an explicit ro mount. This was not an issue in blacklist mode due to
--ro-bind / / covering that case.

This patch adds --remount-ro / before any other mount to make the base
layer read-only in both modes.
2026-03-29 16:50:59 +02:00
2026-03-20 18:40:08 +01:00

agent-sandbox

Sandbox agentic coding assistants with bubblewrap. Limits what an AI agent can see and modify on the host, reducing the blast radius of prompt injection and accidental damage.

Modes

Whitelist

Tight sandbox for normal agent coding tasks. Only explicitly listed paths are visible — system binaries, libraries, a subset of /etc, /sys (all read-only), synthetic /dev, private /proc, /tmp, /run, and the working directory (read-write). Everything else is invisible.

Blacklist

Looser sandbox for system-level debugging with agent assistance. The host filesystem is mounted read-only, with targeted overlays hiding sensitive paths (credentials, history, secrets, sockets, input devices). /run and ${XDG_RUNTIME_DIR} are replaced with tmpfs mounts that only expose the paths needed for system tooling (systemctl, resolvectl, journalctl, etc.).

The threat model is prompt injection and accidental damage, not a determined attacker with user-level access.

Not protected in blacklist mode: arbitrary readable files outside the sensitive paths list, and D-Bus method calls (access control is daemon-side).
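The mount ordering described in the commit above, as an added example in Rust that is not agent-sandbox's own code: it builds a whitelist-mode bwrap argument list with `--remount-ro /` ahead of every mount, and audits any argument list for that ordering so a regression to a writable base layer is caught before bwrap is spawned. The mounted path set, the function names `whitelist_args` and `root_readonly_before_mounts`, and the working-directory path are assumptions.

```rust
// Added example, not agent-sandbox's own code: build whitelist-mode bwrap
// arguments in the order the commit describes (--remount-ro / before any
// mount) and audit a list for that ordering. Mounted paths are illustrative.

/// bwrap options that mount or create something under the sandbox root.
const MOUNT_OPTS: &[&str] = &[
    "--bind", "--ro-bind", "--dev-bind", "--bind-try", "--ro-bind-try",
    "--dev", "--proc", "--tmpfs", "--dir", "--symlink", "--file",
];

/// Whitelist mode: read-only base layer first, explicit mounts after.
pub fn whitelist_args(workdir: &str) -> Vec<String> {
    let mut args: Vec<String> = vec![
        "--unshare-all".into(),
        "--die-with-parent".into(),
        // The implicit root is a writable tmpfs; lock it down before any
        // other mount so uncovered paths cannot be written to.
        "--remount-ro".into(),
        "/".into(),
    ];
    for &p in ["/usr", "/bin", "/lib", "/lib64", "/etc/ssl", "/sys"].iter() {
        args.extend([String::from("--ro-bind"), p.into(), p.into()]);
    }
    args.extend([String::from("--dev"), "/dev".into()]);
    args.extend([String::from("--proc"), "/proc".into()]);
    args.extend([String::from("--tmpfs"), "/tmp".into()]);
    args.extend([String::from("--tmpfs"), "/run".into()]);
    // The working directory is the only read-write host path.
    args.extend([String::from("--bind"), workdir.into(), workdir.into()]);
    args
}

/// True when `--remount-ro /` is present and precedes every mount option,
/// i.e. the argument list follows the ordering the commit prescribes.
pub fn root_readonly_before_mounts(args: &[String]) -> bool {
    let first_mount = args.iter().position(|a| MOUNT_OPTS.contains(&a.as_str()));
    let remount_root = args
        .windows(2)
        .position(|w| w[0] == "--remount-ro" && w[1] == "/");
    match (remount_root, first_mount) {
        (Some(r), Some(m)) => r < m,
        (Some(_), None) => true,
        (None, _) => false,
    }
}

fn main() {
    let args = whitelist_args("/home/dev/project"); // constructed path
    println!("bwrap {} -- claude", args.join(" "));
}
```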

Escape hatches

When the agent needs access to something the sandbox blocks, use --rw or --ro:

agent-sandbox --rw /var/run/docker.sock -- claude --dangerously-skip-permissions
agent-sandbox --ro ~/.aws -- claude --dangerously-skip-permissions
Description
Lightweight bubblewrap-based sandbox for AI coding agents, written in Rust.