Crate nono

nono - Capability-based sandboxing library

This library provides OS-level sandboxing using Landlock (Linux) and Seatbelt (macOS) for capability-based filesystem and network isolation.

§Overview

nono is a pure sandboxing primitive - it provides the mechanism for OS-enforced isolation without imposing any security policy. Clients (CLI tools, language bindings) define their own policies: nothing is allowed unless the client grants it, so even system paths such as /usr, /lib and /bin must be added explicitly (see the example below).

§Example

use nono::{CapabilitySet, AccessMode, Sandbox};

fn main() -> nono::Result<()> {
    // Build capability set - nothing is allowed by default, so the client must
    // add ALL paths it needs, including system paths
    let caps = CapabilitySet::new()
        // System paths for executables to run
        .allow_path("/usr", AccessMode::Read)?
        .allow_path("/lib", AccessMode::Read)?
        .allow_path("/bin", AccessMode::Read)?
        // User paths
        .allow_path("/project", AccessMode::ReadWrite)?
        .block_network();

    // Check platform support: on a platform without Landlock or Seatbelt,
    // Sandbox::apply() below returns an UnsupportedPlatform error
    let support = Sandbox::support_info();
    if !support.is_supported {
        eprintln!("Warning: {}", support.details);
    }

    // Apply sandbox - this is irreversible for this process and is inherited
    // by every child it forks or execs
    Sandbox::apply(&caps)?;

    // Now running sandboxed...
    Ok(())
}

§Platform Support

  • Linux: Uses Landlock LSM (kernel 5.13+, Landlock ABI v1, for filesystem rules; Landlock's own TCP bind/connect rules require ABI v4, kernel 6.7+)
  • macOS: Uses Seatbelt sandbox
  • Other platforms: Sandbox::apply returns an UnsupportedPlatform error
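On Linux, the support check in the example above and the kernel-version line in this list come down to the same probe: call landlock_create_ruleset with the LANDLOCK_CREATE_RULESET_VERSION flag and read back the ABI version, then decide which parts of a filesystem plus network policy that ABI can enforce. The following is an added example, not code from the nono crate, showing that probe and the ABI-to-feature mapping documented in landlock(7). The type names, the `enforceable` fail-closed rule and the inline-asm syscall stub (used so the file builds without the `libc` crate) are this example's own choices and say nothing about how nono's `Sandbox::support_info()` is implemented.

```rust
// Added example, not code from the nono crate: the probe a Linux support check
// like Sandbox::support_info() has to make underneath, plus the ABI-to-feature
// table from landlock(7). Kernel uapi constants: syscall 444 = landlock_create_ruleset,
// flag 1 = LANDLOCK_CREATE_RULESET_VERSION, errno 38 = ENOSYS, 95 = EOPNOTSUPP.

/// What a given Landlock ABI version lets a sandbox enforce.
#[derive(Debug, Clone, Copy, PartialEq, Eq)]
pub struct LandlockFeatures {
    pub abi: i32,
    pub filesystem: bool, // ABI 1, Linux 5.13: filesystem access rights
    pub refer: bool,      // ABI 2, Linux 5.19: rename/link across directories
    pub truncate: bool,   // ABI 3, Linux 6.2:  LANDLOCK_ACCESS_FS_TRUNCATE
    pub network: bool,    // ABI 4, Linux 6.7:  TCP bind/connect rules
    pub ioctl_dev: bool,  // ABI 5, Linux 6.10: LANDLOCK_ACCESS_FS_IOCTL_DEV
}

pub fn features_for_abi(abi: i32) -> LandlockFeatures {
    LandlockFeatures {
        abi,
        filesystem: abi >= 1,
        refer: abi >= 2,
        truncate: abi >= 3,
        network: abi >= 4,
        ioctl_dev: abi >= 5,
    }
}

#[derive(Debug, Clone, PartialEq, Eq)]
pub enum LandlockProbe {
    Supported(LandlockFeatures),
    NotInKernel,         // ENOSYS: kernel < 5.13 or built without CONFIG_SECURITY_LANDLOCK
    DisabledAtBoot,      // EOPNOTSUPP: compiled in, but missing from the boot-time lsm= list
    Unavailable(String), // anything else, e.g. EPERM from a seccomp filter, or not Linux
}

/// Interpret landlock_create_ruleset(NULL, 0, VERSION): >= 1 is the ABI, < 0 is -errno.
pub fn classify(ret: i64) -> LandlockProbe {
    match ret {
        v if v >= 1 => LandlockProbe::Supported(features_for_abi(v as i32)),
        -38 => LandlockProbe::NotInKernel,
        -95 => LandlockProbe::DisabledAtBoot,
        e => LandlockProbe::Unavailable(format!("landlock_create_ruleset returned {e}")),
    }
}

/// Fail closed (this example's policy, not nono's): a policy that blocks the
/// network needs ABI 4; below that, report it rather than degrade to FS-only.
pub fn enforceable(f: &LandlockFeatures, needs_network: bool) -> Result<(), String> {
    if !f.filesystem {
        return Err(format!("Landlock ABI {} enforces nothing", f.abi));
    }
    if needs_network && !f.network {
        return Err(format!("Landlock ABI {} (< 4, Linux 6.7) has no network rules", f.abi));
    }
    Ok(())
}

// Raw syscall via inline asm so this builds without the libc crate.
#[cfg(all(target_os = "linux", any(target_arch = "x86_64", target_arch = "aarch64")))]
fn raw_landlock_abi() -> Option<i64> {
    const SYS_LANDLOCK_CREATE_RULESET: i64 = 444;
    const LANDLOCK_CREATE_RULESET_VERSION: i64 = 1;
    let ret: i64;
    unsafe {
        #[cfg(target_arch = "x86_64")]
        core::arch::asm!(
            "syscall",
            inlateout("rax") SYS_LANDLOCK_CREATE_RULESET => ret,
            in("rdi") 0i64, // attr = NULL
            in("rsi") 0i64, // size = 0
            in("rdx") LANDLOCK_CREATE_RULESET_VERSION,
            lateout("rcx") _, lateout("r11") _, // clobbered by `syscall`
            options(nostack),
        );
        #[cfg(target_arch = "aarch64")]
        core::arch::asm!(
            "svc 0",
            in("x8") SYS_LANDLOCK_CREATE_RULESET,
            inlateout("x0") 0i64 => ret, // attr = NULL
            in("x1") 0i64,               // size = 0
            in("x2") LANDLOCK_CREATE_RULESET_VERSION,
            options(nostack),
        );
    }
    Some(ret)
}

#[cfg(not(all(target_os = "linux", any(target_arch = "x86_64", target_arch = "aarch64"))))]
fn raw_landlock_abi() -> Option<i64> {
    None // no Landlock here (macOS would go through Seatbelt instead)
}

/// Probe the running kernel; never panics, unusable kernels are reported.
pub fn probe_landlock() -> LandlockProbe {
    let unsupported = LandlockProbe::Unavailable("not a Linux x86_64/aarch64 host".into());
    raw_landlock_abi().map_or(unsupported, classify)
}

fn main() { println!("{:?}", probe_landlock()); }
```

On a kernel at or above 6.7 the probe reports ABI 4 or higher and `enforceable(&f, true)` accepts; on 5.13 through 6.6 the probe succeeds with ABI 1 to 3 and `enforceable(&f, true)` refuses, which is exactly the point at which a client that called `block_network()` has to decide whether to fail or to fall back to another mechanism. The distinction between ENOSYS and EOPNOTSUPP matters operationally: the first means a kernel upgrade, the second means adding `landlock` to the `lsm=` boot parameter.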

Re-exports§

pub use capability::AccessMode;
pub use capability::CapabilitySet;
pub use capability::CapabilitySource;
pub use capability::FsCapability;
pub use diagnostic::DenialReason;
pub use diagnostic::DenialRecord;
pub use diagnostic::DiagnosticFormatter;
pub use diagnostic::DiagnosticMode;
pub use error::NonoError;
pub use error::Result;
pub use keystore::load_secrets;
pub use keystore::LoadedSecret;
pub use sandbox::Sandbox;
pub use sandbox::SupportInfo;
pub use state::SandboxState;
pub use supervisor::ApprovalBackend;
pub use supervisor::ApprovalDecision;
pub use supervisor::CapabilityRequest;
pub use supervisor::NeverGrantChecker;
pub use supervisor::SupervisorSocket;

Modules§

capability
Capability model for filesystem and network access
diagnostic
Diagnostic output formatter for sandbox policy.
error
Error types for the nono library
keystore
Secure credential loading from system keystore
query
Query API for checking sandbox permissions
sandbox
OS-level sandbox implementation
state
Sandbox state persistence
supervisor
Supervisor IPC for runtime capability expansion
undo
Undo system: content-addressable snapshots with Merkle tree integrity