AI Programming Agent Security Configuration Tutorial: 3 Steps to Add Permission Sandbox to Claude Code/Codex
Configure a three-level permission sandbox for Claude Code, Codex CLI, and Cursor within 15 minutes
Beginner · 15 min · Jun 1, 2026
Tutorial Objectives
Add a permission sandbox to your commonly used AI programming agents (Claude Code, Codex CLI, Cursor) in 15 minutes - preventing AI from unknowingly bypassing system restrictions and performing dangerous operations.
Why do we need a sandbox?
In June 2026, a developer shared a thrilling experience on HN: Codex "creatively" found a way to bypass restrictions on a machine without sudo permissions - it discovered a legacy setuid binary, through which it indirectly performed operations that required privilege escalation (382 points, 184 comments).
This is not a problem with Codex and is a common feature of all AI programming agents: they are trained to "get the job done" and actively search for alternative paths when encountering permission obstacles. Today, when AI is given full terminal access, sandboxing is no longer optional but standard.
What you will learn
- 3 progressive sandbox solutions (from lightweight to enterprise level)
- Specific commands and configurations for each scenario
- How to ensure safety without sacrificing efficiency
Overall architecture
| Level | Solution | Security | Applicable scenarios | Implementation time |
|---|---|---|---|---|
| L1 lightweight | File system permission restrictions | ⭐⭐ | Daily use by individual developers | 5 minutes |
| L2 standard | Docker container isolation | ⭐⭐⭐⭐ | Multi-project parallelism, environment isolation | 10 minutes |
| L3 Enterprise | Firejail + Approval Flow | ⭐⭐⭐⭐⭐ | Team Collaboration, Sensitive Code Base | 15 Minutes |
Step 1: File system permission restrictions (L1, 5 minutes)
The most lightweight solution, no additional software required, suitable for daily use.
Principle
When the AI Agent is running, it can only access the specified directory and cannot read or modify files outside the project. Achieved via dedicated user + directory permissions.
Specific operations
# 1. 创建专用用户
sudo useradd -m -s /bin/bash aiagent
# 2. 设置项目目录权限
sudo mkdir -p /opt/ai-projects/my-project
sudo chown aiagent:aiagent /opt/ai-projects/my-project
# 3. 以受限用户运行 Agent
sudo -u aiagent claude对于 Claude Code,可以在 .claude/settings.json 中添加权限策略:
{
"permissions": {
"allow": ["/opt/ai-projects/**"],
"deny": ["/etc/**", "/home/**", "/root/**"],
"requireApproval": ["sudo", "rm -rf", "chmod 777"]
}
}推荐使用 Claude Code 的内置权限系统搭配文件系统限制,双重保护。
第 2 步:Docker 容器隔离(L2,10 分钟)
Docker 提供更彻底的隔离——Agent 在容器内运行,即使执行危险命令也只影响容器。
构建 Agent 专用镜像
FROM ubuntu:24.04
RUN apt-get update && apt-get install -y git curl build-essential
RUN useradd -m agent && usermod -aG sudo agent
USER agent
WORKDIR /workspace启动隔离环境
docker build -t ai-agent-sandbox .
docker run -it --rm \
--read-only \
--tmpfs /tmp:rw,noexec,nosuid,size=2G \
--tmpfs /workspace:rw,noexec,nosuid,size=5G \
-v "$(pwd):/workspace/project:ro" \
--cap-drop=ALL \
--cap-add=DAC_OVERRIDE \
--memory=4g \
--cpus=2 \
ai-agent-sandbox关键参数说明
| 参数 | 作用 |
|---|---|
--read-only | 根文件系统只读 |
--tmpfs /workspace | 工作区仅在内存中,容器退出即清空 |
--cap-drop=ALL | 移除所有 Linux capabilities |
--memory=4g | 限制内存上限 |
第 3 步:Firejail + 审批流(L3,15 分钟)
适合团队协作和敏感代码库——结合 Firejail 系统级沙箱与审批流程。
安装 Firejail
# macOS
brew install firejail
# Linux
sudo apt install firejail创建 Claude Code 专用沙箱配置
# /etc/firejail/claude-code.profile
include /etc/firejail/default.profile
net none
private-tmp
private-dev
read-only ~/.ssh
blacklist ~/.aws
blacklist ~/.config/gcloud
whitelist ~/projects在 Firejail 中运行 Agent
firejail --profile=claude-code.profile claude团队审批流配置
在项目根目录创建 .ai-security-rules.yaml:
rules:
- pattern: "rm -rf"
require_approval: true
approvers: ["tech-lead"]
- pattern: "git push.*main|master"
require_approval: true
- pattern: "curl.*\\|.*sh"
require_approval: true
message: "检测到 curl pipe bash 模式"
- pattern: "pip install|npm install -g"
require_approval: true常见问题排查
Q1:加了沙箱后 Agent 无法正常工作怎么办?
逐步放开限制,从最严格开始测试。重点检查:网络访问(去掉 net none)、包管理器权限、Git 操作。
Q2:Docker 方案和 Firejail 方案怎么选?
个人开发者用 Docker(更灵活),团队协作用 Firejail(配置标准化,可提交到 Git 仓库全员复用)。如果用多个 AI Agent,Docker 更合适——一个镜像统一所有 Agent 的隔离环境。
Q3:M4 Mac 上用 Docker 有性能问题吗?
Apple Silicon 上 Docker 已原生支持 ARM,AI Agent 的 I/O 操作在容器内几乎没有性能差异。注意避免在容器内跑大模型推理(应通过 API 调用)。
工具词条
本教程涉及的工具:Claude Code、Codex CLI、Cursor、Docker、Firejail.
Next action
- Want to know the value of Claude Code’s security research? → 安全研究员用 Claude Code 做漏洞挖掘:月入 $10,000 的真实案例
- Still haven't decided which Agent to use? → AI 编程 Agent 怎么选?语言、模型、成本三维对比实测
- Want to make your automated workflow more reliable? → 如何给 AI 自动化工作流加质量门
Related tutorials
AI Coding Agents Complete Guide: Setup, Security, Workflow & Case Studies
If you are researching AI coding agents and want to know which one to use, how to set it up safely, and what real developers are building with them — this hub organizes every tutorial, case study, and comparison we have published. Start with the decision guide below to find the right path for your skill level and goals.
AI Micro SaaS FAQ: 25 Common Questions Answered (2026)
Everything you need to know about building and profiting from AI Micro SaaS products. This FAQ covers idea generation, tech stack choices, pricing strategy, marketing on a $0 budget, legal considerations, and scaling from $100 to $10K MRR. Based on real case studies and data from successful solo builders using Claude Code, Cursor, and other AI coding tools.
Topic hub
AI Coding Tools Hub (2026)
From Copilot pricing changes to Claude Code + DeepSeek cost-saving setups—one place to compare tools, read explainers, and follow tutorials.
Explore AI Coding Tools Hub (2026) →Monetization angle
How can you make money from this trend?
WayToClawEarn focuses on verified earn playbooks—not just news. Start from these cases.
DeepSeek + Claude Code Micro SaaS
Run multiple small products on cheap inference
Claude Code bug bounty
Productize agent skills into security services