@landstrip/landstrip 0.14.5 → 0.14.6

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (2)
  1. package/README.md +19 -9
  2. package/package.json +5 -5
package/README.md CHANGED
@@ -25,13 +25,23 @@ binary package.
25
25
  | ------------ | ------------------------ | ---------------------------- | ------------------------------- |
26
26
  | Policy | path based rules | file based rules | access control list (ACL) |
27
27
  | Timing | dynamic subset of paths | file based static ruleset | persistent ACLs |
28
- | TCP | localhost proxy ports | loopback proxy ports | unsupported |
29
- | Unix sockets | allowlist | allowlist via seccomp broker | unsupported |
28
+ | TCP | localhost proxy ports | loopback proxy ports | allow all or deny all |
29
+ | Unix sockets | allowlist | allowlist via seccomp broker | allow all or deny all |
30
30
 
31
- Windows uses an AppContainer. The platform grants the generated AppContainer SID
32
- access to the lowered read and write roots, so Windows policies must use
33
- explicit read allowlists. Fine-grained TCP and Unix socket policies are rejected
34
- until Windows enforcement exists.
31
+ ### Windows AppContainer
32
+
33
+ Win32 API provides AppContainer for application level sandboxing. The platform
34
+ grants the generated AppContainer SID access to the lowered read and write
35
+ roots, so Windows policies must use explicit read allowlists.
36
+
37
+ With the current knowledge, the network access is gated by the AppContainer
38
+ capabilities. That said, this might also be due my limited knowledge of Win32
39
+ API.
40
+
41
+ `allowNetwork` grants the internet and private-network capabilities, while the
42
+ default container holds none and denies all network access. Fine-grained TCP and
43
+ Unix socket policies are rejected because the container cannot enforce them in
44
+ the process granularity.
35
45
 
36
46
  ## Policy Format
37
47
 
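Review bot: The paragraph added at new lines 37-39 ("With the current knowledge, the network access is gated by the AppContainer capabilities. That said, this might also be due my limited knowledge of Win32 API.") documents the sandbox's network boundary as something the author is unsure of, so a reader cannot tell whether deny-all on Windows is a guarantee or a best guess. Suggest either verifying the behaviour and stating it plainly, or moving the hedge into a clearly marked known-limitations note; "due my" should also read "due to my". Separately, the table now lists Unix sockets as "allow all or deny all", but the prose only describes `allowNetwork` granting the internet and private-network capabilities, so it would help to say explicitly whether that same switch governs Unix sockets. "in the process granularity" would read better as "at process granularity".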
@@ -72,9 +82,9 @@ For a filesystem-only sandbox with unrestricted direct network access, set:
72
82
  }
73
83
  ```
74
84
 
75
- On Linux and macOS, `allowNetwork` disables landstrip network enforcement while
76
- leaving filesystem policy enforcement in place. Windows rejects unrestricted
77
- network policies until Windows network support exists.
85
+ `allowNetwork` disables landstrip network enforcement while leaving filesystem
86
+ policy enforcement in place. On Windows this grants the AppContainer its network
87
+ capabilities; without it the container denies all network access.
78
88
 
79
89
  ## Error Output
80
90
 
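Review bot: The rewritten sentence at new lines 85-87 says `allowNetwork` on Windows "grants the AppContainer its network capabilities" without repeating that this includes the private-network capability named in the Windows AppContainer section, so a reader who sets the flag for a filesystem-only sandbox may not realise it also opens local-network access. Suggest naming both capabilities here as well. The removed lines also show that Windows previously rejected unrestricted network policies: a policy that used to be refused on Windows is now accepted and runs with network access, which deserves an explicit upgrade note given that the release is a patch-level bump.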
package/package.json CHANGED
@@ -1,6 +1,6 @@
1
1
  {
2
2
  "name": "@landstrip/landstrip",
3
- "version": "0.14.5",
3
+ "version": "0.14.6",
4
4
  "description": "Sandbox runner using Landlock, Seatbelt, and AppContainer",
5
5
  "license": "Apache-2.0 AND LGPL-2.1-or-later",
6
6
  "homepage": "https://github.com/landstrip/landstrip#readme",
@@ -24,10 +24,10 @@
24
24
  "LICENSE-LGPL-2.1"
25
25
  ],
26
26
  "optionalDependencies": {
27
- "@landstrip/landstrip-darwin-arm64": "0.14.5",
28
- "@landstrip/landstrip-darwin-x64": "0.14.5",
29
- "@landstrip/landstrip-linux-x64": "0.14.5",
30
- "@landstrip/landstrip-win32-x64": "0.14.5"
27
+ "@landstrip/landstrip-darwin-arm64": "0.14.6",
28
+ "@landstrip/landstrip-darwin-x64": "0.14.6",
29
+ "@landstrip/landstrip-linux-x64": "0.14.6",
30
+ "@landstrip/landstrip-win32-x64": "0.14.6"
31
31
  },
32
32
  "publishConfig": {
33
33
  "access": "public"