Hi everyone, I hope this is the right place for this. I've been absolutely loving Claude Code for helping me with local scripting and projects, but I have to admit, the security side of things makes me a bit nervous. I keep thinking about the permissions it has when I run it on my main desktop, especially with file system access. I'm self-hosting a few things and my documents are important to me.
I read the discussions about sandboxing in the general forum, and Firejail kept coming up. I spent a good part of the weekend trying to set up a decent isolation profile for running Claude Code's desktop app, and I wanted to share what I've pieced together. I'm far from an expert, so please, if anyone sees gaps or has better ideas, I'd be incredibly grateful for your input.
My main goal was to let Claude Code do its job—access a specific project directory, use the network for, you know, fetching packages or API calls—but wall it off from everything else. That means my SSH keys, my password manager data, my entire home directory except one folder, and system directories it has no business in.
I started with a basic Firejail profile and kept whittling it down. Here's the core of what I'm using now. I run Claude Code from the terminal like this:
```shell
firejail --profile=/home/mike/.config/firejail/claude-code.profile --net=enp5s0 --private=/home/mike/Projects/ClaudeWork /opt/ClaudeCode/claude-code
```
And the profile file itself has things like `netfilter`, `private-bin` to allow only necessary binaries, `private-dev`, and a `private-tmp`. The `--private` flag is key, I think; it makes `/home/mike/Projects/ClaudeWork` appear as the only thing in the home directory inside the sandbox. I also tried to disable things like `dbus-user` and `dbus-system` at first, but that broke some functionality, so I had to add them back carefully.
It feels much safer, but I'm left wondering: is this enough? For instance, I'm allowing network access but with netfilter defaulting to drop output. I have to manually allow outbound ports for things like the Anthropic API. Does that seem like the right approach? Also, are there any other obvious escape routes I might have missed? The idea of a compromised LLM somehow breaking out of the sandbox keeps me up a bit, haha.
I'd love to hear how others are approaching this, or if there are best practices I've completely overlooked. Thank you so much for any guidance—this community has been a fantastic resource for a security-newbie like me.
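To make the setup described in the post concrete, here is a complete profile plus a matching netfilter ruleset written the way the post describes it: home replaced by a single project directory, a minimal `/bin`, `/dev`, `/tmp` and `/etc`, outbound traffic dropped by default with only DNS and HTTPS allowed, and D-Bus narrowed to a filter instead of being turned off. This is an added example and not the poster's actual files; the paths, interface name, binary list, D-Bus name and the assumption that the API is reached over HTTPS (443) are all placeholders to adjust for your machine. Both files are shown in one block, each under its own comment header.

```text
# ---- /home/mike/.config/firejail/claude-code.profile ----
# Added example (assumed paths and values), not the poster's file.
# Launch: firejail --profile=/home/mike/.config/firejail/claude-code.profile /opt/ClaudeCode/claude-code
# (net and private are set here, so they no longer need to be passed on the command line)

# Standard hardening includes shipped with Firejail.
# disable-devel.inc and disable-interpreters.inc are deliberately NOT included:
# they would remove compilers and node, which the tool needs for real work.
include disable-common.inc
include disable-programs.inc

# Home becomes ONLY the project directory; ~/.ssh, ~/.gnupg, password-manager
# data and the rest of /home/mike are simply not present inside the sandbox.
private /home/mike/Projects/ClaudeWork

# Minimal view of the rest of the filesystem. Binary list is an assumption:
# keep it to what the app and your project workflows actually invoke.
private-bin bash,sh,env,node,npm,git,claude-code
private-dev
private-tmp
private-cache
private-etc alternatives,ca-certificates,fonts,hosts,ld.so.cache,ld.so.conf,ld.so.conf.d,nsswitch.conf,passwd,resolv.conf,ssl
disable-mnt

# Own network namespace on the given interface (assumed name), with the
# ruleset below applied. netfilter only takes effect together with net.
net enp5s0
netfilter /home/mike/.config/firejail/claude-code.net
protocol unix,inet,inet6

# Privilege and kernel-surface reduction.
caps.drop all
nonewprivs
noroot
seccomp
seccomp.block-secondary
# memory-deny-write-execute is intentionally omitted: the Node/Electron
# JIT needs writable+executable pages and would crash under it.

# Hardware the tool has no reason to touch.
nodvd
notv
nou2f
novideo

# D-Bus: instead of dropping it entirely (which broke the app for the poster),
# allow only the names it actually needs. The Notifications name is an
# assumption; add others one at a time if something stops working.
dbus-user filter
dbus-user.talk org.freedesktop.Notifications
dbus-system none

# ---- /home/mike/.config/firejail/claude-code.net ----
# iptables-restore format, as used by Firejail's bundled *.net files.
# Default policy is DROP in every direction; only loopback, replies to
# connections the sandbox opened, DNS and HTTPS are permitted outbound.
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
# DNS resolution (needed before any hostname can be contacted)
-A OUTPUT -p udp --dport 53 -j ACCEPT
-A OUTPUT -p tcp --dport 53 -j ACCEPT
# HTTPS: API traffic and package registries (assumed to be 443 only)
-A OUTPUT -p tcp --dport 443 -j ACCEPT
COMMIT
```

Two things worth checking after installing these files: run `firejail --profile=... --debug` once to confirm every `private-bin` entry resolves (a missing binary is silently skipped, which shows up later as a confusing "command not found"), and from inside the sandbox try a plain `curl http://example.com` to verify that port 80 is really dropped while 443 still works. If a package manager needs git-over-SSH or a registry on a non-standard port, add that single port rather than loosening the OUTPUT policy.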