[BUG] apply-seccomp fails on Linux - cannot write /proc/self/setgroups
Preflight Checklist
- [x] I have searched existing issues and this hasn't been reported yet
- [x] This is a single bug report (please file separate reports for different bugs)
- [x] I am using the latest version of Claude Code
What's Wrong?
All Bash commands fail in Claude Code 2.1.92 on Ubuntu 25.10 with:
apply-seccomp: write /proc/self/setgroups (nested userns is capability-restricted; caller must provide CAP_SYS_ADMIN): Permission denied
The new apply-seccomp binary (shipped in 2.1.92 per changelog: "Linux sandbox now ships the apply-seccomp helper") writes to /proc/self/setgroups before mapping UID. Tested on kernel 6.17.0-14 and 6.17.0-20, both fail.
What Should Happen?
Bash commands should execute successfully inside the sandbox. The apply-seccomp helper should work on Linux kernel (Ubuntu 25.10). Version 2.1.91 worked fine - no sandbox errors.
Error Messages/Logs
apply-seccomp: write /proc/self/setgroups (nested userns is capability-restricted; caller must provide CAP_SYS_ADMIN): Permission denied
Steps to Reproduce
# This pattern is what apply-seccomp does internally
unshare -U bash -c "echo deny > /proc/self/setgroups"
# → Permission denied
# With UID mapping first - works:
unshare -Ur echo test
# → test
Claude Model
Opus
Is this a regression?
Yes, this worked in a previous version
Last Working Version
2.1.91
Claude Code Version
2.1.92
Platform
Anthropic API
Operating System
Ubuntu/Debian Linux
Terminal/Shell
Other
Additional Information
Downgrading fixes the issue
ln -sf /home/crazyfrogspb/.local/share/claude/versions/2.1.91 /home/crazyfrogspb/.local/bin/claude
Showing cached comments. Read the full discussion on GitHub ↗
21 Comments
I'm having the same issue.
To get functional again, I needed to reinstall an older version: $ claude install 2.1.91
Does Anthropic even test the sandbox?
The issue is that the built-in
apply-seccompfile lacks execution permissions.node_modules/@anthropic-ai/claude-code/vendor/seccomp/{your-arch}/apply-seccompFor example, on macOS homebrew:
sudo chmod +x /opt/homebrew/lib/node_modules/@anthropic-ai/claude-code/vendor/seccomp/*/apply-seccompFor Linux:
sudo chmod +x /usr/local/lib/node_modules/@anthropic-ai/claude-code/vendor/seccomp/*/apply-seccomp(or under
/usr/bin/...)Previously,
ripgrepmade this exact same mistake, yet here we are seeing the same error repeated.With the NPM install, it appears to be true that apply-seccomp isn't set to executable, that isn't the cause of the CAP_SYS_ADMIN error we're focused on here. Also the native install method (rather than npm) doesn't appear to have the permission issue. The apply-seccomp call is executing, but hitting an error.
I'm guessing this is because Ubuntu has extra restrictions on unprivileged user namespaces: https://discourse.ubuntu.com/t/ubuntu-24-04-lts-noble-numbat-release-notes/39890#p-99950-unprivileged-user-namespace-restrictions-15
However, the command in that thread to disable that restriction (
echo 0 | sudo tee /proc/sys/kernel/apparmor_restrict_unprivileged_userns) did _not_ work for me: I get the same error after running it.Disabling AppArmor entirely via kernel cmdline did get the sandbox to start, but that severely reduces Ubuntu's security, so I don't want to do that.
(Also, I believe the change that introduced the nested user namespaces in the sandbox was https://github.com/anthropic-experimental/sandbox-runtime/commit/7ee4ac602d18d7261c6d4db77014b2bc2617cb60)
Anthropic has now released a broken version to the "stable" channel, so I had to turn off auto-update to keep the last working version 2.1.91. I worked with claude extensively to try and find a workaround that didn't involve disabling apparmor or disabling the claude sandbox, and ultimately failed to find anything that worked.
Can you confirm it works for you if you uninstall
socat? See #49018The only real workaround that I found:
1) Install via npm: npm install -g @anthropic-ai/claude-code@latest
2) Fix executable bit: chmod +x <npm-prefix>/lib/node_modules/@anthropic-ai/claude-code/vendor/seccomp/x64/apply-seccomp
3) Comment out capability deny in /etc/apparmor.d/bwrap-userns-restrict:
# audit deny capability,4) Reload: sudo apparmor_parser -r /etc/apparmor.d/bwrap-userns-restrict
5) Rename binary: mv ~/.local/bin/claude ~/.local/bin/claude-native-backup
Warning - this allows capabilities for all bwrap-sandboxed processes (Flatpak, etc.) within their user namespace
Still waiting for the real fix
The issue only seems to go away if I uninstall socat, which is equivalent to disabling the sandbox because it's a missing dependency. The /doctor command indicates sandbox disabled.
Confirmed on Ubuntu 24.04 LTS, kernel 6.17.0-20-generic (npm install)
Why 2.1.91 "works" on my system: socat is not installed. Without socat, 2.1.91 skips the sandbox entirely — Bash runs unsandboxed (Seccomp: 0, no user namespace). This is not a fix, just the sandbox being absent.
Why 2.1.92+ breaks even without socat: The new
apply-seccomphelper is called regardless of socat availability. It attempts to write/proc/self/setgroupsinside a user namespace, which fails withCAP_SYS_ADMINdenied becauseapparmor_restrict_unprivileged_userns=1(Ubuntu 24.04 default).So the regression is: 2.1.91 had a dependency (socat) that gracefully degraded to no sandbox. 2.1.92+ ships its own binary that fails fatally with no fallback on AppArmor-restricted systems.
Staying on 2.1.91 (unsandboxed) with auto-update disabled until this is fixed.
I seem to be hitting the same issue on 2.1.116. I set
allowAllUnixSockets: truefor now, which has solved it.Please make Claude with sandbox usable again. Still stuck to 2.1.87 because of this and #43713.
ChatGPT gave me this working workaround for Claude 2.1.121 on Ubuntu 25.10, I think it weakens sandbox a bit but not sure exactly by how much:
~/.claude/settings.json
Also getting hit by this one with: Claude Code 2.1.126, Ubuntu 25.10, kernel 6.17.0-22-generic
Check if you have other apparmor profiles interfering with the bwrap profile.
For example,
unpriv_bwrapis a profile declared by Lutris:Its
audit deny capabilitycannot be overridden bylocal/unpriv_bwrap(apparmordenyrules always take precedence overallowrules), but at least you can monkeypatch the file (and file an issue against lutris):The upstream version is available as
/usr/share/apparmor/extra-profiles/bwrap-userns-restrict.Not sure if that's desirable, though. https://gitlab.com/apparmor/apparmor/-/work_items/382 applies.
It helps me on Ubuntu 26.04, but my profile is called
/etc/apparmor.d/bwrap-userns-restrictHey @egorkel-altexsoft, something seems to have gone wrong with your message.
Could you please check the formatting of your comment?
You can edit it from the "..." menu, and fix the message.
Currently, it is unintelligible.
This worked for me, and threaded the needle of turning off protections globally to get sandboxing to work, which of course wouldnt make sense.
Thanks!
Still reproduces on Ubuntu 26.04 / kernel 7.0.0-15-generic / native install 2.1.185
(~90 releases and 4 months after this was filed, on a newer kernel than #56345's 6.17).
Error (identical to #56345):
apply-seccomp: write /proc/self/setgroups (nested userns is capability-restricted;
caller must provide CAP_SYS_ADMIN): Permission denied
Key data point:
kernel.apparmor_restrict_unprivileged_userns=0does NOT fix it.Verified
=0via /proc, sandbox still fails identically. So the userns create-gatesysctl isn't the lever — the capability denial comes from the
unpriv_bwrapchildprofile in
/etc/apparmor.d/bwrap-userns-restrict(audit deny capability,), whichstrips caps from bwrap's sandboxed children, including the bundled
apply-seccomphelper. Matches the
profile="unpriv_bwrap" comm="apply-seccomp" capname="sys_admin"audit line reported earlier in this thread.
The OS is otherwise healthy — every primitive the sandbox needs works outside the
bundled helper:
unshare -U true # OK
unshare -rU true # OK (map-root)
unshare -rUm true # OK (+mount ns)
unshare -rU bash -c 'unshare -rU true' # OK (double-nested userns)
unshare -rUn sh -c 'ip link set lo up' # OK (netns + loopback up)
bwrap --unshare-user --unshare-net --ro-bind / / true # OK
bwrap --unshare-user --unshare-pid --proc /proc --dev /dev --ro-bind / / true # OK
So this is distinct from #55585/#14719 (the
bwrap: loopback: Failed RTM_NEWADDRnetns class) — loopback-in-userns works here.
/usr/bin/bwrapsucceeds because it hasthe permissive
profile bwrapattachment; only the vendoredapply-seccomphelper,running as a cap-stripped bwrap child, fails.
For other Linux users landing here: the macOS
allowAllUnixSocketsworkaround does notexist on Linux (#44180), so it's not a fix. What restores function is disabling the
sandbox (
sandbox.enabled: false) or relaxingunpriv_bwrapsystem-wide (broad — itre-grants capabilities to every bwrap sandbox, e.g. Flatpak).
Impact: this has forced us to set
sandbox.enabled: falseacross our multi-userUbuntu 26.04 dev fleet — i.e. an OS-level security feature turned off in production
because of this regression, with no per-setting workaround on Linux. A fix (or a
documented, narrowly-scoped Linux escape hatch) would be much appreciated.
Environment:
bwrap-userns-restrictprofile loadedHave you reported the issue to Ubuntu? This is a bug in their apparmor policy, not the sandbox runtime.