# sandbox

> Landlock-based sandbox for CLI agents. Use when running untrusted code or protecting sensitive files.

- Author: Charles Cooper
- Repository: charles-cooper/agent-sandbox
- Version: 20260124193856
- Stars: 0
- Forks: 0
- Last Updated: 2026-02-06
- Source: https://github.com/charles-cooper/agent-sandbox
- Web: https://mule.run/skillshub/@@charles-cooper/agent-sandbox~sandbox:20260124193856

---

---
name: sandbox
description: Landlock-based sandbox for CLI agents. Use when running untrusted code or protecting sensitive files.
---

# Sandbox

Landlock-based sandbox using `landrun-agent` wrapper.

## Quick Reference

```bash
# Sandboxed by default (shell functions)
pi                              # sandboxed pi
claude                          # sandboxed claude

# Generic sandbox
sandbox npm install             # sandbox any command
sandbox --rw ./dist npm build   # with extra write path

# Escape hatches (use sparingly)
unsafe-pi                       # unsandboxed
unsafe-claude
```

## Per-Project Config

Create `.sandbox` in project root:

```
rw:./dist,./build              # extra read-write paths
ro:~/.aws                      # extra read-only paths
env:DATABASE_URL               # extra env vars
tcp:5432                       # extra TCP ports (443,80 default)
```

## Debugging

```bash
# See full landrun command
DEBUG=1 pi 2>&1 | head -20

# Check permission errors
strace -f landrun-agent --rw . pi 2>&1 | grep EPERM

# Verbose landrun
landrun --log-level debug --ldd --add-exec --ro /usr,/lib --rw . $(which pi)
```

## Default Permissions

**Read**: `/usr`, `/lib`, `/etc/ssl`, `~/.config/pi`, `~/.cache`, `~/.gitconfig`
**Write**: None (must pass `--rw` or use `.sandbox`)
**Network**: TCP 443, 80

**Protected by omission**: `~/.ssh`, `~/.gnupg`, `~/.aws`, `~/.config/gh`, `~/.password-store`

## Troubleshooting

| Issue | Solution |
|-------|----------|
| Permission denied | Check if path is in RO/RW allowlist |
| Library not found | `--ldd` should handle; check `ldd $(which cmd)` |
| Network blocked | Kernel 6.7+ required; check `uname -r` |
| Need full access | Use `unsafe-pi` / `unsafe-claude` consciously |

## Limitations

- Port-based network filtering only (no domain filtering)
- No glob patterns (Landlock uses concrete paths)
- `--rw ~` defeats the purpose - keep writes minimal