bubblewrap setup for claude code
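#!/usr/bin/bash
# bubblewrap setup based on https://blog.senko.net/sandboxing-ai-agents-in-linux
#
# Usage: <script-name> COMMAND [ARGS...]
#   Runs COMMAND inside a bubblewrap sandbox: host system directories are
#   visible read-only, a handful of user config/cache directories and the
#   project directory are read-write, /tmp is a private tmpfs.  Only the UTS
#   namespace is unshared, so the network is shared with the host (the tools
#   run inside need it); this isolates the filesystem, not the network.
set -eu

# when working on DokuWiki plugins, I want access to dokuwiki above:
# invoked as `sboxdw` (e.g. through a symlink) the directory three levels up
# is bound instead of the current one.
case "$(basename "$0")" in
  sboxdw) bind_dir="$(realpath "$PWD/../../..")" ;;
  *) bind_dir="$PWD" ;;
esac

# computed once; used for the runtime-dir bind and for XDG_RUNTIME_DIR
uid="$(id -u)"
runtime_dir="/run/user/$uid"

# environment variables to pass through (every other exported variable is
# scrubbed right before bwrap is exec'ed, see below)
env_vars=(
  'LANG'
  'TERM'
  'COLORTERM'
  'HOME'
  'USER'
  'PATH'
  # for X access
  'DISPLAY'
  'XAUTHORITY'
  # git config
  'GIT_COMMITTER_EMAIL' # changes during the day
  'GIT_AUTHOR_EMAIL'    # changes during the day
  'GH_TOKEN'            # for gh cli utility -- a credential: whatever runs in
                        # the sandbox gets the same GitHub access as the user
)

# read-only bind mounts (same source and destination); entries that do not
# exist on this host are skipped silently
ro_binds=(
  # basic host info
  /etc/machine-id
  /etc/alternatives
  /etc/resolv.conf
  /etc/profile.d
  /etc/bash_completion.d
  /etc/ca-certificates
  /etc/ssl
  /etc/ld.so.cache
  /etc/ld.so.conf
  /etc/ld.so.conf.d
  /etc/localtime
  /etc/nsswitch.conf
  /etc/php
  /etc/passwd
  /etc/hosts
  /usr/share
  # standard tools and libs
  /bin
  /lib
  /lib64
  /usr/bin
  /usr/lib
  /usr/local/bin
  /usr/local/lib
  /usr/include
  /opt
  # X GUI Tools (playwright)
  ${XAUTHORITY:+"$XAUTHORITY"} # expands to no element when XAUTHORITY is unset
  /etc/fonts
  /usr/share/fonts   # already inside /usr/share above; harmless duplicate
  /tmp/.X11-unix     # relies on the --tmpfs /tmp in opts being applied first
  /run/dbus
  # user config
  "$HOME/.gitconfig"
  "$HOME/.gitignore"
  "$HOME/.local"
  "$HOME/.bin"
  "$HOME/sync/root/bin"
)

# read-write bind mounts (same source and destination); missing ones are skipped
binds=(
  # for X connections.  NOTE(review): this is the whole per-user runtime dir,
  # so every other socket that lives there (ssh-agent, keyring, wayland, ...
  # whatever the host has) is reachable from the sandbox too; bind the
  # individual sockets instead if that matters.
  "$runtime_dir"
  # for docker (compose) access.  NOTE(review): write access to the Docker
  # socket is equivalent to root on the host, so anything in the sandbox can
  # leave it via Docker -- this is a deliberate hole, keep it in mind.
  "/var/run/docker.sock"
  "$HOME/.npm"
  "$HOME/.claude"
  "$HOME/.claude.json"
  "$HOME/.cache"
  "$bind_dir"
)

# additional bubblewrap options.  bwrap applies its options in order, so the
# tmpfs on /tmp is set up before the binds below are placed inside it.
opts=(
  --tmpfs /tmp
  --dev /dev
  --proc /proc
  # NOTE(review): only UTS is unshared; pid/ipc namespaces and the controlling
  # terminal stay shared with the host.  bwrap's --unshare-pid, --unshare-ipc,
  # --die-with-parent and --new-session tighten that (--new-session costs
  # shell job control inside the sandbox).
  --unshare-uts
  --setenv XDG_RUNTIME_DIR "$runtime_dir" # for X connections
)
for path in "${ro_binds[@]}"; do
  [[ -e "$path" ]] && opts+=(--ro-bind "$path" "$path")
done
for path in "${binds[@]}"; do
  [[ -e "$path" ]] && opts+=(--bind "$path" "$path")
done

# Environment: instead of `--clearenv` plus one `--setenv VAR value` per
# variable, unset every exported variable (and every imported function) that
# is not whitelisted and let bwrap inherit what is left.  The environment
# inside the sandbox is the same as before, but credentials such as GH_TOKEN
# no longer appear on bwrap's command line, which other local users can read
# through ps / /proc/<pid>/cmdline.  (bash still exports `_` with the path of
# the exec'ed program; that is harmless.)  A variable that cannot be unset
# (readonly) aborts the script under `set -e` rather than leaking.
keep=" ${env_vars[*]} "
for var in $(compgen -e); do
  [[ "$keep" == *" $var "* ]] || unset -v "$var"
done
for fn in $(compgen -A function); do
  unset -f "$fn"
done

exec /usr/bin/bwrap "${opts[@]}" -- "$@"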