sandboxec A lightweight command sandbox for Linux, built on Landlock. No daemon. No root. No image build step. Use it to run risky commands with a tighter blast radius: third-party CLIs, untrusted scripts, generated code, and one-off tooling. Purpose Running untrusted code is often an all-or-nothing choice. Containers and VMs are great tools, but they can be too much for quick command-level isolation. Containers add image and runtime overhead. VMs add stronger isolation with higher setup and resource cost. sandboxec focuses on a narrower job: sandbox one command on the current host, with low overhead and explicit allow rules. Why sandboxec? Sandbox existing binaries without modifying application code. Restrict filesystem and TCP access with allow-list rules. Apply policy right before command execution, so child processes inherit restrictions. Keep local workflows simple for CI jobs, local scripts, and developer tooling. When to use it? Good fit: Running a third-party CLI against a local repo. Executing generated code in CI. Testing install scripts before trusting them with full host access. Wrapping build tools that only need a small slice of the filesystem. When't? You need stronger isolation boundaries than Landlock process sandboxing. You need multi-tenant isolation between untrusted users/workloads. You need resource isolation/quotas (CPU, memory, disk, I/O). You need custom root filesystems, full runtime images, or OS-level virtualization. Use containers or VMs for those cases. Requirements Linux kernel >= 5.13+ (Landlock support enabled) Kernel compatibility Capability Landlock ABI Typical minimum kernel Filesystem restrictions v1+ 5.13+ TCP bind/connect restrictions v4+ 6.7+ Scoped restrictions ( --restrict-scoped ) v6+ newer kernels only Security model sandboxec limits what a process can: Read / Write / Execute on the filesystem. Bind / Connect on the network (TCP). Restrictions are applied immediately before launching the target command. Once set, those restrictions apply to that process and its children. Important It's designed to reduce damage from buggy, risky, or malicious user-space programs by narrowing what they can touch, hence it does NOT protect against: Kernel bugs or privileged local attackers. Resource exhaustion (CPU, memory, disk). Every possible host interaction outside configured Landlock controls. Treat it as a practical containment layer. Install Using Go compiler: go install go.dw1.io/sandboxec@v0.2.1 Note Requires Go 1.24.0 or later. Or download a pre-built binary from releases page . Or build from source: Warning The master branch contains the latest code changes and updates, which might not have undergone thorough testing and quality assurance - thus, you may encounter instability or unexpected behavior. git clone https://github.com/dwisiswant0/sandboxec.git cd sandboxec/ # git checkout [VERSION] make build # ./bin/sandboxec --help Usage sandboxec [OPTIONS] [COMMAND [ARG...]] Examples: sandboxec --fs rx:/usr /usr/bin/echo hello sandboxec --fs rx:/usr -- /usr/bin/ls /usr sandboxec --fs rx:/usr --net c: < PORT > -- /usr/bin/curl http://127.0.0.1: < PORT > sandboxec --mode mcp --fs rx:/usr --fs rw: $PWD --net c:443 Options Option Description -c, --config Path to YAML config file. -f, --fs RIGHTS:PATH Add filesystem rule (repeatable). -n, --net RIGHTS:PORT Add network rule (repeatable). --abi int Force specific Landlock ABI version (0 for default). --best-effort Continue even if the kernel lacks support for some features. --ignore-if-missing Do not fail if a rule path does not exist. --restrict-scoped Enable scoped IPC restrictions (requires ABI v6+). --unsafe-host-runtime Allow read_exec rights for host runtime paths. -m, --mode string Execution mode ( run or mcp ). Default: run . -V, --version Show app version. -h, --help Show help. Available MCP tools: exec : Execute a command and return stdout , stderr , and exit_code . Input: command (required), args (optional array). Execution path uses sandboxec runtime with effective policy derived from CLI flags or YAML config. Note --restrict-scoped requires Landlock ABI v6+. --unsafe-host-runtime broadens allowed runtime & library access and weakens least-privilege guarantees. In --mode mcp , no wrapped command arguments are accepted. Rule format Filesystem rules Format: RIGHTS:PATH Accepted rights: read or r read_exec or rx write or w read_write or rw read_write_exec or rwx Note Filesystem restrictions require Landlock support (Linux 5.13+). Network rules Format: RIGHTS:PORT Accepted rights: bind or b connect or c bind_connect or bc Note Network restrictions ( bind / connect ) require newer Landlock support (ABI v4+, typically Linux 6.7+). Important If the running kernel does not support requested features, use --best-effort to degrade gracefully. Rule behavior Rules are allow-list based: if it is not allowed, it is denied. It is what it is. Multiple --fs and --net entries are cumulative. Rules should include every runtime dependency ...