Is anyone familiar with pre-existing Nix wrappers for isolating Claude Code?
I am thinking of something like running Claude Code inside either a virtual machine with a volume mount, or a systemd-nspawn container, or even just using rstrict, a CLI that provides simple access to Landlock: unprivileged access control.
Ideally I’d like to just start claude in a directory and it should have access to that directory as the root, as well as network access, but possibly network-restricted by a system configuration. So same convenience, but implied security.
A nix-wrapped bubblewrap around claude is exactly what I’m looking for, thanks for helping me with the words and the hyperlinks. I tried the numtide claudebox and unfortunately can’t start it, so I posted a bug report. I expect that this kind of tool is used by a lot of other people, so since the repository updates its flake inputs automatically every night, it might just be a recent regression.
Somehow, it still says:
Not a security boundary - designed for transparency, not isolation.
which is peculiar, since bubblewrap’s readme is quite realistic about the weaknesses of systemd-nspawn, docker, etc. and says it “could be viewed as setuid implementation of a subset of user namespaces” and links to non-trivial insights like User namespaces + overlayfs = root privileges [LWN].
I might be okay with a realistic-but-weak confidence. The more paranoid of my friends actually run Claude inside a VM and don’t mind the extra graphical windowing. I’d like something more transparent that preserves some security assessment, even though it comes with a few gotchas. For example, breaking the container with ANSI escape sequence abuse.
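As an added example that is not part of the posts above and is not claudebox's code: a minimal bubblewrap wrapper for the setup described in the thread, with one project directory writable, the rest of the filesystem hidden or read-only, and network access kept. The `/work` mount point, the throwaway `/home/sandbox`, the NixOS-style read-only paths and the function names `sandbox_args` and `run_sandboxed` are assumptions.

```shell
# Added example (not from the thread). Assumed layout: NixOS paths, project
# mounted at /work, throwaway HOME. Extend the read-only binds for your setup.

# Print the bwrap options for one project directory, one argument per line.
sandbox_args() (
  project=$(cd -- "$1" 2>/dev/null && pwd -P) || return 1
  home=$(cd -- "${HOME:-/}" 2>/dev/null && pwd -P) || home=
  # Binding / or all of $HOME read-write would defeat the restriction.
  if [ "$project" = "/" ] || [ "$project" = "$home" ]; then
    echo "refusing to expose $project read-write" >&2
    return 1
  fi
  case $project in *'
'*) echo "newline in path is not supported" >&2; return 1 ;; esac
  # --new-session blocks TIOCSTI input injection into the calling terminal;
  # it does not filter escape sequences the sandboxed program prints.
  printf '%s\n' \
    --unshare-all --share-net --die-with-parent --new-session \
    --clearenv --setenv HOME /home/sandbox \
    --setenv PATH "$PATH" --setenv TERM "${TERM:-dumb}" \
    --proc /proc --dev /dev --tmpfs /tmp --tmpfs /home/sandbox \
    --ro-bind /nix/store /nix/store \
    --ro-bind-try /run/current-system /run/current-system \
    --ro-bind-try /etc/static /etc/static \
    --ro-bind-try /etc/resolv.conf /etc/resolv.conf \
    --ro-bind-try /etc/ssl /etc/ssl \
    --bind "$project" /work --chdir /work
)

# Usage: run_sandboxed <project-dir> <command> [args...]
run_sandboxed() {
  dir=$1; shift
  args=$(sandbox_args "$dir") || return 1
  oldifs=$IFS
  IFS='
'
  set -f                      # split on newlines only, no globbing
  set -- $args "$@"
  set +f; IFS=$oldifs
  exec bwrap "$@"
}
```

Because `HOME` is a fresh tmpfs, nothing from the real home directory (credentials, SSH keys, shell history) is visible inside; any state the tool needs to persist has to be bound in explicitly.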