
Commit 0bc4b7e

fix: add seccomp=unconfined to AdvancedHostDANGER for bwrap support
The SYS_ADMIN capability alone is not enough for bwrap to mount /proc in a new namespace. Docker blocks CLONE_NEWUSER via seccomp even with that capability, causing:

    bwrap: Can't mount proc on /newroot/proc: Operation not permitted

With seccomp=unconfined the container can create user namespaces and bwrap works correctly, which lets Claude Code and Claude Desktop run their bash sandbox without errors.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
1 parent 4ffe577 commit 0bc4b7e

1 file changed

Lines changed: 3 additions & 0 deletions


workspaces/AdvancedHostDANGER/main.tf

@@ -1231,6 +1231,9 @@ resource "docker_container" "workspace" {
12311231

12321232
# Para mejorar KasmVNC y navegadores
12331233
shm_size = 2 * 1024 * 1024 * 1024
1234+
# seccomp=unconfined: necesario para bwrap (Claude Code/Desktop usan bwrap para sandbox bash)
1235+
# SYS_ADMIN solo no es suficiente; seccomp bloquea CLONE_NEWUSER incluso con esa capability
1236+
security_opts = ["seccomp=unconfined"]
12341237
# Permitir FUSE/SSHFS y montajes remotos
12351238
capabilities {
12361239
add = ["SYS_ADMIN"]
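Review bot: `security_opts = ["seccomp=unconfined"]` at line 1236 removes Docker's syscall filter for every process in the container, which is much broader than the reason given in the comments at lines 1234-1235 (letting bwrap use CLONE_NEWUSER). A narrower change is a custom profile derived from the default one, passed as `seccomp=/path/to/profile.json`, that only relaxes the namespace-related rules for `clone` and `unshare`; if unconfined is kept deliberately, the comment should say that the whole filter is being disabled rather than just the CLONE_NEWUSER check, so the blast radius is clear to the next reader. Since this setting is paired with `add = ["SYS_ADMIN"]` in the `capabilities` block directly below, the combination deserves a one-line note that the container has effectively no syscall restriction and a mount-capable capability, which matches the workspace's DANGER naming but should be stated at the point of configuration.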

0 commit comments
