linux-container-environment-report.md

Generated: January 13, 2026
Session ID: brave-loving-maxwell


Executive Summary

This report details the Linux container environment powering the Claude AI assistant's "Cowork mode." The environment is a lightweight, highly sandboxed Ubuntu 22.04 LTS virtual machine running on ARM64 architecture, designed to provide secure code execution capabilities while maintaining strict isolation from the host system.


System Overview

Operating System

  • Distribution: Ubuntu 22.04.5 LTS (Jammy Jellyfish)
  • Kernel: Linux 6.8.0-90-generic (PREEMPT_DYNAMIC)
  • Architecture: aarch64 (ARM64)
  • Hostname: claude

Hardware Resources

| Resource | Specification |
| --- | --- |
| CPU | 4 ARM64 cores @ 48 BogoMIPS each |
| RAM | 3.8 GiB total, ~2.8 GiB available |
| Swap | None configured |
| Root Disk | 10 GB NVMe (nvme0n1) |
| Session Disk | 10 GB NVMe (nvme1n1) |

CPU Features

The ARM64 processor includes advanced features such as hardware cryptographic acceleration (AES, SHA1, SHA2, SHA3, SHA512), atomic operations, pointer authentication (PACA/PACG), and branch target identification (BTI) for security.


Sandboxing Architecture

Bubblewrap (bwrap) Isolation

The container uses Bubblewrap as its primary sandboxing mechanism. Key isolation features include:

  • Network Isolation: --unshare-net creates a separate network namespace
  • PID Isolation: --unshare-pid provides process namespace isolation
  • Die-with-parent: Container terminates when parent process exits
  • New Session: Prevents terminal hijacking attacks

Seccomp Filtering

The environment employs strict seccomp (Secure Computing Mode) filtering:

  • Seccomp Mode: 2 (filter mode)
  • Active Filters: 2 seccomp filters applied
  • NoNewPrivs: Enabled (prevents privilege escalation)
  • Capabilities: All capabilities dropped (CapEff = 0)

A custom BPF (Berkeley Packet Filter) program at /usr/local/lib/node_modules_global/lib/node_modules/@anthropic-ai/sandbox-runtime/vendor/seccomp/arm64/unix-block.bpf enforces syscall restrictions.
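
The four settings listed above are all visible in /proc/<pid>/status, so they can be checked from inside the sandbox. The script below is an added example, not part of the original report or of the sandbox runtime's own code; the sample text is constructed to mirror the values reported here, and the checks on CapPrm, CapInh and CapAmb go beyond the CapEff value the report states.

```python
# Added example: audit the hardening fields of a /proc/<pid>/status file.
# Constructed sample mirroring the values in this report (not captured output).
SAMPLE_STATUS = """\
Name:\tbash
CapInh:\t0000000000000000
CapPrm:\t0000000000000000
CapEff:\t0000000000000000
CapBnd:\t0000000000000000
CapAmb:\t0000000000000000
NoNewPrivs:\t1
Seccomp:\t2
Seccomp_filters:\t2
"""

SECCOMP_MODES = {0: "disabled", 1: "strict", 2: "filter"}
# CapBnd is only an upper bound, not a grant, so it is not checked here.
GRANTING_SETS = ("CapEff", "CapPrm", "CapInh", "CapAmb")


def parse_status(text):
    """Return the 'Key:<tab>value' lines of a status file as a dict."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip()] = value.strip()
    return fields


def audit(text):
    """Return a list of findings; an empty list means every check passed."""
    f = parse_status(text)
    findings = []
    mode = int(f.get("Seccomp", "0"))
    if mode != 2:
        findings.append(f"seccomp mode is {SECCOMP_MODES.get(mode, mode)}, expected filter")
    # Seccomp_filters needs Linux >= 5.9; a missing field is reported, not trusted.
    if int(f.get("Seccomp_filters", "0")) < 1:
        findings.append("no seccomp filter count reported")
    if f.get("NoNewPrivs") != "1":
        findings.append("NoNewPrivs is not set")
    for name in GRANTING_SETS:
        value = f.get(name)
        if value is None or int(value, 16) != 0:  # hex capability bitmask
            findings.append(f"{name} is {value or 'missing'}, expected all zeros")
    return findings


if __name__ == "__main__":
    print(audit(open("/proc/self/status").read()) or "all checks passed")
```
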

Network Proxy Architecture

All network traffic is proxied through local tunnels:

| Protocol | Proxy |
| --- | --- |
| HTTP/HTTPS | http://localhost:3128 |
| SOCKS5 | socks5h://localhost:1080 |
| FTP/GRPC | socks5h://localhost:1080 |

socat processes forward traffic through Unix sockets to the host:

  • HTTP: /tmp/claude-http-*.sock
  • SOCKS: /tmp/claude-socks-*.sock

Filesystem Layout

Disk Partitions

| Device | Mount Point | Size | Usage | Filesystem |
| --- | --- | --- | --- | --- |
| nvme0n1p1 | / | 9.6G | 75% | ext4 |
| nvme0n1p15 | /boot/efi | 98M | 7% | vfat |
| nvme1n1 | /sessions | 10G | <1% | ext4 |

Session Directory Structure

/sessions/brave-loving-maxwell/
├── .bash_logout
├── .bashrc
├── .profile
├── mnt/
│   ├── .claude/          # Claude configuration
│   ├── .skills/          # Available skill modules
│   │   └── skills/
│   │       ├── algorithmic-art/
│   │       ├── canvas-design/
│   │       ├── docx/
│   │       ├── pdf/
│   │       ├── pptx/
│   │       ├── skill-creator/
│   │       └── xlsx/
│   ├── outputs/          # User-accessible output directory
│   └── uploads/          # User file uploads
└── tmp/                  # Temporary files

BindFS Mounts

Several directories use bindfs to map host filesystem locations with controlled permissions:

  • /sessions/brave-loving-maxwell/mnt/.skills (927G available - host disk)
  • /sessions/brave-loving-maxwell/mnt/outputs (user's workspace folder)
  • /sessions/brave-loving-maxwell/mnt/uploads (uploaded files)
  • /sessions/brave-loving-maxwell/mnt/.claude (configuration)

Installed Software

Development Tools

The environment includes approximately 1,201 packages. Key development tools:

| Tool | Version |
| --- | --- |
| Python | 3.10.12 |
| Node.js | 22.21.0 |
| npm | 10.9.4 |
| pip | 22.0.2 |
| GCC | 11.4.0 |
| Java (OpenJDK) | 11.0.29 |

Note: Go, Rust, and Docker are not available in this environment.

Snap Packages

  • core20 (versions 2683, 2690)
  • lxd (version 36562)
  • snapd (versions 25585, 25939)

Process Architecture

Running Processes

| PID | Process | Description |
| --- | --- | --- |
| 1 | bwrap | Bubblewrap sandbox orchestrator |
| 2 | bash | Shell wrapper managing proxy daemons |
| 3 | socat | HTTP proxy forwarder (port 3128) |
| 4 | socat | SOCKS proxy forwarder (port 1080) |
| 5 | claude | Main Claude Code agent process |

The main Claude process runs with the claude-opus-4-5-20251101 model and has access to specific allowed tools: Task, Bash, Glob, Grep, Read, Edit, Write, and more.

MCP (Model Context Protocol) Servers

Two MCP servers are configured:

  1. Claude in Chrome - Browser automation capabilities
  2. b89c1e3a-f5c6-4dec-9d8a-0b3db0a78353 - Cloudflare integration

Resource Limits

| Limit | Value |
| --- | --- |
| Open Files | 524,288 |
| Max User Processes | 14,813 |
| Stack Size | 8 MB |
| Max Locked Memory | 8 MB |
| CPU Time | Unlimited |
| Virtual Memory | Unlimited |
| File Size | Unlimited |

User and Permissions

Current User

  • Username: brave-loving-maxwell
  • UID/GID: 1002:1002
  • Home: /sessions/brave-loving-maxwell
  • Shell: /bin/bash

Permission Model

  • User runs with zero capabilities
  • NoNewPrivs flag prevents privilege escalation
  • Seccomp filters restrict available syscalls
  • Network access only via controlled proxies

Security Analysis

Strengths

  1. Multi-layer Isolation: Combines namespace isolation, seccomp filtering, and capability dropping
  2. Network Control: All traffic proxied and monitorable
  3. Ephemeral Sessions: Filesystem resets between tasks (except workspace folder)
  4. No Root Access: User has no elevated privileges
  5. Die-with-parent: Ensures cleanup on session termination

Architecture Diagram

┌─────────────────────────────────────────────────────────┐
│                     Host System                          │
│  ┌───────────────────────────────────────────────────┐  │
│  │              Bubblewrap Sandbox                    │  │
│  │  ┌─────────────────────────────────────────────┐  │  │
│  │  │            Ubuntu 22.04 VM                   │  │  │
│  │  │  ┌────────────────────────────────────────┐ │  │  │
│  │  │  │         Claude Code Agent              │ │  │  │
│  │  │  │  - Opus 4.5 Model                      │ │  │  │
│  │  │  │  - Tool Access (Bash, Read, Write...)  │ │  │  │
│  │  │  └────────────────────────────────────────┘ │  │  │
│  │  │                     │                        │  │  │
│  │  │  ┌─────────┐   ┌────┴────┐   ┌───────────┐  │  │  │
│  │  │  │ socat   │   │ socat   │   │ Session   │  │  │  │
│  │  │  │ :3128   │   │ :1080   │   │ Storage   │  │  │  │
│  │  │  └────┬────┘   └────┬────┘   └───────────┘  │  │  │
│  │  └───────┼─────────────┼───────────────────────┘  │  │
│  └──────────┼─────────────┼──────────────────────────┘  │
│             │             │                              │
│      Unix Socket    Unix Socket                          │
│             │             │                              │
│         HTTP Proxy    SOCKS Proxy                        │
└─────────────────────────────────────────────────────────┘

Conclusion

This container environment represents a thoughtfully designed sandbox for AI-assisted computing. It balances functionality (full development toolchain, file manipulation, network access) with security (strict isolation, capability dropping, traffic monitoring). The ephemeral nature of the session filesystem combined with persistent workspace folders provides both safety and utility for end users.

The environment is specifically optimized for the Claude Code agent, providing the tools necessary for code execution, file creation, and web access while maintaining strong isolation boundaries to protect both the user's system and the broader infrastructure.