Jarkko Sakkinen

Edited 9 days ago
Landstrip 0.8.2 creates a sandbox from an Anthropic Sandbox Runtime (ASR) compatible JSON policy.

Enabled platforms now include:

1. Linux (Landlock with seccomp notifications)
2. macOS (Seatbelt FFI calls)
3. Windows (AppContainer profiles with ACLs)

It's a single-binary sandbox solution, i.e., one which does not create a confusing-to-audit topology for threat scenarios.

An additional binary (but an easy-to-manage one, like e.g. Landstrip) is still required to have any kind of meaningful security, given that only a correct topology can realize the coding agent and the sandbox not sharing the attack surface.

They are BOTH disjoint executable files and process entities at run-time, which is highly important.

When we create operating systems, this topology allows us, e.g., to fine-tune process rights (this could be, for example, an SELinux profile) separately for coding agents and sandboxes.

A properly implemented sandbox provides the first-encounter intrusion detection layer for malicious applications. This is why thinking about the layers of defence at the system and process level is a priority.

https://crates.io/crates/landstrip/0.8.2

#anthropic #sandbox #runtime

@jarkko I'm curious: how does one use it / install it?

@Aissen Thanks for the correction :-)

@Aissen E.g.,

❯ landstrip cargo test
{
  "filesystem": {
    "allowWrite": [".", "~/.cargo"],
    "denyWrite": [".git/hooks"],
    "denyRead": ["~/.ssh"],
    "allowRead": ["~/.ssh/config"]
  },
  "network": {
    "httpProxyPort": 8080,
    "socksProxyPort": 8081,
    "allowLocalBinding": false,
    "allowUnixSockets": ["/run/user/1000/agent.sock"],
    "allowAllUnixSockets": false
  }
}

Finished `test` profile [unoptimized + debuginfo] target(s) in 0.03s
Running unittests src/main.rs (target/debug/deps/landstrip-5467b4d0d80bb461)

running 0 tests

test result: ok. 0 passed; 0 failed; 0 ignored; 0 measured; 0 filtered out; finished in 0.00s

I had to fix a couple of bugs to respond (stdin fallback), so I guess it was a valid question :-) This should have tests, yes, but I don't like to add them while ramping up a structure because they sometimes tend to do a disservice to the architecture.

It's better to first do something maybe a bit unstable but architecturally sustainable :-) I'll release 0.8.3.

Jarkko Sakkinen

Edited 9 days ago
@Aissen I try to interpret it the same way as Seatbelt does in Anthropic Sandbox Runtime, which Anthropic itself does not properly do on Linux. My choice is based on spread instead of looking for a perfect model for policy. Overall it's not too bad. E.g. network limitations do make sense to me.

This article explains quite well the concepts of filesystem and network isolation:

https://www.anthropic.com/engineering/claude-code-sandboxing

The difference is that I take only the concept, and Landstrip realizes that as an implementation of a sandbox.

@Aissen Anthropic is an evil actor in security. Their software is bad and also they use offensive social engineering as a marketing strategy, i.e., I consider that company a blackhat actor despite it having legal business activities.

I don't like to use their stuff. Still, this makes sense to me :-)

@Aissen There are countless lines you could draw from AI companies to tobacco and oil companies on how they act and operate in business. It's a disgrace IMHO.