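#!/bin/bash
#
# Run a command inside a network- and filesystem-restricted sandbox.
#
# Stage 1 (SANDBOX_STAGE unset): records cwd/uid/gid in the environment and
# re-execs this script under `pasta --config-net` (via osc11wrap).
# Stage 2 (SANDBOX_STAGE=nft; pasta has called us back inside its netns with
# CAP_NET_ADMIN): installs an egress-only nftables policy, then execs the
# command under bwrap with the host filesystem read-only, a tmpfs $HOME with
# selected paths bound back in, and the caller's cwd bound read-write.
#
# Usage:        <script> <command> [args...]
# Environment:  HOME, USER (read); SANDBOX_STAGE, SANDBOX_CWD, SANDBOX_UID,
#               SANDBOX_GID (exported by stage 1, consumed by stage 2).
set -euo pipefail

if [ $# -eq 0 ]; then
  printf 'Usage: %s <command> [args...]\n' "$(basename "$0")" >&2
  exit 1
fi

# ── Stage 2: inside pasta's netns ──
if [ "${SANDBOX_STAGE:-}" = "nft" ]; then
  # set -u makes a missing SANDBOX_CWD/SANDBOX_UID/SANDBOX_GID fatal below,
  # so stage 2 cannot be entered without stage 1 having exported them.
  ANTHROPIC_V4="160.79.104.0/23"
  ANTHROPIC_V6="2607:6bc0::/48"

  # Egress policy on the output hook only (no input chain is installed):
  #   - loopback, DNS (53/udp+tcp, to any resolver), RFC1918 and IPv4
  #     link-local (169.254.0.0/16 also covers cloud metadata endpoints —
  #     confirm that is intended on cloud hosts), IPv6 loopback/link-local/ULA,
  #     and the Anthropic ranges are accepted; everything else is rejected
  #     with admin-prohibited rather than silently dropped.
  # The heredoc is unquoted on purpose: $ANTHROPIC_V4/$ANTHROPIC_V6 are
  # expanded by the shell before nft parses the ruleset.
  nft -f - <<EOF
table inet filter {
  chain output {
    type filter hook output priority 0; policy drop;
    oifname "lo" accept
    udp dport 53 accept
    tcp dport 53 accept
    ip daddr { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, 169.254.0.0/16 } accept
    ip6 daddr { ::1/128, fe80::/10, fd00::/8 } accept
    ip daddr $ANTHROPIC_V4 accept
    ip6 daddr $ANTHROPIC_V6 accept
    reject with icmpx admin-prohibited
  }
}
EOF

  # ── Read-only paths to expose under $HOME ──
  RO_HOME_PATHS=(
    .cargo
    .local/bin
    .local/share
    .config/git
    .gitconfig
    .bashrc
    .profile
    .subversion
  )

  # ── Read-write paths under $HOME ──
  # These are bound after the read-only set, so a read-write entry nested
  # under a read-only one (.local/share/pnpm inside .local/share) wins.
  RW_HOME_PATHS=(
    .claude
    .claude.json
    .config/claude
    .rustup
    .local/share/pnpm
  )

  # ── Build bwrap args ──
  # bwrap applies mount operations in the order given. Consequently:
  #   * the tmpfs on $HOME must come before any bind back into $HOME;
  #   * the tmpfs on /tmp must come before the /tmp/project bind, otherwise
  #     the tmpfs would be mounted over it and /tmp/project would be empty.
  args=(
    --ro-bind / /
    --tmpfs "$HOME"
    --bind "$SANDBOX_CWD" "$SANDBOX_CWD"
    --dev /dev
    --proc /proc
    --tmpfs /tmp
    --bind "$SANDBOX_CWD" "/tmp/project"
    --unshare-all
    --share-net
    --die-with-parent
  )

  for p in "${RO_HOME_PATHS[@]}"; do
    src="$HOME/$p"
    if [ -e "$src" ]; then
      args+=(--ro-bind "$src" "$src")
    fi
  done

  for p in "${RW_HOME_PATHS[@]}"; do
    src="$HOME/$p"
    if [ -e "$src" ]; then
      args+=(--bind "$src" "$src")
    fi
  done

  # --share-net keeps pasta's netns (and therefore the nft policy above);
  # bwrap's new user namespace cannot modify that netns.
  exec bwrap "${args[@]}" \
    --uid "$SANDBOX_UID" --gid "$SANDBOX_GID" \
    --setenv USER "$USER" \
    --setenv HOME "$HOME" \
    --setenv RUSTUP_TOOLCHAIN "nightly" \
    "$@"
fi

# ── Stage 1: outside the sandbox ──
# Refuse to run from $HOME or any directory above it: the cwd is bind-mounted
# read-write after the tmpfs on $HOME, so such a bind would re-expose the real
# $HOME (or the whole host filesystem, for cwd=/) inside the sandbox.
cwd="$(pwd)"
if [[ "$HOME" == "$cwd" || "$HOME" == "${cwd%/}"/* ]]; then
  printf '%s\n' "Error: don't run this from \$HOME or a parent of it, it'll punch through the tmpfs" >&2
  exit 1
fi

# Assign and export separately so a failing $(cmd) is not masked by export.
SANDBOX_CWD="$cwd"
SANDBOX_UID="$(id -u)"
SANDBOX_GID="$(id -g)"
export SANDBOX_STAGE=nft SANDBOX_CWD SANDBOX_UID SANDBOX_GID

# pasta creates the netns and re-invokes this script with SANDBOX_STAGE=nft.
exec osc11wrap pasta --config-net -- "$0" "$@"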