Sandbox broken on Linux kernel 6.17: apply-seccomp: write /proc/self/setgroups (nested userns is capability-restricted)

Resolved 💬 3 comments Opened May 5, 2026 by egno Closed May 9, 2026

Bug Report

Environment

  • Claude Code version: 2.1.128
  • OS: Ubuntu (Linux)
  • Kernel: 6.17.0-23-generic
  • bubblewrap: 0.11.0 (/usr/bin/bwrap)
  • socat: installed

Configuration (settings.local.json)

{
  "sandbox": {
    "enabled": true,
    "autoAllowBashIfSandboxed": true
  }
}

Also tried with "enableWeakerNestedSandbox": true — no effect.

What happens

Every sandboxed Bash command fails with:

apply-seccomp: write /proc/self/setgroups (nested userns is capability-restricted; caller must provide CAP_SYS_ADMIN): Permission denied

What was verified

  • System bwrap --unshare-all --new-session echo ok works fine
  • socat is installed
  • kernel.apparmor_restrict_unprivileged_userns = 0 (disabled)
  • kernel.unprivileged_userns_clone = 1
  • user.max_user_namespaces = 63565
  • Claude Code process is unconfined (AppArmor): cat /proc/self/attr/currentunconfined
  • No seccomp filter on Claude Code process: Seccomp: 0, Seccomp_filters: 0
  • Claude Code embeds its own bubblewrap implementation (error string found in binary) — not calling system bwrap

Root cause hypothesis

Claude Code's embedded bubblewrap is incompatible with kernel 6.17. The system bwrap 0.11.0 works, but the embedded version fails. Likely a kernel 6.17 change in how write /proc/self/setgroups is handled during user namespace setup.

enableWeakerNestedSandbox: true does not resolve the issue.

Workaround

Disable sandbox: "sandbox": { "enabled": false }

View original on GitHub ↗

This issue has 3 comments on GitHub. Read the full discussion on GitHub ↗