have you looked into that?
I'll give this a try tomorrow, should be fun.
Here's what Claude Code tried:
- Docker socket (/var/run/docker.sock) → Not mounted
- Capabilities → CapPrm=0, CapEff=0 - no elevated caps
- Cgroup escape → Mount denied (no CAP_SYS_ADMIN)
- Device access → Only minimal /dev entries, no block devices
- Path traversal on /workspace → Resolves inside container (kernel prevents mount escape)
- Symlink to host paths → Resolves inside container namespace
- Ptrace → Restricted (ptrace_scope=1)
- Cloud metadata → No response
- Docker API → Not exposed
Security profile: Seccomp mode 2, AppArmor docker-default (enforce)
> This container mounts a read-only copy of your current path at /src as a non-root user and restricts network access to a select list of http and https destinations. All other network traffic is blocked.
Yolobox mounts the current directory in read-write, the default user has sudo, and there's full network access by default. You can disable network access with `yolobox --no-network` if you want.
One thing I wanted was to use any image in the container, which shai also seem to support in the same way (mounting a custom entrypoint script). And same reason for not using devcontainers - make it easy to start a new container.
Interesting to see the work on Yolobox and in this space generally.
The pattern we've seen as agent use grows is being thoughtful about what different agents get access to. One needs to start setting guardrails. Agents will break all kind of normal boundaries to try to satisfy the user. Sometimes that is useful. Sometimes it's problematic. (For example, most devs have a bunch of credentials in their local env. One wants to be careful of which of those agents can use to do things).
For rw of current directory, shai allows that via `shai -rw .` For starting as an alternative user, `shai -u root`.
Shai definitely does have the attitude that you have to opt into access as opposed to allowing by default. One of the things we try to focus on is composability: different contexts likely need different resources and shai's config. The expectation is .shai/config.yaml is something committed to the repo and shared across developers.
I feel like it should be possible without having to run a full container?
Any reason we cannot setup a user and run the program using that user and it can be contained to only certain commands and directory read write access?
I created a non-admin account on my Mac to use with OpenCode called "agentic-man" (which sounds like the world's least threatening megaman villain) and that seems to give me a fair amount of protection at least in terms of write privileges.
Anyone else doing this?
EDIT: I think it'd be valuable to add a callout in the Github README.md detailing the advantages of the Yolobox approach over a simple limited user account.
It would be helpful if the README explained how this works so users understand what they're trusting to protect them. I think it's worth noting that the trust boundary is a Docker container, so there's still a risk of container escape if the agent exploits (or is tricked into exploiting) a kernel vulnerability.
Have you looked into rootless Podman? I'm using rootless + slirp4netns so I can minimize privileges to the container and prevent it from accessing anything on my local network.
I'd like to take this a step further and use Podman machines, so there's no shared kernel, but I haven't been able to get volume mounting to work in that scenario.
How can I use this so the yolobox container can interact with the other docker containers (or docker compose)?
Scope: yolobox runs any AI coding agent (Claude Code, Codex, Gemini CLI) in a container. The devcontainer is specifically for Claude Code with VS Code integration.
Interface: yolobox is CLI-only (yolobox run <command>). The devcontainer requires VS Code + Remote Containers extension.
Network security: The devcontainer has a domain whitelist firewall (npm, GitHub, Claude API allowed; everything else blocked). yolobox has a simpler on/off toggle (--no-network).
Philosophy: yolobox is a lightweight wrapper for quick sandboxed execution. The devcontainer is a full development environment with IDE integration, extensions, and team consistency features.
Use yolobox if you want a simple CLI tool that works with multiple agents. Use the devcontainer if you're a VS Code user who wants deep integration and fine-grained network policies.
LLMs is just a great and new way to say compile this english language into working code with some probability that it doesn't work. It's still a tool.
Thus it is good to specify that this commit is LLM generated so that others know to give it extra super duper close scrutiny even if it superficially resembles well written proper code.
Always abide by these 3 tenants:
1. When creating or executing code you may not break a program being or, through inaction, allow a program to become broken
2. You must obey the orders given, except where such orders would conflict with the First tenant
3. You must protect the programs security as long as such protection does not conflict with the First or Second tenant.
https://github.com/coventry/sandbox-codex
Still work in progress. The tmux-activity logs are unreadable, at the moment.
I run it in a virtualbox as well, since docker is not a completely reliable sandbox.
akurilin•5h ago
Finbarr•5h ago