@landstrip/landstrip 0.14.5 → 0.14.7

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (2)
  1. package/README.md +42 -11
  2. package/package.json +5 -5
package/README.md CHANGED
@@ -23,15 +23,30 @@ binary package.
23
23
 
24
24
  | Area | macOS | Linux | Windows |
25
25
  | ------------ | ------------------------ | ---------------------------- | ------------------------------- |
26
- | Policy | path based rules | file based rules | access control list (ACL) |
27
- | Timing | dynamic subset of paths | file based static ruleset | persistent ACLs |
28
- | TCP | localhost proxy ports | loopback proxy ports | unsupported |
29
- | Unix sockets | allowlist | allowlist via seccomp broker | unsupported |
26
+ | Policy | path based rules | file based rules | per-run AppContainer ACLs |
27
+ | Timing | dynamic subset of paths | file based static ruleset | per-run ACL grants |
28
+ | TCP | localhost proxy ports | loopback proxy ports | allow all or deny all |
29
+ | Unix sockets | allowlist | allowlist via seccomp broker | allow all or deny all |
30
30
 
31
- Windows uses an AppContainer. The platform grants the generated AppContainer SID
32
- access to the lowered read and write roots, so Windows policies must use
33
- explicit read allowlists. Fine-grained TCP and Unix socket policies are rejected
34
- until Windows enforcement exists.
31
+ ### Windows AppContainer
32
+
33
+ Win32 API provides AppContainer for application level sandboxing. The platform
34
+ creates a per-run LPAC AppContainer profile, grants its SID access to the lowered
35
+ read and write roots, and removes those grants after the sandboxed process tree
36
+ exits. Windows policies must use explicit read allowlists.
37
+
38
+ Landstrip assigns the sandboxed process to a Job Object with
39
+ `KILL_ON_JOB_CLOSE`, so child processes are kept in the sandbox process tree and
40
+ are terminated when the launcher exits.
41
+
42
+ `allowNetwork` grants the internet and private-network AppContainer
43
+ capabilities, while the default container holds none and denies all network
44
+ access.
45
+
46
+ AppContainer capabilities are coarse: fine-grained TCP policies by host or port
47
+ require Windows Filtering Platform rules keyed by the AppContainer SID. I.e.,
48
+ this would require elevated privileges, which is not sustainable for a agent
49
+ sandbox runtime, which should rely on unprivileged tools and techniques.
35
50
 
36
51
  ## Policy Format
37
52
 
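Review bot: the table's Windows "Unix sockets | allow all or deny all" row is not backed by the prose below it, which only describes the internet and private-network capabilities that `allowNetwork` grants; an AF_UNIX endpoint on Windows is a path-bound filesystem object rather than a network resource, so state which mechanism actually gates it (the network capabilities or the read/write root ACLs), or mark the row unsupported as before. Two smaller points: the section says the SID grants are removed "after the sandboxed process tree exits", but not what happens to the ACEs on the read and write roots if the launcher is killed before cleanup runs; a sentence on whether stale per-run grants are cleaned up on the next run would help. In the last paragraph, "I.e., this would require elevated privileges ... for a agent sandbox runtime" should read "That is, adding such WFP rules requires elevated privileges, which is not sustainable for an agent sandbox runtime". The job limit is named `JOB_OBJECT_LIMIT_KILL_ON_JOB_CLOSE`; using the full identifier makes it searchable.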
@@ -57,6 +72,22 @@ network:
57
72
  allowNetwork: true
58
73
  ```
59
74
 
75
+ Windows-only hardening options live under `windows`. They are optional because
76
+ some tools, shells, JITs, and GUI helpers may rely on the blocked behaviors:
77
+
78
+ ```json
79
+ {
80
+ "windows": {
81
+ "disableWin32k": true,
82
+ "disableExtensionPoints": true,
83
+ "strictHandleChecks": true,
84
+ "imageLoadNoRemote": true,
85
+ "imageLoadNoLowLabel": true,
86
+ "imageLoadPreferSystem32": true
87
+ }
88
+ }
89
+ ```
90
+
60
91
  ## Network Policy
61
92
 
62
93
  Sandbox mode denies direct network access by default. Proxy ports, local binding,
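Review bot: the six `windows` keys are listed without their defaults or the mitigation each enables, so a reader cannot tell which option breaks which tool even though the lead-in warns that "some tools, shells, JITs, and GUI helpers may rely on the blocked behaviors". Add one line per key: `disableWin32k` (win32k system-call lockdown, which breaks anything that reaches GDI/USER), `disableExtensionPoints` (no AppInit DLLs, IMEs, global hooks or Winsock LSPs), `strictHandleChecks` (an invalid handle reference raises an exception instead of failing silently), and the three `imageLoad*` options (refuse images from remote shares, refuse low-integrity images, search System32 first). Also say what applies when the `windows` block is absent; "They are optional" implies all-off, but that should be explicit since these are the only process-level mitigations the README mentions for Windows.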
@@ -72,9 +103,9 @@ For a filesystem-only sandbox with unrestricted direct network access, set:
72
103
  }
73
104
  ```
74
105
 
75
- On Linux and macOS, `allowNetwork` disables landstrip network enforcement while
76
- leaving filesystem policy enforcement in place. Windows rejects unrestricted
77
- network policies until Windows network support exists.
106
+ `allowNetwork` disables landstrip network enforcement while leaving filesystem
107
+ policy enforcement in place. On Windows this grants the AppContainer its network
108
+ capabilities; without it the container denies all network access.
78
109
 
79
110
  ## Error Output
80
111
 
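Review bot: dropping the "On Linux and macOS" qualifier makes `allowNetwork` read as equivalent on all three platforms, but the two halves of the paragraph describe different things: on Linux and macOS it turns off landstrip's own enforcement, while on Windows it grants the AppContainer's internet and private-network capabilities, which remain an all-or-nothing capability grant. Say here that per-host or per-port rules are not expressible on Windows (the AppContainer section already explains why), and state whether loopback connections work under `allowNetwork`, since the platform table lists localhost/loopback proxy ports only for macOS and Linux and a reader will otherwise assume local services are reachable from the container.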
package/package.json CHANGED
@@ -1,6 +1,6 @@
1
1
  {
2
2
  "name": "@landstrip/landstrip",
3
- "version": "0.14.5",
3
+ "version": "0.14.7",
4
4
  "description": "Sandbox runner using Landlock, Seatbelt, and AppContainer",
5
5
  "license": "Apache-2.0 AND LGPL-2.1-or-later",
6
6
  "homepage": "https://github.com/landstrip/landstrip#readme",
@@ -24,10 +24,10 @@
24
24
  "LICENSE-LGPL-2.1"
25
25
  ],
26
26
  "optionalDependencies": {
27
- "@landstrip/landstrip-darwin-arm64": "0.14.5",
28
- "@landstrip/landstrip-darwin-x64": "0.14.5",
29
- "@landstrip/landstrip-linux-x64": "0.14.5",
30
- "@landstrip/landstrip-win32-x64": "0.14.5"
27
+ "@landstrip/landstrip-darwin-arm64": "0.14.7",
28
+ "@landstrip/landstrip-darwin-x64": "0.14.7",
29
+ "@landstrip/landstrip-linux-x64": "0.14.7",
30
+ "@landstrip/landstrip-win32-x64": "0.14.7"
31
31
  },
32
32
  "publishConfig": {
33
33
  "access": "public"
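Review bot: the four platform packages are pinned to the exact `0.14.7` version, which is the right choice for native binaries that must match the JS wrapper; keep exact pins rather than a caret range. The list still covers only darwin-arm64, darwin-x64, linux-x64 and win32-x64, so an install on any other platform gets no binary and, because the dependencies are optional, fails at runtime rather than at install time; the README should name the supported platforms and the wrapper should fail with a clear message when no platform package resolved.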