Process sandboxing
Foolproof Boundaries vs Unbounded Foolishness
- HN - For lightweight sandboxing on Linux you can use bubblewrap or firejail instead of Docker.
bubblewrap
bubblewrap works by creating a new, completely empty mount namespace where the root is on a tmpfs that is invisible from the host and is automatically cleaned up when the last process exits. You can then use command-line options to construct the root filesystem, the process environment, and the command to run in the namespace.
The level of protection between the sandboxed processes and the host system is entirely determined by the arguments passed to bubblewrap. Some aspects that require special care are noted here.
Example (packaging bubblewrap):
$ sandbox-run npx @anthropic-ai/claude-code
sandbox-run runs npx (…) transparently inside a Bubblewrap sandbox, exposing only the $PWD. Contrary to many other solutions, it is a few lines of pure POSIX shell.
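Because the protection is entirely determined by the arguments passed to bubblewrap, it helps to see a full argument list. The following is an added example in POSIX shell, not the sandbox-run project's code: the function name `sandbox_run`, the `SANDBOX_DRY_RUN` variable, and the choice of binds are assumptions, as is a merged-/usr host with the wrapped tool installed under /usr and a bwrap that supports `--clearenv`.

```shell
#!/bin/sh
# Added example, not the sandbox-run project's code. Assumes bwrap is on PATH,
# supports --clearenv, and that the host uses a merged /usr layout.

sandbox_run() {
    workdir=$(pwd -P)
    home=$(cd "${HOME:?}" && pwd -P)
    # Binding / or the whole home directory would expose what the sandbox hides.
    case "$workdir" in
        /|"$home") echo "refusing to expose $workdir" >&2; return 2 ;;
    esac
    # A leading dash would be parsed by bwrap as one of its own options.
    case "${1-}" in
        ''|-*) echo "usage: sandbox_run COMMAND [ARGS...]" >&2; return 2 ;;
    esac
    # Order matters: the tmpfs over $HOME is mounted before the project bind,
    # so only the project directory shows through.
    set -- \
        --unshare-all --share-net \
        --die-with-parent --new-session \
        --ro-bind /usr /usr \
        --symlink usr/bin /bin \
        --symlink usr/lib /lib \
        --symlink usr/lib64 /lib64 \
        --ro-bind-try /etc/resolv.conf /etc/resolv.conf \
        --ro-bind-try /etc/ssl /etc/ssl \
        --proc /proc --dev /dev --tmpfs /tmp \
        --tmpfs "$home" \
        --bind "$workdir" "$workdir" \
        --chdir "$workdir" \
        --clearenv \
        --setenv PATH /usr/bin:/bin \
        --setenv HOME "$home" \
        "$@"
    if [ "${SANDBOX_DRY_RUN:-0}" = 1 ]; then
        printf '%s\n' "$@"      # inspect the policy without running anything
    else
        exec bwrap "$@"
    fi
}

if [ "$#" -gt 0 ]; then sandbox_run "$@"; fi
```

Setting `SANDBOX_DRY_RUN=1` prints the argument list one item per line, so the policy can be reviewed before anything runs. `--share-net` is kept only because a tool such as npx needs the network; dropping it leaves the process with no network namespace access at all.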