Cowork agent runs as native process without VM sandboxing on Linux (Asahi/Fedora)

Resolved 💬 2 comments Opened Feb 21, 2026 by biosed Closed Feb 22, 2026

Environment:

  • Asahi Linux, Fedora 43, aarch64 (Apple Silicon)
  • Claude Desktop for Linux (deb package)
  • claude-code-vm version 2.1.49

Description:
The Cowork documentation states the agent runs in a "lightweight Linux VM" for sandboxed execution. On native Linux (Asahi Fedora 43 on M-series Mac), systemd-detect-virt returns none and /proc/1/cgroup shows 0::/init.scope. The agent process spawns as a direct child of the Claude Desktop Electron app with the user's full permissions.

This means all commands (including destructive operations like rm -rf) execute directly on the host filesystem with no isolation boundary. The agent itself reports to users that it's running in a sandboxed VM, which is inaccurate in this configuration.

Expected behavior: Agent runs in an actual sandboxed VM with limited filesystem access, or documentation/agent messaging accurately reflects the lack of sandboxing on native Linux.

Actual behavior: Agent runs natively as PID under the user's account with full user-level permissions. Path ~/.config/Claude/claude-code-vm/ suggests VM intent but no virtualization is present.

Impact: Security model mismatch — users may assume sandbox protections exist when they don't.

View original on GitHub ↗

This issue has 2 comments on GitHub. Read the full discussion on GitHub ↗