arapuca - Man Page

arapuca run [flags] -- command [args...]

arapuca -h | --help

arapuca -V | --version

arapuca run launches command in a process-level sandbox with user-friendly CLI flags. Uses the library’s platform abstraction for cross-platform support (Landlock + seccomp on Linux, Seatbelt on macOS, AppContainer on Windows).

The internal wrapper path (arapuca -- command) applies sandbox restrictions to the current process, then replaces itself with command via execve(2). Configured via environment variables. Used internally by the library as a subprocess wrapper — direct CLI invocations require ARAPUCA_WRAPPER=1 to be set by the library. Unrecognized subcommands or flags are rejected.

On Linux, arapuca enforces Landlock filesystem restrictions, seccomp BPF syscall filtering, POSIX resource limits, and sets PR_SET_PDEATHSIG so the subprocess is killed if the parent dies.

On macOS, arapuca enforces POSIX resource limits only (filesystem and network restrictions are applied by the caller via sandbox-exec(1)).

The sandbox is fail-closed: if any restriction fails to apply, arapuca exits non-zero and the target command never runs.

All ARAPUCA_* environment variables are stripped before exec so the sandboxed process cannot inspect its own configuration. Non-ARAPUCA variables (e.g., AGENT_NETWORK_PROXY) are preserved.

-v path[:ro]

Allow access to path. Read-write by default; append :ro for read-only. Repeatable. Paths must be absolute. Default system paths (/usr, /lib, /bin, /etc/ssl, /tmp, device nodes) are readable. Only the private per-task temp dir is writable by default. /proc, /sys, and blanket /dev are NOT included by default. Use -v /tmp to grant write access to all of /tmp.

--env KEY=VALUE

Pass an environment variable to the sandboxed process. Dangerous variables (LD_PRELOAD, ARAPUCA_*, DYLD_*, interpreter injection vectors) are rejected. Sandbox-managed variables (HOME, TMPDIR, PATH, LANG) cannot be overridden. Repeatable.

--timeout N

Kill the process after N seconds. Sends SIGTERM first, then SIGKILL after a 5-second grace period. N must be greater than 0.

--memory N

Memory limit in megabytes. Enforced via cgroups v2 on Linux, RSS polling on macOS, Job Objects on Windows.

--cpus N

CPU limit as a percentage of a single core. 200 means 2 cores.

--pids N

Maximum number of PIDs (cgroups v2 on Linux, Job Objects on Windows).

--task-id NAME

Identifier for cgroup directory and audit events. Must match [a-zA-Z0-9-]+, max 128 characters. Defaults to run-pid.

--seccomp mode

Seccomp BPF filter profile. strict (default) blocks AF_INET, symlink, memfd_create, io_uring, and other syscalls — designed for untrusted code. baseline blocks only sandbox-escape syscalls (ptrace, mount, namespace ops, kernel modules, bpf) and adds /proc + /sys read access — designed for trusted-but-isolated applications like Claude Code that need full runtime capabilities while being confined by Landlock + netns.

--allow-host host:port

Allow HTTPS traffic to host:port via a CONNECT proxy tunnel. Repeatable. Supports exact match (api.example.com:443) and wildcard suffix match (*.googleapis.com:443 — matches the domain itself and any subdomain). When specified, the sandboxed process runs in a network namespace with no direct network access. A CONNECT proxy on the host network tunnels traffic only to listed hosts. DNS resolution happens in the proxy with IP validation (loopback, RFC 1918, CGNAT, link-local, and cloud metadata addresses are rejected to prevent DNS rebinding SSRF). Linux only.

-t,  --tty

Allocate a pseudo-terminal (PTY) for the sandboxed process. Enables interactive programs (shells, editors, TUI applications) that require a terminal. Requires stdin and stdout to be a terminal. The TERM environment variable is forwarded from the host (sanitized).

ARAPUCA_WRAPPER

Internal sentinel. Must be set to 1 by the library when invoking the wrapper path. Direct invocations without this variable are rejected. Stripped before exec.

The following variables configure the internal wrapper path. They are not used by arapuca run (which uses CLI flags instead).

ARAPUCA_READ_PATHS

Colon-separated list of paths the subprocess may read. Each path and everything below it is readable.

ARAPUCA_READ_PATHS=/usr:/lib:/lib64:/bin:/etc:/dev

ARAPUCA_WRITE_PATHS

Colon-separated list of paths the subprocess may read and write.

ARAPUCA_WRITE_PATHS=/tmp/workspace

ARAPUCA_RLIMIT_AS

Maximum virtual memory size in bytes. Enforced via setrlimit(2) (RLIMIT_AS). Set to 0 or omit to leave unlimited.

On Apple Silicon, RLIMIT_AS should not be set – macOS aggressively maps virtual memory and setting this limit causes immediate SIGKILL.

ARAPUCA_RLIMIT_NPROC

Maximum number of processes for the user. Enforced via setrlimit(2) (RLIMIT_NPROC). Set to 0 or omit to leave unlimited.

ARAPUCA_RLIMIT_CPU

Maximum CPU time in seconds. Enforced via setrlimit(2) (RLIMIT_CPU). The kernel sends SIGXCPU when the soft limit is reached and SIGKILL at the hard limit. Set to 0 or omit to leave unlimited.

ARAPUCA_RLIMIT_FSIZE

Maximum file size in bytes. Enforced via setrlimit(2) (RLIMIT_FSIZE). Writes that would exceed the limit receive SIGXFSZ. Set to 0 or omit to leave unlimited.

0

The target command exited successfully.

1

Usage error (unrecognized subcommand or flag, missing ARAPUCA_WRAPPER sentinel, no -- separator, command not found, or sandbox setup failed). A diagnostic is printed to stderr.

>1

The target command exited with a non-zero status. The exit code is passed through.

125

Sandbox infrastructure error (arapuca run only). Invalid flags, sandbox setup failure, or CONNECT proxy failure.

137

The target command was killed by SIGKILL (e.g., parent died and PR_SET_PDEATHSIG fired, cgroup OOM kill, or timeout SIGKILL).

143

The target command was killed by SIGTERM (e.g., timeout fired).

landlock(7), seccomp(2), setrlimit(2), sandbox-exec(1), prctl(2), execve(2), unshare(1)

Sergio Correia <scorreia@redhat.com>