Cowork agent runs as native process without VM sandboxing on Linux (Asahi/Fedora)
Environment:
- Asahi Linux, Fedora 43, aarch64 (Apple Silicon)
- Claude Desktop for Linux (deb package)
- claude-code-vm version 2.1.49
Description:
The Cowork documentation states the agent runs in a "lightweight Linux VM" for sandboxed execution. On native Linux (Asahi Fedora 43 on M-series Mac), systemd-detect-virt returns none and /proc/1/cgroup shows 0::/init.scope. The agent process spawns as a direct child of the Claude Desktop Electron app with the user's full permissions.
This means all commands (including destructive operations like rm -rf) execute directly on the host filesystem with no isolation boundary. The agent itself reports to users that it's running in a sandboxed VM, which is inaccurate in this configuration.
Expected behavior: Agent runs in an actual sandboxed VM with limited filesystem access, or documentation/agent messaging accurately reflects the lack of sandboxing on native Linux.
Actual behavior: Agent runs natively as PID under the user's account with full user-level permissions. Path ~/.config/Claude/claude-code-vm/ suggests VM intent but no virtualization is present.
Impact: Security model mismatch — users may assume sandbox protections exist when they don't.
This issue has 2 comments on GitHub. Read the full discussion on GitHub ↗