Sandbox
Landlock-based sandbox using landrun-agent wrapper.
Quick Reference
```bash
# Sandboxed by default (shell functions)
pi                                  # sandboxed pi
claude                              # sandboxed claude

# Generic sandbox
sandbox npm install                 # sandbox any command
sandbox --rw ./dist npm build       # with an extra write path

# Escape hatches (use sparingly)
unsafe-pi                           # unsandboxed
unsafe-claude
```
Per-Project Config
Create `.sandbox` in the project root. One `key:value[,value...]` entry per line; every entry widens the default allowlist for that project only, so keep it minimal (an `ro:~/.aws` line hands cloud credentials to anything that runs in the project):
```
rw:./dist,./build     # extra read-write paths
ro:~/.aws             # extra read-only paths
env:DATABASE_URL      # extra env vars
tcp:5432              # extra TCP ports (443,80 default)
```
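As an added example (not the dotfiles' own `landrun-agent`), the bash below parses this format into landrun arguments and refuses the entries a reviewer would reject: a writable `~` or `/`, bad port numbers, malformed variable names. `--ro`, `--rw`, `--ldd` and `--add-exec` appear on this page; `--env` and `--connect-tcp` are landrun's flag names and are assumed here, as is the `run_sandboxed` wrapper and the sample file in the comments.

```bash
#!/usr/bin/env bash
# Added example (not the dotfiles' landrun-agent): turn a .sandbox file
# into landrun arguments, rejecting entries that would defeat the sandbox.
# --ro/--rw/--ldd/--add-exec come from this page; --env and --connect-tcp
# are landrun's documented flag names and are an assumption here.

# Paths the default policy protects by omission; granting them is allowed
# but gets a warning so it never happens silently.
SANDBOX_SENSITIVE=("$HOME/.ssh" "$HOME/.gnupg" "$HOME/.aws"
                   "$HOME/.config/gh" "$HOME/.password-store")

trim() {                              # strip leading/trailing whitespace
    local s=$1
    s=${s#"${s%%[![:space:]]*}"}
    s=${s%"${s##*[![:space:]]}"}
    printf '%s\n' "$s"
}

expand_tilde() {                      # "~" and "~/x" -> under $HOME
    case $1 in
        "~")   printf '%s\n' "$HOME" ;;
        "~/"*) printf '%s/%s\n' "$HOME" "${1#"~/"}" ;;
        *)     printf '%s\n' "$1" ;;
    esac
}

# parse_sandbox_file FILE
# Prints one landrun argument per line (flag, value, flag, value, ...).
# Returns 1 if any entry was rejected; rejected entries are never emitted.
parse_sandbox_file() {
    local file=$1 line key values v p s status=0
    local -a vals
    while IFS= read -r line || [ -n "$line" ]; do
        line=$(trim "${line%%#*}")                 # drop comment and padding
        [ -z "$line" ] && continue
        key=$(trim "${line%%:*}")
        values=${line#*:}
        if [ "$key" = "$line" ]; then
            echo "sandbox: missing 'key:' in '$line'" >&2; status=1; continue
        fi
        IFS=, read -r -a vals <<<"$values"
        for v in "${vals[@]}"; do
            v=$(trim "$v")
            [ -z "$v" ] && continue
            case $key in
                rw|ro)
                    p=$(expand_tilde "$v")
                    # A writable home or root is no sandbox at all.
                    if [ "$key" = rw ] && { [ "$p" = "$HOME" ] || [ "$p" = / ]; }; then
                        echo "sandbox: refusing rw:$v" >&2; status=1; continue
                    fi
                    for s in "${SANDBOX_SENSITIVE[@]}"; do
                        [ "$p" = "$s" ] && echo "sandbox: warning, exposing $v" >&2
                    done
                    printf -- '--%s\n%s\n' "$key" "$p"
                    ;;
                env)
                    [[ $v =~ ^[A-Za-z_][A-Za-z0-9_]*$ ]] || {
                        echo "sandbox: bad env name '$v'" >&2; status=1; continue; }
                    printf -- '--env\n%s\n' "$v"
                    ;;
                tcp)
                    if [[ $v =~ ^[0-9]+$ ]] && [ "$v" -ge 1 ] && [ "$v" -le 65535 ]; then
                        printf -- '--connect-tcp\n%s\n' "$v"
                    else
                        echo "sandbox: bad TCP port '$v'" >&2; status=1
                    fi
                    ;;
                *)
                    echo "sandbox: unknown key '$key'" >&2; status=1
                    ;;
            esac
        done
    done <"$file"
    return "$status"
}

# run_sandboxed CMD [ARGS...]: the landrun line from the Debugging section
# plus whatever the project's .sandbox adds (assumed wrapper, not the page's).
run_sandboxed() {
    local extra_text
    local -a extra=()
    if [ -f .sandbox ]; then
        extra_text=$(parse_sandbox_file .sandbox) || return 1
        [ -n "$extra_text" ] && mapfile -t extra <<<"$extra_text"
    fi
    landrun --ldd --add-exec --ro /usr,/lib --rw . \
        --connect-tcp 443 --connect-tcp 80 "${extra[@]}" "$@"
}
```

Arguments are emitted one per line and read back with `mapfile` so paths with spaces survive; the function exits non-zero on the first bad entry rather than silently dropping it, which is the behaviour you want from anything that widens a sandbox.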
Debugging
```bash
# See the full landrun command the wrapper builds
DEBUG=1 pi 2>&1 | head -20

# Find denied accesses. Landlock reports a denied open/connect as EACCES,
# not EPERM, so match both
strace -f -e trace=file,network landrun-agent --rw . pi 2>&1 | grep -E 'EACCES|EPERM'

# Verbose landrun
landrun --log-level debug --ldd --add-exec --ro /usr,/lib --rw . $(which pi)
```
Default Permissions
Read+exec: /usr, /lib, /bin, ~/.local/bin, ~/.local/share, ~/.cargo/bin, /run/user
Read-only: /etc/ssl, ~/.pi, ~/.claude, ~/.cache, ~/.gitconfig, ~/.config/git
Write: None (must pass --rw or use .sandbox)
Network: TCP 443, 80
Env vars: HOME, USER, PATH, TERM, LANG, OPENAI_API_KEY, ANTHROPIC_API_KEY, GITHUB_TOKEN
Protected by omission: ~/.ssh, ~/.gnupg, ~/.aws, ~/.config/gh, ~/.password-store
Troubleshooting
| Issue | Solution |
|---|---|
| Permission denied | Check if path is in RO/RW allowlist |
| Library not found | `--ldd` adds what `ldd $(which cmd)` reports; libraries loaded at runtime with `dlopen` (NSS, locale, plugins) are not listed there and need an explicit `ro:` path |
| Network blocked | Landlock TCP rules need ABI v4 (Linux 6.7+); check `uname -r`. On a new kernel, check the port is allowed (`tcp:` in `.sandbox`; only 443 and 80 by default) |
| Need full access | Use unsafe-pi / unsafe-claude consciously |
Limitations
- Port-based network filtering only (TCP connect/bind by port; no domain or address filtering). Anything allowed out on 443 can reach any host on 443, so the sandbox limits channels, not destinations.
- No glob patterns. Landlock rules bind to concrete paths (a rule on a directory covers everything below it), so a listed path must exist before the sandbox starts.
- `--rw ~` defeats the purpose; keep writes minimal.