sandlock  by multikernel

Lightweight Linux process sandbox for secure execution

Created 3 months ago
270 stars

Top 95.0% on SourcePulse

GitHubView on GitHub
1 Expert Loves This Project
Project Summary

Sandlock provides a lightweight, process-based sandbox for Linux, designed to confine untrusted code with minimal overhead. It targets developers and users needing strict isolation without the complexity of containers or VMs, offering rapid startup times and robust security through advanced Linux kernel features.

How It Works

Sandlock leverages Linux Landlock (filesystem, network, IPC), seccomp-bpf (syscall filtering), and seccomp user notification for resource limits and IP enforcement. Its architecture, implemented in Rust, avoids root privileges, cgroups, and container runtimes. A key feature is its Copy-on-Write (COW) filesystem, which automatically protects the working directory without requiring mount namespaces or root. This approach yields significantly faster startup times (~5ms) compared to traditional container solutions.

Quick Start & Requirements

  • Installation: Build from source (cargo build --release), install CLI (cargo install --path crates/sandlock-cli), or install Python SDK (pip install -e . in python/).
  • Prerequisites: Linux kernel 6.12+ (for Landlock ABI v6), Rust 1.70+ (for building). Python 3.8+ for SDK. No root or cgroups required.
  • Usage: Primary command is sandlock run [options] -- <command>. Examples cover basic confinement, interactive shells, resource limits, and network policies.

Highlighted Details

  • Performance: Startup times around 5ms, with Redis performance at 97.1% of bare metal. COW fork supports ~1,900 forks/sec.
  • Security: Advanced Linux kernel features (Landlock, seccomp) provide granular control without root.
  • Networking: Sophisticated network policies via --net-allow/--net-deny and HTTP-level ACLs, including zero-config HTTPS MITM.
  • Filesystem: COW filesystem for isolated writes, --dry-run mode for previewing changes, and --chroot support.
  • Dynamic Policy: policy_fn enables runtime inspection and modification of sandbox permissions.
  • Port Virtualization: Allows multiple sandboxes to bind the same port transparently.

Maintenance & Community

No specific details on maintainers, community channels (e.g., Discord, Slack), or roadmap were found in the provided README.

Licensing & Compatibility

The license for Sandlock is not explicitly stated in the README. This omission requires further investigation for commercial or derivative use.

Limitations & Caveats

  • Platform Dependency: Strictly Linux-only, requiring a kernel version of 6.12 or higher for full Landlock feature support.
  • Build Requirements: Building from source necessitates a Rust development environment.
  • License Uncertainty: The absence of a specified license is a significant blocker for adoption without clarification.
Health Check
Last Commit

1 day ago

Responsiveness

Inactive

Pull Requests (30d)
32
Issues (30d)
5
Star History
66 stars in the last 30 days

Explore Similar Projects

Feedback? Help us improve.