Skip to content

feat: add Landlock sandbox and capability dropping for Linux#86

Merged
domcyrus merged 5 commits into
mainfrom
feat/landlock-sandbox
Dec 6, 2025
Merged

feat: add Landlock sandbox and capability dropping for Linux#86
domcyrus merged 5 commits into
mainfrom
feat/landlock-sandbox

Conversation

@domcyrus

@domcyrus domcyrus commented Dec 6, 2025

Copy link
Copy Markdown
Owner

Summary

  • Add Landlock sandboxing for Linux 5.13+ to restrict filesystem/network access after initialization
  • Drop CAP_NET_RAW capability after pcap socket opened (defense-in-depth)
  • Block TCP bind/connect on kernel 6.4+ (RustNet is passive, doesn't need outbound connections)
  • Add --no-sandbox and --sandbox-strict CLI options
  • Show privilege info (UID/Administrator status) on non-Linux platforms
  • Add comprehensive SECURITY.md documentation

Test plan

  • Verified Landlock blocks /tmp writes after sandbox enabled
  • Tested on kernel 6.4+ with network restrictions
  • Tested graceful degradation in Docker (seccomp blocks landlock syscall)
  • Verified --no-sandbox disables sandboxing
  • Verified packet capture continues after CAP_NET_RAW dropped

@domcyrus
feat: add Landlock sandbox and capability dropping for Linux
bea27d0 
- Restrict filesystem access to /proc only after initialization
- Block TCP bind/connect on kernel 6.4+ (network sandbox)
- Drop CAP_NET_RAW after pcap handle opened
- Add --no-sandbox and --sandbox-strict CLI options
- Show privilege info on non-Linux platforms in UI
- Add SECURITY.md documentation
@domcyrus
fix: remove unused set_sandbox_info and hide Landlock line on non-Linux
8654834
@domcyrus domcyrus force-pushed the feat/landlock-sandbox branch from a75f3f6 to 8654834 Compare December 6, 2025 15:57
@domcyrus
fix: gate SandboxInfo to Linux only to fix clippy warnings
b476ae1
@domcyrus
fix: add is_admin() function for Windows builds
47f32be 
The Windows build was failing because ui.rs called crate::is_admin()
but the function didn't exist. Added the implementation using Windows
Security API to check if the process has elevated privileges.

Also added Win32_Security feature to windows crate dependencies.
@domcyrus
fix: add is_admin() to main.rs for Windows binary crate
02a0275 
The previous fix added is_admin() to lib.rs but ui.rs is compiled
as part of the binary crate (main.rs), not the library crate.
Added the function to main.rs so crate::is_admin() resolves correctly.
@domcyrus domcyrus merged commit 5a059a3 into main Dec 6, 2025
11 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@domcyrus