Sandbox broken on Linux kernel 6.17: apply-seccomp: write /proc/self/setgroups (nested userns is capability-restricted)
Resolved 💬 3 comments Opened May 5, 2026 by egno Closed May 9, 2026
Bug Report
Environment
- Claude Code version: 2.1.128
- OS: Ubuntu (Linux)
- Kernel: 6.17.0-23-generic
- bubblewrap: 0.11.0 (
/usr/bin/bwrap) - socat: installed
Configuration (settings.local.json)
{
"sandbox": {
"enabled": true,
"autoAllowBashIfSandboxed": true
}
}
Also tried with "enableWeakerNestedSandbox": true — no effect.
What happens
Every sandboxed Bash command fails with:
apply-seccomp: write /proc/self/setgroups (nested userns is capability-restricted; caller must provide CAP_SYS_ADMIN): Permission denied
What was verified
- System
bwrap --unshare-all --new-session echo okworks fine socatis installedkernel.apparmor_restrict_unprivileged_userns = 0(disabled)kernel.unprivileged_userns_clone = 1user.max_user_namespaces = 63565- Claude Code process is unconfined (AppArmor):
cat /proc/self/attr/current→unconfined - No seccomp filter on Claude Code process:
Seccomp: 0,Seccomp_filters: 0 - Claude Code embeds its own bubblewrap implementation (error string found in binary) — not calling system
bwrap
Root cause hypothesis
Claude Code's embedded bubblewrap is incompatible with kernel 6.17. The system bwrap 0.11.0 works, but the embedded version fails. Likely a kernel 6.17 change in how write /proc/self/setgroups is handled during user namespace setup.
enableWeakerNestedSandbox: true does not resolve the issue.
Workaround
Disable sandbox: "sandbox": { "enabled": false }
This issue has 3 comments on GitHub. Read the full discussion on GitHub ↗