# Claude Cowork runs a Linux VM via Apple's Virtualization framework

Original link: https://gist.github.com/simonw/35732f187edbe4fbd0bf976d013f22c8

## Summary of the Claude "Cowork mode" container environment

The Claude AI assistant's "Cowork mode" runs in a highly secure, sandboxed Linux container environment. The container is based on Ubuntu 22.04 LTS and built for the ARM64 architecture; it is isolated from the host system primarily through Bubblewrap, with separate network and PID namespaces and a "die-with-parent" policy. Security is further hardened by strict seccomp filtering, dropped capabilities, and hardware-accelerated cryptography. All network traffic is proxied through local tunnels so that it can be monitored and controlled. The environment has a 10 GB root disk and a 10 GB session disk, with user files stored in a persistent workspace and an uploads directory. It includes a full development toolchain (Python, Node.js, GCC, Java) but not Go, Rust or Docker. The core process runs the Claude Opus 4.5 model and has access to tools such as Bash, Read and Write. The design balances functionality against strong security measures (ephemeral sessions, no root access, and multi-layer isolation) to create a secure, controllable environment for AI-assisted code execution and file manipulation.

## Claude Code and secure AI development: summary

A Hacker News discussion centres on using AI coding assistants such as Claude Code safely, in particular concerns about risks such as unwanted file modifications or credential leakage. Many users share solutions for isolating Claude Code in a sandboxed environment. Popular approaches include virtual machines through Apple's Virtualization framework (as demonstrated by "Claude Cowork"), Docker containers (devcontainers in VSCode are a convenient option), and tools built for Mac development such as Lima, Vagrant, SandVault and ClodPod. The core idea is to restrict the AI's access to sensitive files and systems, confining it to development resources. Users also suggest using the web version of Claude Code or persisting configuration between container sessions. Although Claude Code offers a built-in sandbox, some doubt its reliability. Many users recommend combining Claude Code with other models (such as GLM) for less demanding tasks. The discussion underscores the importance of proactive security measures when integrating AI coding tools into development workflows.

## Original text

Generated: January 13, 2026 Session ID: brave-loving-maxwell


This report details the Linux container environment powering the Claude AI assistant's "Cowork mode." The environment is a lightweight, highly sandboxed Ubuntu 22.04 LTS virtual machine running on ARM64 architecture, designed to provide secure code execution capabilities while maintaining strict isolation from the host system.


  • Distribution: Ubuntu 22.04.5 LTS (Jammy Jellyfish)
  • Kernel: Linux 6.8.0-90-generic (PREEMPT_DYNAMIC)
  • Architecture: aarch64 (ARM64)
  • Hostname: claude
Resource Specification

| Resource | Value |
|---|---|
| CPU | 4 ARM64 cores @ 48 BogoMIPS each |
| RAM | 3.8 GiB total, ~2.8 GiB available |
| Swap | None configured |
| Root Disk | 10 GB NVMe (nvme0n1) |
| Session Disk | 10 GB NVMe (nvme1n1) |

The ARM64 processor includes advanced features such as hardware cryptographic acceleration (AES, SHA1, SHA2, SHA3, SHA512), atomic operations, pointer authentication (PACA/PACG), and branch target identification (BTI) for security.


Bubblewrap (bwrap) Isolation

The container uses Bubblewrap as its primary sandboxing mechanism. Key isolation features include:

  • Network Isolation: --unshare-net creates a separate network namespace
  • PID Isolation: --unshare-pid provides process namespace isolation
  • Die-with-parent: Container terminates when parent process exits
  • New Session: Prevents terminal hijacking attacks

The environment employs strict seccomp (Secure Computing Mode) filtering:

  • Seccomp Mode: 2 (filter mode)
  • Active Filters: 2 seccomp filters applied
  • NoNewPrivs: Enabled (prevents privilege escalation)
  • Capabilities: All capabilities dropped (CapEff = 0)

A custom BPF (Berkeley Packet Filter) program at /usr/local/lib/node_modules_global/lib/node_modules/@anthropic-ai/sandbox-runtime/vendor/seccomp/arm64/unix-block.bpf enforces syscall restrictions.

Network Proxy Architecture

All network traffic is proxied through local tunnels:

| Protocol | Proxy |
|---|---|
| HTTP/HTTPS | http://localhost:3128 |
| SOCKS5 | socks5h://localhost:1080 |
| FTP/GRPC | socks5h://localhost:1080 |

socat processes forward traffic through Unix sockets to the host:

  • HTTP: /tmp/claude-http-*.sock
  • SOCKS: /tmp/claude-socks-*.sock
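The seccomp/capability properties listed above and the localhost-only proxy rule can be checked from inside a session. The following is an added example, not code from the report or from the sandbox-runtime package; the status snapshot is constructed to mirror the report's values, and `status_field`, `audit_status` and `proxy_url_ok` are names chosen here.

```shell
#!/bin/sh
# Added example: audit a /proc/<pid>/status snapshot and proxy URLs against the
# properties the report describes (seccomp filter mode, NoNewPrivs, empty CapEff,
# localhost-only proxies with remote DNS resolution).

# Constructed snapshot in /proc/<pid>/status format, mirroring the report's
# values; this is not captured output.
SAMPLE_STATUS='Name:	claude
Seccomp:	2
Seccomp_filters:	2
NoNewPrivs:	1
CapEff:	0000000000000000'

# status_field CONTENT KEY: print the value of the "KEY:" line (empty if absent).
status_field() {
    printf '%s\n' "$1" | awk -v key="$2:" '$1 == key { print $2; exit }'
}

# audit_status CONTENT: print one PASS/FAIL line per check; succeed only if all pass.
audit_status() {
    rc=0
    if [ "$(status_field "$1" Seccomp)" = 2 ]; then
        echo "PASS Seccomp=2 (filter mode)"
    else
        echo "FAIL Seccomp is not in filter mode"; rc=1
    fi
    if [ "$(status_field "$1" NoNewPrivs)" = 1 ]; then
        echo "PASS NoNewPrivs set"
    else
        echo "FAIL NoNewPrivs not set"; rc=1
    fi
    # CapEff is a hex bitmask; any non-zero digit means a capability survived.
    case "$(status_field "$1" CapEff)" in
        *[1-9a-fA-F]*) echo "FAIL CapEff is non-zero"; rc=1 ;;
        ?*)            echo "PASS CapEff is empty" ;;
        *)             echo "FAIL CapEff line missing"; rc=1 ;;
    esac
    return $rc
}

# proxy_url_ok URL: accept only the report's localhost proxies. The SOCKS URL must
# use socks5h (not socks5) so hostnames are resolved by the proxy, not the sandbox.
proxy_url_ok() {
    case "$1" in
        http://localhost:3128|http://localhost:3128/) return 0 ;;
        socks5h://localhost:1080)                     return 0 ;;
        *)                                            return 1 ;;
    esac
}
```

To run the same checks on a live process, pass `$(cat /proc/self/status)` to `audit_status`.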

| Device | Mount Point | Size | Usage | Filesystem |
|---|---|---|---|---|
| nvme0n1p1 | / | 9.6G | 75% | ext4 |
| nvme0n1p15 | /boot/efi | 98M | 7% | vfat |
| nvme1n1 | /sessions | 10G | <1% | ext4 |

Session Directory Structure

```
/sessions/brave-loving-maxwell/
├── .bash_logout
├── .bashrc
├── .profile
├── mnt/
│   ├── .claude/          # Claude configuration
│   ├── .skills/          # Available skill modules
│   │   └── skills/
│   │       ├── algorithmic-art/
│   │       ├── canvas-design/
│   │       ├── docx/
│   │       ├── pdf/
│   │       ├── pptx/
│   │       ├── skill-creator/
│   │       └── xlsx/
│   ├── outputs/          # User-accessible output directory
│   └── uploads/          # User file uploads
└── tmp/                  # Temporary files
```

Several directories use bindfs to map host filesystem locations with controlled permissions:

  • /sessions/brave-loving-maxwell/mnt/.skills (927G available - host disk)
  • /sessions/brave-loving-maxwell/mnt/outputs (user's workspace folder)
  • /sessions/brave-loving-maxwell/mnt/uploads (uploaded files)
  • /sessions/brave-loving-maxwell/mnt/.claude (configuration)

The environment includes approximately 1,201 packages. Key development tools:

| Tool | Version |
|---|---|
| Python | 3.10.12 |
| Node.js | 22.21.0 |
| npm | 10.9.4 |
| pip | 22.0.2 |
| GCC | 11.4.0 |
| Java (OpenJDK) | 11.0.29 |

Note: Go, Rust, and Docker are not available in this environment.

  • core20 (versions 2683, 2690)
  • lxd (version 36562)
  • snapd (versions 25585, 25939)

| PID | Process | Description |
|---|---|---|
| 1 | bwrap | Bubblewrap sandbox orchestrator |
| 2 | bash | Shell wrapper managing proxy daemons |
| 3 | socat | HTTP proxy forwarder (port 3128) |
| 4 | socat | SOCKS proxy forwarder (port 1080) |
| 5 | claude | Main Claude Code agent process |

The main Claude process runs with the claude-opus-4-5-20251101 model and has access to specific allowed tools: Task, Bash, Glob, Grep, Read, Edit, Write, and more.

MCP (Model Context Protocol) Servers

Two MCP servers are configured:

  1. Claude in Chrome - Browser automation capabilities
  2. b89c1e3a-f5c6-4dec-9d8a-0b3db0a78353 - Cloudflare integration

| Limit | Value |
|---|---|
| Open Files | 524,288 |
| Max User Processes | 14,813 |
| Stack Size | 8 MB |
| Max Locked Memory | 8 MB |
| CPU Time | Unlimited |
| Virtual Memory | Unlimited |
| File Size | Unlimited |

  • Username: brave-loving-maxwell
  • UID/GID: 1002:1002
  • Home: /sessions/brave-loving-maxwell
  • Shell: /bin/bash
  • User runs with zero capabilities
  • NoNewPrivs flag prevents privilege escalation
  • Seccomp filters restrict available syscalls
  • Network access only via controlled proxies

  1. Multi-layer Isolation: Combines namespace isolation, seccomp filtering, and capability dropping
  2. Network Control: All traffic proxied and monitorable
  3. Ephemeral Sessions: Filesystem resets between tasks (except workspace folder)
  4. No Root Access: User has no elevated privileges
  5. Die-with-parent: Ensures cleanup on session termination

```
┌─────────────────────────────────────────────────────────┐
│                     Host System                          │
│  ┌───────────────────────────────────────────────────┐  │
│  │              Bubblewrap Sandbox                    │  │
│  │  ┌─────────────────────────────────────────────┐  │  │
│  │  │            Ubuntu 22.04 VM                   │  │  │
│  │  │  ┌────────────────────────────────────────┐ │  │  │
│  │  │  │         Claude Code Agent              │ │  │  │
│  │  │  │  - Opus 4.5 Model                      │ │  │  │
│  │  │  │  - Tool Access (Bash, Read, Write...)  │ │  │  │
│  │  │  └────────────────────────────────────────┘ │  │  │
│  │  │                     │                        │  │  │
│  │  │  ┌─────────┐   ┌────┴────┐   ┌───────────┐  │  │  │
│  │  │  │ socat   │   │ socat   │   │ Session   │  │  │  │
│  │  │  │ :3128   │   │ :1080   │   │ Storage   │  │  │  │
│  │  │  └────┬────┘   └────┬────┘   └───────────┘  │  │  │
│  │  └───────┼─────────────┼───────────────────────┘  │  │
│  └──────────┼─────────────┼──────────────────────────┘  │
│             │             │                              │
│      Unix Socket    Unix Socket                          │
│             │             │                              │
│         HTTP Proxy    SOCKS Proxy                        │
└─────────────────────────────────────────────────────────┘
```

This container environment represents a thoughtfully designed sandbox for AI-assisted computing. It balances functionality (full development toolchain, file manipulation, network access) with security (strict isolation, capability dropping, traffic monitoring). The ephemeral nature of the session filesystem combined with persistent workspace folders provides both safety and utility for end users.

The environment is specifically optimized for the Claude Code agent, providing the tools necessary for code execution, file creation, and web access while maintaining strong isolation boundaries to protect both the user's system and the broader infrastructure.
