# landstrip
`landstrip` runs a command in an OS-level sandbox using Landlock LSM on Linux,
Seatbelt on macOS, and LPAC AppContainer on Windows. It accepts the Anthropic
Sandbox Runtime JSON subset as the policy.
Backends compared:

| Policy | path based rules | file based rules | access control list (ACL) |
| Timing | dynamic subset of paths | file based static ruleset | persistent ACLs |
| TCP | localhost proxy ports | loopback proxy ports | unsupported |
| Unix sockets | allowlist | allowlist via seccomp broker | unsupported |

Windows uses an AppContainer. The backend grants the generated AppContainer SID
access to the lowered read and write roots, so Windows policies must use
explicit read allowlists. Fine-grained TCP and Unix socket policies are rejected
until Windows enforcement exists.
## Network Policy
Sandbox mode denies direct network access by default. Proxy ports, local binding,
and Unix sockets can be allowed with the Anthropic Sandbox Runtime network fields.
For a filesystem-only sandbox with unrestricted direct network access, set:
```json
{
  "network": {
    "allowNetwork": true
  }
}
```
On Linux and macOS, `allowNetwork` disables landstrip network enforcement while
leaving filesystem policy enforcement in place. Windows rejects unrestricted
network policies until Windows network support exists.
## Licensing
`landstrip` is licensed under `LGPL-2.1-or-later`.