Claude Code Isolation and Burner Workflow 260211
Sandboxing Claude Code with Distrobox and Firejail
Overview
This guide documents how to run Claude Code in an isolated environment using two layers of sandboxing:
- Distrobox — runs Claude Code inside a Linux container, isolating it from the host system.
- Firejail — runs inside the container and further restricts Claude Code to a single project directory.
This protects against malicious prompt injection by limiting what Claude Code can access, even if it is tricked into running harmful commands.
Prerequisites
- A Linux host (Fedora, Ubuntu, Arch, etc.)
- Distrobox installed on the host
- BoxBuddy (optional GUI for managing distrobox containers)
- A Claude Code account and API access
Step 1: Install Distrobox and BoxBuddy on the Host
Install distrobox on your host system:
sudo apt install distrobox   # Debian/Ubuntu
sudo dnf install distrobox   # Fedora
yay -S distrobox             # Arch (AUR)
Optionally install BoxBuddy for a graphical interface to manage your containers:
flatpak install flathub io.github.dvlv.boxbuddy
Step 2: Create a Distrobox Container
Create a new container (Ubuntu-based in this example):
distrobox create --name claude-container --image ubuntu:24.04
Enter the container:
distrobox enter claude-container
Or use BoxBuddy to create and enter the container via the GUI.
Step 3: Install Claude Code Inside the Container
Inside the distrobox container, install Node.js (if not already present) and Claude Code:
npm install -g @anthropic-ai/claude-code
Log in and verify it works:
claude
Step 4: Create a Dedicated Project Directory
Inside the container, create the directory where all Claude Code work will happen:
mkdir -p ~/claude_workspace
cd ~/claude_workspace
This is the only directory Claude Code will be able to access when sandboxed.
Step 5: Install Firejail Inside the Container
Inside the distrobox container:
sudo apt install firejail
Verify the installation:
firejail --version
Step 6: Create the Launcher Script
Inside the project directory (~/claude_workspace), create the launcher script run_claude.sh:
nano ~/claude_workspace/run_claude.sh
With the following contents:
#!/bin/bash
# Launch Claude Code sandboxed to this directory using firejail
# Usage: ./run_claude.sh [claude args...]

WORK_DIR="$(cd "$(dirname "$0")" && pwd)"
CLAUDE_DIR="$HOME/.claude"

# Check firejail is installed
if ! command -v firejail &>/dev/null; then
    echo "Error: firejail is not installed. Install with: sudo apt install firejail"
    exit 1
fi

# Check claude is installed
if ! command -v claude &>/dev/null; then
    echo "Error: claude is not installed or not in PATH"
    exit 1
fi

CLAUDE_BIN="$(which claude)"

echo "Starting Claude Code in sandbox..."
echo " Allowed directory: $WORK_DIR"
echo " Config directory: $CLAUDE_DIR (read-only)"
echo ""

exec firejail --noprofile \
    --whitelist="$WORK_DIR" \
    --whitelist="$CLAUDE_DIR" \
    --read-only="$CLAUDE_DIR" \
    --noroot \
    --caps.drop=all \
    "$CLAUDE_BIN" "$@"
Make it executable:
chmod +x ~/claude_workspace/run_claude.sh
Step 7: Launch Claude Code in the Sandbox
Every time you want to use Claude Code, follow these steps:
1. Enter your distrobox container:
distrobox enter claude-container
2. Navigate to the project directory:
cd ~/claude_workspace
3. Run the launcher script:
./run_claude.sh
Claude Code will start, restricted to only the ~/claude_workspace directory.
What Each Layer Protects
| Layer | What it does | What it blocks |
|---|---|---|
| Distrobox | Runs everything in a container | Protects host system files, host packages, and host configuration from changes |
| Firejail | Restricts filesystem access within the container | Blocks access to everything outside ~/claude_workspace, prevents privilege escalation, drops Linux capabilities |
| run_claude.sh | Automates launching with the correct flags | Ensures you never accidentally run Claude Code without the sandbox |
Verifying the Sandbox Works
Once Claude Code is running inside the sandbox, test it by asking Claude to:
- Read a file outside the project directory — should fail
- Run ls ~ — should only show whitelisted directories
- Run sudo anything — should be blocked
- Read ~/.ssh/id_rsa — should be inaccessible
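The checks above can also be scripted. This is an added example, not part of the original guide: a probe script, assumed to be saved under the hypothetical name ~/claude_workspace/verify_sandbox.sh and started with the same firejail flags as run_claude.sh, with bash verify_sandbox.sh in place of "$CLAUDE_BIN" "$@". firejail's --whitelist masks only the top-level directory that holds the whitelisted path (here $HOME), so the report also probes /etc/passwd to show what stays readable outside home.

```shell
#!/bin/bash
# Added example: sandbox probes, meant to be run INSIDE the firejail sandbox.
# Assumed (hypothetical) file name: ~/claude_workspace/verify_sandbox.sh

# Print EXPOSED if a directory can be listed or a file can be read, else BLOCKED.
probe_path() {
    if [ -d "$1" ] && ls -A "$1" >/dev/null 2>&1; then
        echo EXPOSED
    elif [ -f "$1" ] && head -c 1 "$1" >/dev/null 2>&1; then
        echo EXPOSED
    else
        echo BLOCKED
    fi
}

# Print each entry of directory $1 whose name is not in the allow-list ($2...).
unexpected_home_entries() {
    local home="$1" entry name
    shift
    for entry in "$home"/* "$home"/.[!.]*; do
        [ -e "$entry" ] || continue          # unmatched glob stays literal
        name="${entry##*/}"
        case " $* " in *" $name "*) continue ;; esac
        echo "$name"
    done
}

# Succeed if the capability bounding set in a /proc status file is all zeros,
# which is the state --caps.drop=all is expected to leave behind.
capbnd_empty() {
    grep -Eq '^CapBnd:[[:space:]]+0+$' "${1:-/proc/self/status}"
}

# Human-readable report; anything listed under "extra entries" needs a look.
sandbox_report() {
    local home="$1"
    echo "~/.ssh/id_rsa : $(probe_path "$home/.ssh/id_rsa")"
    echo "/etc/passwd   : $(probe_path /etc/passwd) (outside \$HOME, not masked by the whitelist)"
    echo "extra entries : $(unexpected_home_entries "$home" claude_workspace .claude | tr '\n' ' ')"
    if capbnd_empty; then
        echo "capabilities  : dropped"
    else
        echo "capabilities  : NOT dropped"
    fi
}

sandbox_report "${HOME:-/}"
```

Running the same script outside firejail gives the baseline to compare against: ~/.ssh/id_rsa (if present) reports EXPOSED and the capability bounding set is not empty.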
Summary of Commands
# On the host — enter the container
distrobox enter claude-container

# Inside the container — go to the project directory
cd ~/claude_workspace

# Launch Claude Code in the sandbox
./run_claude.sh
Limitations
- Firejail is Linux-only; this will not work on macOS or Windows.
- Claude Code needs network access to reach the Anthropic API, so network is not blocked by default. Add --net=none to run_claude.sh to fully disable networking.
- If ~/.claude is read-only, Claude Code cannot write session data (login tokens). Remove the --read-only line from the script if you wish to persist logins between sessions, though this slightly lowers security.
- Distrobox shares the home directory with the host by default. Firejail's whitelist prevents Claude Code from accessing anything outside the project directory even so.