Hacker News Viewer

Sandboxing AI Agents in Linux

by speckx on 2/3/2026, 5:35:37 PM

https://blog.senko.net/sandboxing-ai-agents-in-linux

Comments

by: bigwheels

I use Leash [1] [2] for sandboxing my agents (to great effect!). I've been very happy with it; it provides much stricter policy-level control for both process-level + network-level activity, as well as full visibility with a nice UI and dynamic runtime controls via WebUI. Way better than bubblewrap imo.

I originally saw it here on HN and have been hooked ever since.

[1] Screenshot: https://camo.githubusercontent.com/99b9e199ffb820c27c4e977f2cf388538e1f144c7d1a05c96823c81bcba2b8ca/68747470733a2f2f6c656173682e7374726f6e67646d2e61692f6d656469612f6c656173682d636c69702e676966

[2] https://github.com/strongdm/leash

Fun fact: Do you know what container / sandboxing system is in most widespread use? Not docker containers, certainly not bubblewrap, and not even full VMs or firecracker. It's Chrome tabs.

2/3/2026, 9:14:12 PM


by: enum

I just have an unprivileged secondary local account and do `ssh dummy@localhost`.

Is this wrong?

2/3/2026, 10:40:32 PM


by: sylvinus

This is the way to go! On my side I've built a very small `claude-vm` wrapper to run each instance in a VM with Lima: https://github.com/sylvinus/agent-vm

2/3/2026, 10:04:08 PM




by: aflag

I don't know if I want to create an ad-hoc list of permissions. What I would like would be something like: take a snapshot of my current workspace in a VM, run claude there and let it go wild. After the end of the session, kill the box. The only downside is potentially syncing the claude sessions/projects. But I don't think that'd be too difficult.

2/3/2026, 8:24:10 PM


by: ATechGuy

I will ask what I've asked before: how to know what resources to make available to agents and what policies to enforce? The agent behavior is not predefined; it may need access to a number of files & web domains.

For example, you said:

> I don't expose entire /etc, just the bare minimum

How is "bare minimum" defined?

> Inspecting the log you can spot which files are needed and bind them as needed.

This requires manual inspection.

2/3/2026, 8:05:50 PM


by: aktuel

I like this approach for Nix: https://dev.to/andersonjoseph/how-i-run-llm-agents-in-a-secure-nix-sandbox-1899 It also makes it easy to give the agent access only to the tools it actually needs.

2/3/2026, 8:22:54 PM


by: kernc

As a heads up and affirmation that the approach is correct, here's a small shell bubblewrap wrapper that boils the command line down to `sandbox-run claude --dangerously-skip-permissions`.

https://github.com/sandbox-utils/sandbox-run

2/3/2026, 8:06:11 PM


by: athrowaway3z

I'm launching a SaaS to create yet another solution to the AI Sandboxing problem in linux.

My friends and I have spent a lot of time quietly injecting support down into the kernel without anybody raising a flag, and we finally have the infrastructure in place to solve this problem.

We have also poisoned all the LLMs' training data with our approach, so our marketing is primed and we won't even need to learn Claude to use our tool.

We're planning a soft launch this month, or maybe next month. Depending on how "in the vibe" (our new word for flow :) our team gets.

We're calling it `useradd`.

Yes, the man page is intimidating, and the documentation is terrible. But once you're over the learning curve, it puts your machine into a kind of 'main frame' mode where multiple 'virtual teletypes' and users can operate on the same machine.

DM me if you want a beta key.

---

Sorry for the snark, but I cringe at the monuments to complexity I see people building; at least this solution is relatively simple and free. Still, don't really see what it buys me.

2/3/2026, 8:00:57 PM


by: charcircuit

If you have ssh installed, with network access it can ssh localhost to escape the sandbox.

2/3/2026, 8:52:55 PM
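The three comments above circle the same design questions: kernc's wrapper boils the bwrap command line down to one call, ATechGuy asks how a "bare minimum" set of binds is defined, and charcircuit points out that a shared network namespace undoes much of the isolation. The script below is an added example (not code from the linked post, from sandbox-run, or from any other project named in this thread) that builds a bubblewrap argv from a small deny-by-default allow-list and lints that allow-list for the two foot-guns the thread names: binding broad trees such as /etc wholesale, and sharing the host network while ssh keys are visible inside the sandbox. The Policy fields and the function names sandbox_argv, lint_policy and render are assumptions made for this illustration; the bwrap flags used (--unshare-all, --share-net, --ro-bind, --bind, --proc, --dev, --tmpfs, --chdir, --die-with-parent, --new-session) are real bubblewrap options.

```python
"""Generate a bubblewrap (bwrap) command line from an allow-list policy and
lint the policy for overly broad binds and for network + ssh-key exposure.
Added example; not the linked post's or any named project's code."""
import shlex
from dataclasses import dataclass, field

# Trees that a "bind the bare minimum" policy should never bind as a whole.
BROAD_PATHS = {"/", "/etc", "/home", "/root", "/var"}


@dataclass
class Policy:                                      # assumed field names for this illustration
    workdir: str                                   # project directory the agent may modify
    ro_binds: list = field(default_factory=list)   # host paths mounted read-only
    rw_binds: list = field(default_factory=list)   # extra host paths mounted writable
    network: bool = False                          # share the host network namespace?
    command: list = field(default_factory=list)    # program to run inside the sandbox


def _norm(path: str) -> str:
    return path.rstrip("/") or "/"


def sandbox_argv(p: Policy) -> list:
    """Build argv; every namespace is unshared unless the policy opts back in."""
    argv = [
        "bwrap",
        "--unshare-all",       # fresh user, pid, ipc, uts, net and cgroup namespaces
        "--die-with-parent",   # sandbox is killed when the wrapper exits
        "--new-session",       # new session, so the sandbox cannot inject keystrokes into the parent tty
        "--proc", "/proc",
        "--dev", "/dev",
        "--tmpfs", "/tmp",
    ]
    if p.network:
        argv.append("--share-net")           # opt back into the host network only
    for src in p.ro_binds:
        argv += ["--ro-bind", src, src]
    for src in p.rw_binds + [p.workdir]:
        argv += ["--bind", src, src]
    argv += ["--chdir", p.workdir, "--", *p.command]
    return argv


def lint_policy(p: Policy) -> list:
    """Return warnings for policy choices the thread argues against."""
    warnings = []
    binds = [_norm(s) for s in p.ro_binds + p.rw_binds]
    for src in binds:
        parts = src.strip("/").split("/")
        is_home_dir = parts[0] == "home" and len(parts) == 2   # e.g. /home/me
        if src in BROAD_PATHS or is_home_dir:
            warnings.append(f"{src} is bound wholesale; bind only the files the log shows are needed")
    if p.network and any(src.endswith("/.ssh") for src in binds):
        warnings.append("host network shared while ~/.ssh is visible: "
                        "the agent can reach any host those keys unlock")
    work = _norm(p.workdir)
    for src in (_norm(s) for s in p.rw_binds):
        if not (src == work or src.startswith(work + "/")):
            warnings.append(f"{src} is writable and outside the workdir")
    return warnings


def render(p: Policy) -> str:
    """Shell-quoted command line, suitable for pasting into a wrapper script."""
    return shlex.join(sandbox_argv(p))


if __name__ == "__main__":
    # Constructed sample policy: toolchain read-only, one project writable, no network.
    policy = Policy(workdir="/home/me/proj",
                    ro_binds=["/usr", "/lib", "/lib64", "/bin", "/etc/resolv.conf", "/etc/ssl"],
                    command=["claude", "--dangerously-skip-permissions"])
    for w in lint_policy(policy):
        print("WARNING:", w)
    print(render(policy))
```

The lint is intentionally static: it only reasons about what the policy binds, not about what the agent later does. The "bare minimum" ATechGuy asks about is therefore still discovered the way the thread describes, by reading the log of denied accesses and adding individual files to ro_binds, but the lint catches the shortcut of binding a whole tree to make the warnings go away.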


by: muggesmuds

Would love this for MacOS

2/3/2026, 8:23:51 PM


by: Jayakumark

Saw something last week using bubblewrap as well in hn: github.com/Use-Tusk/fence

2/3/2026, 9:04:34 PM


by: jauntywundrkind

Really well targeted!

I'd been thinking of using toolbox or devcontainers going forward, but having to craft containers with all my stuff sounds so painful; feels like it would become another full-time job to make containers.

Bubblewrap & passing in a bunch of the current system sounds like a great compromise!

I do wonder what isolation something like systemd-run can offer, if that is enough.

Part #2 to me, I also want observability as to what the agent changed. That was one place where containers are such a clear & huge advantage! Having an overlay that contains the changes to the filesystem is so explicit. There's also work like agentfs, which offers a FUSE filesystem backed by Turso DB (sqlite compatible).

2/3/2026, 7:59:19 PM
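The observability the comment above asks for does not strictly need an overlay or a FUSE layer when the sandbox only has a bind-mounted workdir: hashing the tree from outside the sandbox before and after the session gives an explicit list of what the agent added, modified and deleted. The script below is an added example, not code from the linked post or from agentfs, toolbox or any other project mentioned here; the function names snapshot, diff_snapshots and demo, and the sample file tree demo builds in a temporary directory, are constructed for this illustration.

```python
"""Snapshot a directory tree (path -> content hash) before and after an agent
session and report what changed. Added example; not any named project's code."""
import hashlib
import os
import tempfile
from pathlib import Path


def snapshot(root) -> dict:
    """Map every regular file and symlink under root to a content fingerprint.
    Directories are skipped; a symlink is recorded by its target, not followed,
    so a link pointed outside the workdir shows up as a change too."""
    root = Path(root)
    out = {}
    for path in sorted(root.rglob("*")):
        rel = str(path.relative_to(root))
        if path.is_symlink():
            out[rel] = "symlink:" + os.readlink(path)
        elif path.is_file():
            out[rel] = "sha256:" + hashlib.sha256(path.read_bytes()).hexdigest()
    return out


def diff_snapshots(before: dict, after: dict) -> dict:
    """Classify paths into added / modified / deleted, each sorted for stable output."""
    return {
        "added": sorted(set(after) - set(before)),
        "modified": sorted(k for k in before.keys() & after.keys() if before[k] != after[k]),
        "deleted": sorted(set(before) - set(after)),
    }


def demo() -> dict:
    """Constructed workdir: snapshot, simulate an agent session, snapshot again."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "src").mkdir()
        (root / "src" / "main.py").write_text("print('hi')\n")
        (root / "README.md").write_text("# demo\n")
        (root / "secret.env").write_text("TOKEN=constructed-sample\n")
        before = snapshot(root)

        # What a session might do to the tree (constructed for the example).
        (root / "src" / "main.py").write_text("print('hello')\n")   # edited
        (root / "src" / "util.py").write_text("def f():\n    pass\n")  # created
        (root / "secret.env").unlink()                                 # removed
        after = snapshot(root)
        return diff_snapshots(before, after)


if __name__ == "__main__":
    for kind, paths in demo().items():
        for p in paths:
            print(f"{kind:9s} {p}")
```

Run the two snapshot calls around the real sandbox invocation (`before = snapshot(workdir)`, launch bwrap, `after = snapshot(workdir)`) and persist the "before" map if the session is long; because the hashes are taken from the host side, a session that rewrites a file back to its original contents correctly shows no change, while a deleted credentials file or a new symlink is listed explicitly.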


by: longtermop

[dead]

2/3/2026, 8:39:28 PM