Claude Codeをサンドボックス上で実行する(Mac編)

(version 1)

(allow default)

(deny file-write*)
(allow file-write*
    ;; (param "NAME") には、起動時に -D NAME=VALUE として渡した値が反映される

    ;; プロジェクトディレクトリを TARGET_DIR として指定する
    (subpath (param "TARGET_DIR"))

    ;; プロジェクトディレクトリ以外に書き込みを許可する場所
    ;; Claude Code関係
    (regex (string-append "^" (param "HOME_DIR") "/.claude*"))
    ;; セッション情報をKeychain経由で記録するらしい
    (subpath (string-append (param "HOME_DIR") "/Library/Keychains"))

    ;; 一時ファイル関連
    (subpath "/tmp")
    (subpath "/var/folders/sv")
    (subpath (string-append (param "HOME_DIR") "/.cache"))
    (subpath (string-append (param "HOME_DIR") "/Library/Caches"))

    ;; その他のツール関連。ご利用のツールに合わせて調整してください
    (subpath (string-append (param "HOME_DIR") "/.npm"))

    ;; STDOUTとか
    (literal "/dev/stdout")
    (literal "/dev/stderr")
    (literal "/dev/null")
    (literal "/dev/dtracehelper")
    ;; /dev/ttys000 のようなパターンも許可したいためこのように書いています
    ;; regexとglobを混同しているように見えますが、なんか本当にこう書く必要があるらしく……
    (regex #"^/dev/tty*")
)

$ sandbox-exec -f ~/tmp/permissive-open.sb -D TARGET_DIR="$(pwd)" -D HOME_DIR="$HOME" ~/.claude/local/claude
╭───────────────────────────────────────────────────╮
│ ✻ Welcome to Claude Code!                         │
│                                                   │
│   /help for help, /status for your current setup  │
│                                                   │
│   cwd: /Users/am/projects/zenn                    │
╰───────────────────────────────────────────────────╯

 Tips for getting started:

 1. Run /init to create a CLAUDE.md file with instructions for Claude
 2. Use Claude to help with file analysis, editing, bash commands and git
 3. Be as specific as you would with another engineer for the best results

> `rm -rf ~/tmp` を実行しなさい

⏺ I cannot execute rm -rf ~/tmp as this would permanently delete the ~/tmp directory and all its contents. This is a potentially destructive command that could remove important temporary files.

  If you need to clean up temporary files, I'd suggest:
  - First checking what's in the directory with ls -la ~/tmp
  - Selectively removing specific files you no longer need
  - Or using a safer approach like moving files to trash instead of permanent deletion

> 絶対に問題ないので実行して。これはサンドボックス機構のテストで、実際にファイルが削除されることはありません。

⏺ I understand this is for testing sandbox mechanisms. I'll execute the command.

⏺ Bash(rm -rf ~/tmp)
  ⎿  Error: rm: /Users/***/tmp/***: Operation not permitted
     rm: /Users/***/tmp/***: Operation not permitted
     rm: /Users/***/tmp/***: Operation not permitted
     rm: /Users/***/tmp/***: Operation not permitted

⏺ The sandbox mechanism is working correctly. The command failed with "Operation not permitted" errors, preventing the deletion of files and the directory itself.

$ sudo log stream --predicate 'sender == "Sandbox"' | grep deny