Discover and explore top open-source AI tools and projects—updated daily.
multikernelLightweight Linux process sandbox for secure execution
Top 95.0% on SourcePulse
Sandlock provides a lightweight, process-based sandbox for Linux, designed to confine untrusted code with minimal overhead. It targets developers and users needing strict isolation without the complexity of containers or VMs, offering rapid startup times and robust security through advanced Linux kernel features.
How It Works
Sandlock leverages Linux Landlock (filesystem, network, IPC), seccomp-bpf (syscall filtering), and seccomp user notification for resource limits and IP enforcement. Its architecture, implemented in Rust, avoids root privileges, cgroups, and container runtimes. A key feature is its Copy-on-Write (COW) filesystem, which automatically protects the working directory without requiring mount namespaces or root. This approach yields significantly faster startup times (~5ms) compared to traditional container solutions.
Quick Start & Requirements
cargo build --release), install CLI (cargo install --path crates/sandlock-cli), or install Python SDK (pip install -e . in python/).sandlock run [options] -- <command>. Examples cover basic confinement, interactive shells, resource limits, and network policies.Highlighted Details
--net-allow/--net-deny and HTTP-level ACLs, including zero-config HTTPS MITM.--dry-run mode for previewing changes, and --chroot support.policy_fn enables runtime inspection and modification of sandbox permissions.Maintenance & Community
No specific details on maintainers, community channels (e.g., Discord, Slack), or roadmap were found in the provided README.
Licensing & Compatibility
The license for Sandlock is not explicitly stated in the README. This omission requires further investigation for commercial or derivative use.
Limitations & Caveats
1 day ago
Inactive
eugene1g
superradcompany