landstrip
landstrip runs a command in an OS-level sandbox using Landlock LSM on Linux,
Seatbelt on macOS, and LPAC AppContainer on Windows. It accepts the Anthropic
Sandbox Runtime JSON subset as the policy.
Backends compared:
| Area | macOS | Linux | Windows |
|---|---|---|---|
| Policy | path based rules | file based rules | access control list (ACL) |
| Timing | dynamic subset of paths | file based static ruleset | persistent ACLs |
| TCP | localhost proxy ports | loopback proxy ports | unsupported |
| Unix sockets | allowlist | allowlist via seccomp broker | unsupported |
Windows uses an AppContainer. The backend grants the generated AppContainer SID access to the lowered read and write roots, so Windows policies must use explicit read allowlists. Fine-grained TCP and Unix socket policies are rejected until Windows enforcement exists.
Network Policy
Sandbox mode denies direct network access by default. Proxy ports, local binding, and Unix sockets can be allowed with the Anthropic Sandbox Runtime network fields.
For a filesystem-only sandbox with unrestricted direct network access, set:
On Linux and macOS, allowNetwork disables landstrip network enforcement while
leaving filesystem policy enforcement in place. Windows rejects unrestricted
network policies until Windows network support exists.
Development
Commit messages
<subsystem>: <message>- Long description for non-trivial changes.
- Kernel style commit messages.
Signed-off-by
Documenting errors
The following snippet demonstrates the recommended pattern for documenting the return values on error:
/// # Errors
///
/// Returns [`<variant's unqualified name>`](<variant's unqualified name>)
/// Returns ...
Licensing
landstrip is licensed under LGPL-2.1-or-later.