Claude Cowork runs Linux VM via Apple virtualization framework

Is there an easy way to do something similar for Claude Code? I'm growing tired of babysitting it to make sure it doesn't do anything bad.

Late adopter. Started last night. Stayed up four hours past my normal bedtime because I couldn't stop. (Ended up "building" a fancy .MOD player for DOS in Turbo C.)

Needed the Max 5x plan after two hours. (The 'Pro' plan should be renamed 'Sampler', made one-time and free with CC details.) Max 5x seems like it can sustain my current appetite.

I very quickly went from thinking it was overpriced (around 100 USD/month) to worrying that this pricing can't last. I think I get about 50 working hours per week with this plan. So, running the numbers I guess the hourly cost is about 50 cents.

How about the windows App ?

Is there an easy way to do something similar for Claude Code? I'm growing tired of babysitting it to make sure it doesn't do anything bad.

Late adopter. Started last night. Stayed up four hours past my normal bedtime because I couldn't stop. (Ended up "building" a fancy .MOD player for DOS in Turbo C.)

Needed the Max 5x plan after two hours. (The 'Pro' plan should be renamed 'Sampler', made one-time and free with CC details.) Max 5x seems like it can sustain my current appetite.

Isn't the easy way just a development VM? As in:

Install your OS of choice in a virtual machine, e.g. even hosted on your main machine.

Install the AI coding tool in the virtual machine.

Set up a shared folder between host+guest OS.

Only let the VM access files that are "safe" for it to access. Its own repo, in its own folder.

If you want to give the AI tool and VM internet access and tool access, just limit what it can reach to things it is allowed to go haywire on. All the internet and all OS tools are ok. But don't let this AI do "real things" on "real platforms" -- limit the scope of what it "works on" to development assets.

When deploying to staging or prod, copy/sync files out of the shared folder that the AI develops on, and run them. But check them first for subterfuge.

So, don't give the AI access to "prod" configs/files/services/secrets, or general personal/work data, etc. Manage those in other "folders" entirely, not accessible by the development VM at all.

Is that close?

From within VSCode, you can run devcontainers, which bind mounts the project's directory into an isolated Docker container. Safe for --dangerously-skip-permissions

https://code.visualstudio.com/docs/devcontainers/containers

Use a devcontainer. Claude Code's repo has one built specifically for it:

https://github.com/anthropics/claude-code/tree/main/.devcont...

Simon Willison just posted about using claude in fly.io's dev sandboxes. I have not tried it yet but it looks promising.

https://simonw.substack.com/p/first-impressions-of-claude-co...

Docker desktop has a pretty nice sandbox feature that will also store your CC (and other) credentials, so you don't have to re-auth every time you create a new container.

I built something to use for myself which is organized workspaces to work on many things with Claude in parallel with the ability to run things in VMs and linked web browsers all contained in one app. I built it mostly driven by trying to work on too many things at once and getting lost in a sea of windows and browser tabs.

It is not at all ready for public consumption (a face only a mother could love, in other words it's a bugridden mess), but I've considered polishing it and releasing it to the public either as open source or for profit.

Most of it is written with Claude and I've run into roadblocks with Claude being able to do too many things at once and am rewriting as several libraries to improve the focus for Claude agents.

I have 30 lines of zsh and I just say "dev1" dev2 etc.

And it makes a new lxd container using my base image. Connects using tmux so I can resume anytime after closing the session.

Its like exe.dev or sprites without much effort if you want to self host.

Genuine advice: supplement your Claude Code plan with a GLM Coding plan: https://z.ai/subscribe

GLM 4.7 is not a "Sonnet killer" but it will work just as well for sketching out easier projects, web design and terminal usage. After a while I cancelled my Claude Code plan because I simply didn't do anything that GLM couldn't hammer out equally as well.

Maybe not easy or for everyone but you can set a Virtualbox VM running a headless linux of your choice, install directory sharing like samba and your AI agents of choice. Then you can just have multiple SSH sessions to interact with the agents and `tail` logs.

Isn't the easy way just a development VM? As in:

Install your OS of choice in a virtual machine, e.g. even hosted on your main machine.

Install the AI coding tool in the virtual machine.

Set up a shared folder between host+guest OS.

Only let the VM access files that are "safe" for it to access. Its own repo, in its own folder.

When deploying to staging or prod, copy/sync files out of the shared folder that the AI develops on, and run them. But check them first for subterfuge.

So, don't give the AI access to "prod" configs/files/services/secrets, or general personal/work data, etc. Manage those in other "folders" entirely, not accessible by the development VM at all.

Is that close?

Here are my open-source (MIT) solutions for Mac development:

SandVault [0]: Run AI agents isolated in a sandboxed macOS user account

ClodPod [1]: Run AI agents isolated inside an OSX virtual machine

0: https://github.com/webcoyote/sandvault

1: https://github.com/webcoyote/clodpod

Automating this setup is also somewhat easily possible with, e. G., Lima[0] or HashiCorp vagrant[1].

[0]: https://lima-vm.io/

[1]: https://developer.hashicorp.com/vagrant

Did somewhat exactly that for apple container based sandbox - Coderunner[1]. You can use it to safely execute ai generated code via an MCP at http://coderunner.local:8222

A fun fact about apple containers[2], it's more isolated than docker containers as in it doesn't share the VM across all containers.

1. https://github.com/instavm/coderunner

2. https://github.com/apple/container

I'd just do it over a Docker mount (or equivalent) to keep it a bit more lightweight. Can keep the LLM running local; and teach it how to test/debug via instruction files.

you can also just type “docker sandbox run claude” if you have docker desktop installed (or something along those lines)

edit: it only mounts $PWD

How about the windows App ?

Is that even a sandbox?

I thought it was just a wrapper around an (old) existing tool that has been infinitely rebranded. Their old "remote desktop" program and some web listing capabilities to launch it in "rootless" mode.

Cowork is only available on macOS for now I think.

Did somewhat exactly that for apple container based sandbox - Coderunner[1]. You can use it to safely execute ai generated code via an MCP at http://coderunner.local:8222

A fun fact about apple containers[2], it's more isolated than docker containers as in it doesn't share the VM across all containers.

1. https://github.com/instavm/coderunner

2. https://github.com/apple/container

I'd just do it over a Docker mount (or equivalent) to keep it a bit more lightweight. Can keep the LLM running local; and teach it how to test/debug via instruction files.

From within VSCode, you can run devcontainers, which bind mounts the project's directory into an isolated Docker container. Safe for --dangerously-skip-permissions

https://code.visualstudio.com/docs/devcontainers/containers

Tried this the other day and the setup on this is super cumbersome and requires you to constantly rebuild your entire dev and Claude Code environment every time you use a new container, including whitelisting URLs for package managers and the like.

As a note, running devcontainers in VSCode is easy, but not required. There is also a CLI tool that uses the same specifications.

You can install it with brew or npm.

I have 30 lines of zsh and I just say "dev1" dev2 etc.

And it makes a new lxd container using my base image. Connects using tmux so I can resume anytime after closing the session.

Its like exe.dev or sprites without much effort if you want to self host.

Simon Willison just posted about using claude in fly.io's dev sandboxes. I have not tried it yet but it looks promising.

https://simonw.substack.com/p/first-impressions-of-claude-co...

Genuine advice: supplement your Claude Code plan with a GLM Coding plan: https://z.ai/subscribe

Docker desktop has a pretty nice sandbox feature that will also store your CC (and other) credentials, so you don't have to re-auth every time you create a new container.

Funnily enough, we shipped the Docker Desktop VM a decade ago now (experience report at https://dl.acm.org/doi/10.1145/3747525). The embedded VM in DD is much more stripped down than the one in Claude Cowork (its based on https://github.com/linuxkit/linuxkit), and its more specialised to container workloads rather than just using bubblewrap for sandboxing (system services run in their own isolated namespaces).

Given how many products seem to be using this shipping-Linux-as-a-library-VM trick these days, it's probably a good time for an open source project to step up to supply a more reusable way of assembling this layer into a proper Mac library...

Use a devcontainer. Claude Code's repo has one built specifically for it:

https://github.com/anthropics/claude-code/tree/main/.devcont...

The Claude Code devcontainer works really well, especially the firewalling script! I had do a bit of GitHub Actions spelunking to figure out how to build binary images (with my own devtools preinstalled), which I wrote up here: https://anil.recoil.org/notes/ocaml-claude-dev

With this I have a nice loop where I get Claude to analyse its own sessions via a cronjob and rewrite my devcontainer Dockerfile to have any packages that I've started using during the interactive sessions. This rebuilds via GHActions and my fresh image the next day has an updated Claude and dev environment in a sandbox.

Most of it is written with Claude and I've run into roadblocks with Claude being able to do too many things at once and am rewriting as several libraries to improve the focus for Claude agents.

> The sandboxed bash tool uses OS-level primitives to enforce both filesystem and network isolation.

As I can't trust Claude Code to use a correct shell, I don't know why I would trust this feature.

Note that there are reports that it can disable sandbox, so personally I wouldn't trust this.

Automating this setup is also somewhat easily possible with, e. G., Lima[0] or HashiCorp vagrant[1].

[0]: https://lima-vm.io/

[1]: https://developer.hashicorp.com/vagrant

you can also just type “docker sandbox run claude” if you have docker desktop installed (or something along those lines)

edit: it only mounts $PWD

Here are my open-source (MIT) solutions for Mac development:

SandVault [0]: Run AI agents isolated in a sandboxed macOS user account

ClodPod [1]: Run AI agents isolated inside an OSX virtual machine

0: https://github.com/webcoyote/sandvault

1: https://github.com/webcoyote/clodpod

Thanks for sharing. Which one do you use for what?

Cowork is only available on macOS for now I think.

As a note, running devcontainers in VSCode is easy, but not required. There is also a CLI tool that uses the same specifications.

You can install it with brew or npm.

I assume that you are talking about the [devcontainers LCI](https://github.com/devcontainers/cli) when you say "a CLI"?

There are techniques to mitigate this. You can reuse containers instead of creating a new one each time. You can mount in directories (like ~/.claude) from your local machine so you dont have to set claude up each time.

Is that even a sandbox?

I thought it was just a wrapper around an (old) existing tool that has been infinitely rebranded. Their old "remote desktop" program and some web listing capabilities to launch it in "rootless" mode.

Yes, there is a sandbox.

https://simonwillison.net/2026/Jan/12/claude-cowork/

That’s the point of this gist, and the related blog post.

Also, it’s a bit of a stretch to call Claude Code, which isn’t even a year old…old.

Note that there are reports that it can disable sandbox, so personally I wouldn't trust this.

> The sandboxed bash tool uses OS-level primitives to enforce both filesystem and network isolation.

As I can't trust Claude Code to use a correct shell, I don't know why I would trust this feature.

Thanks for sharing. Which one do you use for what?

I use agents in a container and persist their config like you suggest. After seeing some interest I shared my setup at https://github.com/asfaload/agents_container It works fine for me on Linux.

I assume that you are talking about the [devcontainers LCI](https://github.com/devcontainers/cli) when you say "a CLI"?

Yes. I probably should have included the link.

I stated using devcontainers through VSCode and find them incredibly helpful. It’s great for me to be able to load up exact coding environments on different computers. But, I only used them through VSCode.

When I wanted to branch out a bit (and especially using coding agents), I started using the CLI version more. I find devcontainers a great way to work with different coding projects and wanted to make sure people knew that there was a way to use them outside of VSCode.

Yes, there is a sandbox.

https://simonwillison.net/2026/Jan/12/claude-cowork/

That’s the point of this gist, and the related blog post.

Also, it’s a bit of a stretch to call Claude Code, which isn’t even a year old…old.

sorry, thought you meant the “Windows App” from microsoft.

https://apps.apple.com/us/app/windows-app/id1295203466

I use agents in a container and persist their config like you suggest. After seeing some interest I shared my setup at https://github.com/asfaload/agents_container It works fine for me on Linux.

sorry, thought you meant the “Windows App” from microsoft.

https://apps.apple.com/us/app/windows-app/id1295203466

Yes. I probably should have included the link.

Generated: January 13, 2026 Session ID: brave-loving-maxwell

Executive Summary

This report details the Linux container environment powering the Claude AI assistant's "Cowork mode." The environment is a lightweight, highly sandboxed Ubuntu 22.04 LTS virtual machine running on ARM64 architecture, designed to provide secure code execution capabilities while maintaining strict isolation from the host system.

System Overview

Operating System

Distribution: Ubuntu 22.04.5 LTS (Jammy Jellyfish)
Kernel: Linux 6.8.0-90-generic (PREEMPT_DYNAMIC)
Architecture: aarch64 (ARM64)
Hostname: claude

Hardware Resources

Resource	Specification
CPU	4 ARM64 cores @ 48 BogoMIPS each
RAM	3.8 GiB total, ~2.8 GiB available
Swap	None configured
Root Disk	10 GB NVMe (nvme0n1)
Session Disk	10 GB NVMe (nvme1n1)

CPU Features

The ARM64 processor includes advanced features such as hardware cryptographic acceleration (AES, SHA1, SHA2, SHA3, SHA512), atomic operations, pointer authentication (PACA/PACG), and branch target identification (BTI) for security.

Sandboxing Architecture

Bubblewrap (bwrap) Isolation

The container uses Bubblewrap as its primary sandboxing mechanism. Key isolation features include:

Network Isolation: --unshare-net creates a separate network namespace
PID Isolation: --unshare-pid provides process namespace isolation
Die-with-parent: Container terminates when parent process exits
New Session: Prevents terminal hijacking attacks

Seccomp Filtering

The environment employs strict seccomp (Secure Computing Mode) filtering:

Seccomp Mode: 2 (filter mode)
Active Filters: 2 seccomp filters applied
NoNewPrivs: Enabled (prevents privilege escalation)
Capabilities: All capabilities dropped (CapEff = 0)

A custom BPF (Berkeley Packet Filter) program at /usr/local/lib/node_modules_global/lib/node_modules/@anthropic-ai/sandbox-runtime/vendor/seccomp/arm64/unix-block.bpf enforces syscall restrictions.

Network Proxy Architecture

All network traffic is proxied through local tunnels:

Protocol	Proxy
HTTP/HTTPS	`http://localhost:3128`
SOCKS5	`socks5h://localhost:1080`
FTP/GRPC	`socks5h://localhost:1080`

socat processes forward traffic through Unix sockets to the host:

HTTP: /tmp/claude-http-*.sock
SOCKS: /tmp/claude-socks-*.sock

Filesystem Layout

Disk Partitions

Device	Mount Point	Size	Usage	Filesystem
nvme0n1p1	/	9.6G	75%	ext4
nvme0n1p15	/boot/efi	98M	7%	vfat
nvme1n1	/sessions	10G	<1%	ext4

Session Directory Structure

/sessions/brave-loving-maxwell/
├── .bash_logout
├── .bashrc
├── .profile
├── mnt/
│   ├── .claude/          # Claude configuration
│   ├── .skills/          # Available skill modules
│   │   └── skills/
│   │       ├── algorithmic-art/
│   │       ├── canvas-design/
│   │       ├── docx/
│   │       ├── pdf/
│   │       ├── pptx/
│   │       ├── skill-creator/
│   │       └── xlsx/
│   ├── outputs/          # User-accessible output directory
│   └── uploads/          # User file uploads
└── tmp/                  # Temporary files

BindFS Mounts

Several directories use bindfs to map host filesystem locations with controlled permissions:

/sessions/brave-loving-maxwell/mnt/.skills (927G available - host disk)
/sessions/brave-loving-maxwell/mnt/outputs (user's workspace folder)
/sessions/brave-loving-maxwell/mnt/uploads (uploaded files)
/sessions/brave-loving-maxwell/mnt/.claude (configuration)

Installed Software

Development Tools

The environment includes approximately 1,201 packages. Key development tools:

Tool	Version
Python	3.10.12
Node.js	22.21.0
npm	10.9.4
pip	22.0.2
GCC	11.4.0
Java (OpenJDK)	11.0.29

Note: Go, Rust, and Docker are not available in this environment.

Snap Packages

core20 (versions 2683, 2690)
lxd (version 36562)
snapd (versions 25585, 25939)

Process Architecture

Running Processes

PID	Process	Description
1	bwrap	Bubblewrap sandbox orchestrator
2	bash	Shell wrapper managing proxy daemons
3	socat	HTTP proxy forwarder (port 3128)
4	socat	SOCKS proxy forwarder (port 1080)
5	claude	Main Claude Code agent process

The main Claude process runs with the claude-opus-4-5-20251101 model and has access to specific allowed tools: Task, Bash, Glob, Grep, Read, Edit, Write, and more.

MCP (Model Context Protocol) Servers

Two MCP servers are configured:

Claude in Chrome - Browser automation capabilities
b89c1e3a-f5c6-4dec-9d8a-0b3db0a78353 - Cloudflare integration

Resource Limits

Limit	Value
Open Files	524,288
Max User Processes	14,813
Stack Size	8 MB
Max Locked Memory	8 MB
CPU Time	Unlimited
Virtual Memory	Unlimited
File Size	Unlimited

User and Permissions

Current User

Username: brave-loving-maxwell
UID/GID: 1002:1002
Home: /sessions/brave-loving-maxwell
Shell: /bin/bash

Permission Model

User runs with zero capabilities
NoNewPrivs flag prevents privilege escalation
Seccomp filters restrict available syscalls
Network access only via controlled proxies

Security Analysis

Strengths

Multi-layer Isolation: Combines namespace isolation, seccomp filtering, and capability dropping
Network Control: All traffic proxied and monitorable
Ephemeral Sessions: Filesystem resets between tasks (except workspace folder)
No Root Access: User has no elevated privileges
Die-with-parent: Ensures cleanup on session termination

Architecture Diagram

┌─────────────────────────────────────────────────────────┐
│                     Host System                          │
│  ┌───────────────────────────────────────────────────┐  │
│  │              Bubblewrap Sandbox                    │  │
│  │  ┌─────────────────────────────────────────────┐  │  │
│  │  │            Ubuntu 22.04 VM                   │  │  │
│  │  │  ┌────────────────────────────────────────┐ │  │  │
│  │  │  │         Claude Code Agent              │ │  │  │
│  │  │  │  - Opus 4.5 Model                      │ │  │  │
│  │  │  │  - Tool Access (Bash, Read, Write...)  │ │  │  │
│  │  │  └────────────────────────────────────────┘ │  │  │
│  │  │                     │                        │  │  │
│  │  │  ┌─────────┐   ┌────┴────┐   ┌───────────┐  │  │  │
│  │  │  │ socat   │   │ socat   │   │ Session   │  │  │  │
│  │  │  │ :3128   │   │ :1080   │   │ Storage   │  │  │  │
│  │  │  └────┬────┘   └────┬────┘   └───────────┘  │  │  │
│  │  └───────┼─────────────┼───────────────────────┘  │  │
│  └──────────┼─────────────┼──────────────────────────┘  │
│             │             │                              │
│      Unix Socket    Unix Socket                          │
│             │             │                              │
│         HTTP Proxy    SOCKS Proxy                        │
└─────────────────────────────────────────────────────────┘

Conclusion

This container environment represents a thoughtfully designed sandbox for AI-assisted computing. It balances functionality (full development toolchain, file manipulation, network access) with security (strict isolation, capability dropping, traffic monitoring). The ephemeral nature of the session filesystem combined with persistent workspace folders provides both safety and utility for end users.

The environment is specifically optimized for the Claude Code agent, providing the tools necessary for code execution, file creation, and web access while maintaining strong isolation boundaries to protect both the user's system and the broader infrastructure.

Hacker Times